If you are unfamilar with signing executables for UEFI SecureBoot see How to Sign UEFI Drivers & Applications from the TianoCore EDK2 website.
Here is a simple Makefile which can be used to create the necessary keys:
#
# Make all keys for UEFI SecureBoot
#
TOPDIR := $(shell pwd)/
.SUFFIXES: .crt
all: PK.crt PK.key KEK.crt KEK.key DB.crt DB.key
PK.crt KEK.crt DB.crt:
openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$*/" -keyout $*.key -out $@ -days 3650 -nodes
.KEEP: PK.crt PK.key KEK.crt KEK.key DB.crt DB.key
%.cer: %.crt
openssl x509 -in $< -out $@ -outform DER
%-subkey.csr:
openssl req -new -newkey rsa:2048 -keyout $*-subkey.key -subj "/CN=Subkey $* of KEK/" -out $@ -nodes
%-subkey.crt: %-subkey.csr KEK.crt
openssl x509 -req -in $< -CA DB.crt -CAkey DB.key -set_serial 1 -out $@ -days 365
clean:
rm -f PK.* KEK.* DB.*
Naturally, you may have to modify it to suit your own particular setup but the above should give you a good starting point.
