[name]
cert-to-efi-hash-list - tool for converting openssl certificates to EFI signature hash revocation lists

[examples]

To take a standard X509 certificate in PEM format and
produce an output EFI signature list file, simply do

cert-to-efi-hash-list PK.crt PK.esl

Note that the format of EFI signature list files is such
that they can simply be concatenated to produce a file with
multiple signatures:

cat PK1.esl PK2.esl > PK.esl

If your platform has a setup mode key manipulation ability,
the keys will often only be displayed by GUID, so using the
-g option to give your keys recognisable GUIDs will be
useful if you plan to manage lots of keys.

[see also]

sign-efi-sig-list(1) for details on how to create an
authenticated update to EFI secure variables when the EFI
system is in user mode.

[note]

Signature revocation hashes are only implemented in UEFI 2.4 and up