Unsolved

9 Legend • 15.5K Posts • April 13th, 2026 22:41

Dell BIOS expert key management question (only for Tesla or similar level tech experts)

9 Legend • 15.5K Posts • April 13th, 2026 22:44

The goal is to use Dell factory PK key to sign Microsoft KEK 2023 then append the signed copy to factory KEK.

Tesla may know the tricks, but I still don't understand how to create pk.key and pk.crt in the first place.
Background: KEK 2023 is not deployed by Windows Update on legacy or old Dell.

6 Professor • 1.4K Posts • April 14th, 2026 08:38

Hi

I know I am not qualified to answer, but the internet knows more than me...

To create PK.key and PK.crt for Secure Boot on a Windows‑7‑capable UEFI system, you generate a self‑signed X.509 certificate (the Platform Key) using OpenSSL, then enroll it in the UEFI firmware. You normally do this on a Windows box with PowerShell + OpenSSL, or on Linux, then copy the .cer (DER) file to a USB stick for UEFI enrollment.


What PK.key and PK.crt are
  • PK.key is the private RSA key that signs the other Secure Boot keys (KEK, DB).

  • PK.crt is the self‑signed X.509 certificate that the firmware trusts as the root of the Secure Boot chain.

UEFI expects the certificate in DER format (.cer), not PEM, so you usually convert PK.crt to PK.cer afterward.


Step 1: Install OpenSSL (on Windows)

If you’re doing this from Windows 7:

  • Download a Windows OpenSSL build (e.g., from a reputable source like https://github.com/openssl/openssl or a signed package).

  • Or, on a Linux machine, run the OpenSSL commands there and copy the files to USB for the target system.


Step 2: Generate PK.key and PK.crt

In a command prompt or terminal where OpenSSL is available:

```bash
openssl req -newkey rsa:2048 -nodes -keyout PK.key -x509 -days 3650 -subj "/CN=My Platform Key" -out PK.crt
```

This:

  • generates a 2048‑bit RSA private key (PK.key),

  • creates a self‑signed X.509 cert (PK.crt) valid for 10 years, with subject “My Platform Key”.

You can change /CN=... to your own name or organization.


Step 3: Convert PK.crt to DER (PK.cer)

UEFI Secure Boot wants the certificate in DER format:

```bash
openssl x509 -in PK.crt -outform DER -out PK.cer
```

Now you have:

  • PK.key – keep this secret and offline.

  • PK.cer – this is what you load into UEFI’s “Enroll PK” or “Custom Mode” menu.


Step 4: Enroll the PK in UEFI (Windows 7 system)

On the target machine:

  1. Reboot and enter UEFI Setup (usually F2, F10, or Del).

  2. Go to Secure Boot Configuration → switch to Custom Mode.

  3. Select Enroll Platform Key (PK) → Enroll PK from File.

  4. Browse to the USB stick and pick PK.cer.

  5. Confirm and reboot; Secure Boot will now be in “User Mode” under your PK.

Later you can similarly generate and enroll KEK and DB keys if you want to sign your own bootloaders or Windows images.

Also, you may already have tried the above.

9 Legend • 15.5K Posts • April 14th, 2026 14:10

Yes, it seems one can create one's own key and get rid of the Dell key…

The question is how to use the Dell factory key to sign a new cert.

If I download the Dell key from the BIOS, it has no extension; raw binary?

https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface
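The "raw binary with no extension" that a firmware setup menu exports for PK/KEK/db is an EFI_SIGNATURE_LIST (possibly several concatenated), and the same structure is what the earlier step-by-step post's PK.cer gets wrapped in before enrollment. The following is an added example, not code from this thread or from Dell: it builds a single-entry x509 signature list around a DER certificate and parses such a dump back into its certificates. The sample certificate bytes and the owner GUID are constructed placeholders, not a real Dell or Microsoft certificate; substitute the DER output of `openssl x509 -outform DER` for real use.

```python
"""Build and parse UEFI EFI_SIGNATURE_LIST blobs around X.509 DER certificates.

Added example for the forum thread above; not the thread's or Dell's own code.
SAMPLE_CERT_DER and EXAMPLE_OWNER_GUID are constructed placeholders.
"""
import struct
import uuid

# EFI_CERT_X509_GUID from the UEFI spec: marks a list whose entries are DER certs.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# SignatureOwner is free-form; this value is made up for the example.
EXAMPLE_OWNER_GUID = uuid.UUID("11111111-2222-3333-4444-555555555555")

# Constructed stand-in for a DER certificate (NOT a real certificate).
SAMPLE_CERT_DER = b"\x30\x82\x00\x10" + bytes(range(16))

# EFI_SIGNATURE_LIST header: SignatureType GUID(16), SignatureListSize,
# SignatureHeaderSize, SignatureSize (all little-endian UINT32).
_ESL_HDR = struct.Struct("<16sIII")


def build_esl(cert_der: bytes, owner: uuid.UUID = EXAMPLE_OWNER_GUID) -> bytes:
    """Wrap one DER certificate in a single-entry x509 EFI_SIGNATURE_LIST.

    EFI_GUID is mixed-endian on disk, which is exactly uuid's bytes_le layout.
    """
    sig_data = owner.bytes_le + cert_der          # one EFI_SIGNATURE_DATA
    sig_size = len(sig_data)
    header = _ESL_HDR.pack(
        EFI_CERT_X509_GUID.bytes_le,
        _ESL_HDR.size + sig_size,                  # header + exactly one entry
        0,                                         # x509 lists carry no extra header
        sig_size,
    )
    return header + sig_data


def parse_esl(blob: bytes):
    """Split a variable dump (one or more concatenated lists) into entries.

    Returns a list of (signature_type, owner, signature_data) tuples and
    raises ValueError on truncated or self-inconsistent size fields, so a
    half-copied dump is rejected rather than silently mis-parsed.
    """
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < _ESL_HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        type_raw, list_size, hdr_size, sig_size = _ESL_HDR.unpack_from(blob, off)
        if list_size < _ESL_HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError("EFI_SIGNATURE_LIST size exceeds blob")
        sig_type = uuid.UUID(bytes_le=type_raw)
        body = blob[off + _ESL_HDR.size + hdr_size: off + list_size]
        # Every entry is a 16-byte owner GUID followed by SignatureSize-16 bytes.
        if sig_size < 16 or len(body) % sig_size:
            raise ValueError("SignatureSize does not divide the list body")
        for i in range(0, len(body), sig_size):
            entry = body[i:i + sig_size]
            entries.append((sig_type, uuid.UUID(bytes_le=entry[:16]), entry[16:]))
        off += list_size
    return entries


def x509_certs(blob: bytes):
    """Return only the DER certificate bytes from an x509 signature-list dump."""
    return [data for sig_type, _owner, data in parse_esl(blob)
            if sig_type == EFI_CERT_X509_GUID]


if __name__ == "__main__":
    esl = build_esl(SAMPLE_CERT_DER)
    # A KEK dump often holds several lists back to back; emulate that here.
    for sig_type, owner, data in parse_esl(esl + esl):
        print(sig_type, owner, len(data), "bytes")
```

The blob this produces is only the payload. Appending it to KEK still requires wrapping it in a time-based authenticated variable (EFI_VARIABLE_AUTHENTICATION_2) signed by the private half of the PK that the firmware currently trusts, which is what efitools' sign-efi-sig-list does; that private key is what the thread is asking about and what the later replies say end users cannot obtain for the factory PK.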

9 Legend • 15.5K Posts • April 15th, 2026 01:06

AI:

Retrieving the OEM private Platform Key (PK) is generally impossible for end-users, as it is a highly secure, protected, and proprietary key used by manufacturers for signing firmware. Public keys can be viewed in UEFI BIOS, but private keys are stored in secure manufacturing modules and are not accessible.

9 Legend • 15.5K Posts • April 15th, 2026 01:07

It is generally impossible for end-users to obtain the private half of the OEM Platform Key (PK) because it is a "root of trust" secret held securely by the Original Equipment Manufacturer (OEM) to sign firmware. While end-users can replace the PK with their own self-signed keys, the original private key used by the OEM to sign factory firmware is not accessible. 

9 Legend • 15.5K Posts • April 15th, 2026 01:08

Question for Tesla: how did Tesla manage to update R6? I guess he must have deleted the factory key and installed a new personal private key.

9 Legend • 15.5K Posts • April 15th, 2026 11:25

I tried native Linux: deleting all Dell keys, creating new keys. The Dell BIOS would not work with me. If I save a Dell BIOS PK, it would not even acknowledge it back. If I create my own private key, the Dell BIOS would not accept it either. I seem about to give up unless Tesla has some insight on why it would not work.

8 Wizard • 17.4K Posts • April 15th, 2026 17:22

@redxps630,

1. how did Tesla manage to update R6?

2. I guess he must have deleted the factory key and installed new personal private key

2. AFAIK, the only way to "delete a key" is to Reset to Factory (Default) Keys and then not include it in the first place.

Once keys are added to the "Current" DB (the one the computer actually uses to boot) they can only be Revoked (seems like included but ignored).

1. I carefully used the open-source script package (that I shared with you privately). I only used the (one proper) script, and followed its directions carefully and methodically. I was really trying to avoid another red-box SecureBoot-Violation lock-out and lock-down (and was somehow successful in adding the KEK and doing so).

 

As I told you by DM, I do not wish to discuss this in any public forum. However, I would be glad to help you, and have provided multiple other private and semi-private ways to facilitate that. You can just continue in either of those.
