2022-04-17T05:00:00Z
This is in response to https://docs.fedoraproject.org/en-US/quick-docs/kernel/build-custom-kernel/. The title of the page is “Building a custom kernel.”
I will include a snip from the page so you will know what I mean when I say :the security steps:
_______ B E G I N N I N G O F S N I P _______
Blockquote
Get the Dependencies
The easiest way to install all the build dependencies for the kernel is to use the Fedora kernel spec file:
sudo dnf install fedpkg
fedpkg clone -a kernel
cd kernel
sudo dnf builddep kernel.spec
If you want to use make xconfig, you’ll need some additional packages:
sudo dnf install qt3-devel libXi-devel gcc-c++
Secure boot
Make sure you add the user doing the build to /etc/pesign/users and run the authorize user script:
sudo /usr/libexec/pesign/pesign-authorize
Create a new Machine Owner Key (MOK) to import to UEFI:
openssl req -new -x509 -newkey rsa:2048 -keyout “key.pem”
-outform DER -out “cert.der” -nodes -days 36500
-subj “/CN=/”
Import the new certificate into your UEFI database:
You will be asked to authorize the import at next boot.
mokutil --import “cert.der”
Create a PKCS #12 key file:Get the Dependencies
The easiest way to install all the build dependencies for the kernel is to use the Fedora kernel spec file:
sudo dnf install fedpkg
fedpkg clone -a kernel
cd kernel
sudo dnf builddep kernel.spec
If you want to use make xconfig, you’ll need some additional packages:
sudo dnf install qt3-devel libXi-devel gcc-c++
Secure boot
Make sure you add the user doing the build to /etc/pesign/users and run the authorize user script:
sudo /usr/libexec/pesign/pesign-authorize
Create a new Machine Owner Key (MOK) to import to UEFI:
openssl req -new -x509 -newkey rsa:2048 -keyout “key.pem”
-outform DER -out “cert.der” -nodes -days 36500
-subj “/CN=/”
Import the new certificate into your UEFI database:
You will be asked to authorize the import at next boot.
mokutil --import “cert.der”
Create a PKCS #12 key file:
openssl pkcs12 -export -out key.p12 -inkey key.pem -in cert.der
_________ E N D S N I P _________
I followed along with these plainly-written instructions, until the last instructio in the snip:
openssl pkcs12 …
The response I got from the system was “Unable to load keys.”
I am writing this on the off chance that someone else has had a similar experience, and knows why openssl would give me that error, “Unable to load keys.”
If you have an answer, please give me a shout.
Thanks,
Bryguy