diff --git a/man/ukify.xml b/man/ukify.xml
index 33d9d26d2de..06ae550530d 100644
--- a/man/ukify.xml
+++ b/man/ukify.xml
@@ -329,6 +329,14 @@ This option is required by SecureBootSigningTool=pesign/.
+
+ SecureBootCertificateValidity=DAYS
+
+
+ Period of validity (in days) for a certificate created by
+ genkey. Defaults to 3650, i.e. 10 years.
+
+
 SigningEngine=ENGINE
diff --git a/src/ukify/ukify.py b/src/ukify/ukify.py
index 4fc3ce2e192..3db2bac384a 100755
--- a/src/ukify/ukify.py
+++ b/src/ukify/ukify.py
@@ -759,8 +759,8 @@ def temporary_umask(mask: int):
 def generate_key_cert_pair(
 common_name: str,
+ valid_days: int,
 keylength: int = 2048,
- valid_days: int = 365 * 10, # TODO: can we drop the expiration date?
 ) -> tuple[bytes]:
 from cryptography import x509
@@ -835,7 +835,10 @@ def generate_keys(opts):
 if opts.sb_key or opts.sb_cert:
 fqdn = socket.getfqdn()
 cn = f'SecureBoot signing key on host {fqdn}'
- key_pem, cert_pem = generate_key_cert_pair(common_name=cn)
+ key_pem, cert_pem = generate_key_cert_pair(
+ common_name=cn,
+ valid_days=opts.sb_cert_validity,
+ )
 print(f'Writing SecureBoot private key to {opts.sb_key}')
 with temporary_umask(0o077):
 opts.sb_key.write_bytes(key_pem)
@@ -1153,6 +1156,14 @@ uki.addon,1,UKI Addon,uki.addon,1,https://www.freedesktop.org/software/systemd/m
 help = 'required by --signtool=pesign. pesign needs a certificate nickname of nss certificate database entry to use for PE signing',
 config_key = 'UKI/SecureBootCertificateName',
 ),
+ ConfigItem(
+ '--secureboot-certificate-validity',
+ metavar = 'DAYS',
+ dest = 'sb_cert_validity',
+ default = 365 * 10,
+ help = "period of validity (in days) for a certificate created by 'genkey'",
+ config_key = 'UKI/SecureBootCertificateValidity',
+ ),
 ConfigItem(
 '--sign-kernel',
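Review bot: `valid_days` is now a required parameter inserted ahead of `keylength`, so any caller that passed `keylength` positionally would now silently bind that value to `valid_days`; if positional callers exist, making both keyword-only, `def generate_key_cert_pair(common_name: str, *, valid_days: int, keylength: int = 2048)`, removes the ambiguity at no cost to the keyword call in the next hunk. The validity period now comes from user configuration instead of a fixed constant, and nothing in the signature rejects a zero or negative day count, which would presumably yield a certificate already expired when it is written; a guard at the top of the body, `if valid_days <= 0: raise ValueError('valid_days must be a positive number of days')`, fails early with a clear message. The body of generate_key_cert_pair continues outside the hunk, so whether such a check already exists there cannot be seen here.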
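Review bot: `opts.sb_cert_validity` is passed straight into a parameter annotated `valid_days: int`, but the ConfigItem that defines `--secureboot-certificate-validity` in the later hunk declares no `type`, so a value supplied on the command line would arrive as a string while only the `365 * 10` default is an int; the same likely applies to `UKI/SecureBootCertificateValidity` from a config file, depending on how that loader coerces values, which is not visible here. Adding `type = int,` to that ConfigItem makes both paths agree and lets argparse reject non-numeric input up front instead of failing deep inside certificate generation. The enclosing generate_keys function starts before this hunk.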