Soft key

Generate soft keys

Prerequisites

Install openssl.

sudo apt install openssl

Generate keys and create certificates

openssl req -newkey rsa:4096 -nodes -x509 -days 3650 -addext "basicConstraints=CA:false" -subj "/O=System Transparency/CN=PK"  -keyout PK.priv  -out PK.crt
openssl req -newkey rsa:4096 -nodes -x509 -days 3650 -addext "basicConstraints=CA:false" -subj "/O=System Transparency/CN=KEK" -keyout KEK.priv -out KEK.crt
openssl req -newkey rsa:4096 -nodes -x509 -days 3650 -addext "basicConstraints=CA:false" -subj "/O=System Transparency/CN=db"  -keyout db.priv  -out db.crt

Debrief

You should see that the private-key files PK.priv, KEK.priv, and db.priv were created. You should also see that the corresponding certificate files PK.crt, KEK.crt and db.crt were created with a validity window of 10 years. To inspect each certificate:

openssl x509 -in PK.crt  -text -noout
openssl x509 -in KEK.crt -text -noout
openssl x509 -in db.crt  -text -noout

Both the private keys and the certificate files are in PEM format. Because the commands use -nodes, the private keys are written to disk unencrypted.
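The manual inspection above can also be scripted. The following is an added example, not part of the original page: the helper names check_pair and check_all are hypothetical, and it assumes the six files sit in one directory with unencrypted private keys, as the commands above produce.

```shell
#!/bin/sh
# Added example (not from the original page): verify the PK/KEK/db soft keys.
# check_pair and check_all are hypothetical helper names.

# check_pair NAME [DIR]: return 0 only if NAME.priv / NAME.crt pass all checks.
check_pair() {
    name=$1; dir=${2:-.}
    key="$dir/$name.priv"; crt="$dir/$name.crt"

    [ -r "$key" ] && [ -r "$crt" ] ||
        { echo "$name: missing file" >&2; return 1; }
    text=$(openssl x509 -in "$crt" -noout -text 2>/dev/null) ||
        { echo "$name: cannot parse certificate" >&2; return 1; }

    # The certificate must carry the public half of this private key.
    # Assumes an unencrypted key, which is what -nodes produces.
    [ "$(openssl x509 -in "$crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] ||
        { echo "$name: certificate does not match private key" >&2; return 1; }

    # rsa:4096 was requested; the label prefix differs between OpenSSL versions.
    printf '%s\n' "$text" | grep -q 'Public-Key: (4096 bit)' ||
        { echo "$name: not a 4096-bit key" >&2; return 1; }

    # -addext "basicConstraints=CA:false" must have ended up in the certificate.
    printf '%s\n' "$text" | grep -q 'CA:FALSE' ||
        { echo "$name: basicConstraints CA:FALSE missing" >&2; return 1; }

    # -days 3650: a fresh certificate is still valid 3649 days from now.
    openssl x509 -in "$crt" -noout -checkend $((3649 * 86400)) >/dev/null ||
        { echo "$name: validity shorter than expected" >&2; return 1; }

    echo "$name: ok"
}

# check_all [DIR]: check all three pairs, reporting every failure.
check_all() {
    rc=0
    for n in PK KEK db; do
        check_pair "$n" "${1:-.}" || rc=1
    done
    return $rc
}
```

Source the file and run check_all in the directory that holds the generated files; a non-zero exit status means at least one pair failed a check.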