CTE Agent Installation with UEFI Secure Boot
If you want to install the CTE Agent software on a Linux system that has UEFI Secure Boot enabled, you must first download the appropriate Thales public certificate and add that certificate to the MOK (Machine Owner Key) list on the host.
The Thales public certificate is valid for three years from the date of issuance. Six months before the current public certificate is set to expire, Thales will release an advisory along with the new certificate that will become valid after the six month grace period expires. You can add the new certificate to the MOK list on all UEFI Secure Boot hosts any time before the old certificate expires, and CTE will automatically start using the new certificate when the old certificate expires.
Public Certificate Naming Convention
The Thales public certificate name is CTE_Secure_Boot_Cert_MM-DD-YYYY.der. For example, CTE_Secure_Boot_Cert_05-15-2023.der.
Getting the Current Public Certificate
You can get the current public certificate in any of the following ways:
- From the CTE Agent installation file using the -e option. For example:
  ./vee-fs-7.4.0-95-rh8-x86_64.bin -e
- Download from the Thales public directory CTE_Secure_Boot Repository:
  $ curl -O https://packages.vormetric.com/pub/CTE_Secure_Boot/CTE_Secure_Boot_Cert_05-15-2023.pem
- Thales Customer Support Portal: KB0027431
The certificate on these sites is in PEM format. It must be converted to DER format before it can be added to the MOK list. For example, if the current certificate name is CTE_Secure_Boot_Cert_05-15-2023.pem, convert the certificate using the following command:
openssl x509 -inform PEM -outform DER -in CTE_Secure_Boot_Cert_05-15-2023.pem \
  -out CTE_Secure_Boot_Cert_05-15-2023.der
Adding the Certificate to the MOK List
During this procedure, you will need to reboot the Linux host and then respond to a system prompt as soon as the host restarts. Make sure that all users accessing the host know that it will reboot and that you can respond to the system prompt as soon as the host restarts.
- Log into the host as root.
- Use the mokutil --import <cert-name> command to add the certificate to the MOK list. For example, if the certificate name is CTE_Secure_Boot_Cert_05-15-2023.der, enter:
  mokutil --import CTE_Secure_Boot_Cert_05-15-2023.der
- Enter and confirm a password for this request when prompted.
- Reboot the host and follow the instructions on the console when the host is back online. You will need to enter the password you created in the previous step when prompted. For detailed information, refer to the specific instructions for each Linux distribution.
  If you do not respond to the system prompt to update the MOK when the host restarts, the prompt will time out and you will need to run the mokutil command again.
- When prompted, reboot the host again.
- After the host has rebooted for the second time, verify that the certificate has been properly added to the MOK list using the mokutil --test-key command. For example:
  mokutil --test-key CTE_Secure_Boot_Cert_05-15-2023.der
  Response:
  CTE_Secure_Boot_Cert_05-15-2023.der is already enrolled
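The script below is an added example, not Thales tooling: it turns the procedure above into repeatable checks (PEM to DER conversion, a SHA-256 fingerprint to compare the downloaded copy with the one extracted via the installer's -e option, an expiry check aligned with the six-month advisory window, and an enrollment step that only runs mokutil --import when the certificate is not already in the MOK list). It assumes openssl and mokutil are on PATH and reuses the page's example file name; the full flow runs only when CTE_ENROLL=1 is set.

```shell
#!/bin/sh
# Added example, not Thales tooling: pre-enrollment checks for the CTE Secure Boot certificate.
# Assumes openssl and mokutil are on PATH; the file names are the page's examples.
set -eu

# Convert the PEM certificate from the Thales repository to the DER form that mokutil expects.
pem_to_der() {                       # $1 = input .pem, $2 = output .der
    openssl x509 -inform PEM -outform DER -in "$1" -out "$2"
}

# SHA-256 fingerprint of a certificate in either encoding, so the downloaded copy can be
# compared with the copy extracted from the installer (./vee-fs-...bin -e) before enrolling.
cert_fingerprint() {                 # $1 = file, $2 = PEM or DER
    openssl x509 -inform "$2" -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeeds only if the DER certificate is still valid for at least $2 more days
# (Thales issues a replacement six months before expiry, so 180 is a sensible threshold).
cert_valid_for_days() {              # $1 = .der file, $2 = days
    openssl x509 -inform DER -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Classify the text printed by `mokutil --test-key <cert.der>`.
mok_state() {                        # $1 = mokutil output; prints enrolled|missing|unknown
    case "$1" in
        *"is already enrolled"*) echo enrolled ;;
        *"is not enrolled"*)     echo missing ;;
        *)                       echo unknown ;;
    esac
}

# Queue the certificate for MOK enrollment only when it is not already enrolled.
# mokutil prompts for the one-time password; the reboot and console confirmation still follow.
enroll_if_missing() {                # $1 = .der file
    state=$(mok_state "$(mokutil --test-key "$1" 2>&1 || true)")
    case "$state" in
        enrolled) echo "$1 already in MOK list, nothing to do" ;;
        missing)  mokutil --import "$1" ;;
        *)        echo "unexpected mokutil output for $1" >&2; return 1 ;;
    esac
}
# Full flow; runs only when CTE_ENROLL=1 so the functions above can be sourced safely.
if [ "${CTE_ENROLL:-0}" = 1 ]; then
    pem_to_der CTE_Secure_Boot_Cert_05-15-2023.pem CTE_Secure_Boot_Cert_05-15-2023.der
    echo "SHA-256: $(cert_fingerprint CTE_Secure_Boot_Cert_05-15-2023.der DER)"
    cert_valid_for_days CTE_Secure_Boot_Cert_05-15-2023.der 180 \
        || echo "warning: certificate expires within 180 days, check for a Thales advisory" >&2
    enroll_if_missing CTE_Secure_Boot_Cert_05-15-2023.der
fi
```

Compare the printed fingerprint with the one of the certificate extracted by ./vee-fs-7.4.0-95-rh8-x86_64.bin -e before enrolling; a mismatch means the downloaded file is not the certificate the installer was signed with.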