diff --git a/man/uki.conf.example b/man/uki.conf.example
index 84a9f77b8d7..9fcae71e852 100644
--- a/man/uki.conf.example
+++ b/man/uki.conf.example
@@ -1,14 +1,14 @@
[UKI]
-SecureBootPrivateKey=/etc/kernel/secure-boot.key.pem
-SecureBootCertificate=/etc/kernel/secure-boot.cert.pem
+SecureBootPrivateKey=/etc/kernel/secure-boot-key.pem
+SecureBootCertificate=/etc/kernel/secure-boot-certificate.pem
[PCRSignature:initrd]
Phases=enter-initrd
-PCRPrivateKey=/etc/kernel/pcr-initrd.key.pem
-PCRPublicKey=/etc/kernel/pcr-initrd.pub.pem
+PCRPrivateKey=/etc/systemd/tpm2-pcr-private-key-initrd.pem
+PCRPublicKey=/etc/systemd/tpm2-pcr-public-key-initrd.pem
[PCRSignature:system]
Phases=enter-initrd:leave-initrd enter-initrd:leave-initrd:sysinit
enter-initrd:leave-initrd:sysinit:ready
-PCRPrivateKey=/etc/kernel/pcr-system.key.pem
-PCRPublicKey=/etc/kernel/pcr-system.pub.pem
+PCRPrivateKey=/etc/systemd/tpm2-pcr-private-key-system.pem
+PCRPublicKey=/etc/systemd/tpm2-pcr-public-key-system.pem
diff --git a/man/ukify.xml b/man/ukify.xml
index 983e89c270e..a11eb85c917 100644
--- a/man/ukify.xml
+++ b/man/ukify.xml
@@ -619,11 +619,11 @@
--initrd=/some/path/initramfs-6.0.9-300.fc37.x86_64.img \
--sbat='sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
uki.author.myimage,1,UKI for System,uki.author.myimage,1,https://uapi-group.org/specifications/specs/unified_kernel_image/' \
- --pcr-private-key=pcr-private-initrd-key.pem \
- --pcr-public-key=pcr-public-initrd-key.pem \
+ --pcr-private-key=tpm2-pcr-private-key-initrd.pem \
+ --pcr-public-key=tpm2-pcr-public-key-initrd.pem \
--phases='enter-initrd' \
- --pcr-private-key=pcr-private-system-key.pem \
- --pcr-public-key=pcr-public-system-key.pem \
+ --pcr-private-key=tpm2-pcr-private-key-system.pem \
+ --pcr-public-key=tpm2-pcr-public-key-system.pem \
--phases='enter-initrd:leave-initrd enter-initrd:leave-initrd:sysinit \
enter-initrd:leave-initrd:sysinit:ready' \
--pcr-banks=sha384,sha512 \
@@ -638,9 +638,9 @@
and initramfs-6.0.9-300.fc37.x86_64.img.
The policy embedded in the .pcrsig section will be signed for the initrd (the
enter-initrd phase) with the key
- pcr-private-initrd-key.pem, and for the main system (phases
+ tpm2-pcr-private-key-initrd.pem, and for the main system (phases
leave-initrd, sysinit, ready) with the
- key pcr-private-system-key.pem. The Linux binary and the resulting
+ key tpm2-pcr-private-key-system.pem. The Linux binary and the resulting
combined image will be signed with the SecureBoot key sb.key.
@@ -655,19 +655,19 @@
Initrd=early_cpio
Cmdline=quiet rw rhgb
-SecureBootPrivateKey=sb.key
-SecureBootCertificate=sb.cert
+SecureBootPrivateKey=secure-boot-key.pem
+SecureBootCertificate=secure-boot-certificate.pem
SignKernel=yes
PCRBanks=sha384,sha512
[PCRSignature:initrd]
-PCRPrivateKey=pcr-private-initrd-key.pem
-PCRPublicKey=pcr-public-initrd-key.pem
+PCRPrivateKey=tpm2-pcr-private-key-initrd.pem
+PCRPublicKey=tpm2-pcr-public-key-initrd.pem
Phases=enter-initrd
[PCRSignature:system]
-PCRPrivateKey=pcr-private-system-key.pem
-PCRPublicKey=pcr-public-system-key.pem
+PCRPrivateKey=tpm2-pcr-private-key-system.pem
+PCRPublicKey=tpm2-pcr-public-key-system.pem
Phases=enter-initrd:leave-initrd
enter-initrd:leave-initrd:sysinit
enter-initrd:leave-initrd:sysinit:ready
@@ -687,8 +687,8 @@ $ ukify -c ukify.conf build \
Kernel command line PE addon
ukify build \
- --secureboot-private-key=sb.key \
- --secureboot-certificate=sb.cert \
+ --secureboot-private-key=secure-boot-key.pem \
+ --secureboot-certificate=secure-boot-certificate.pem \
--cmdline='debug' \
--sbat='sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
uki-addon.author,1,UKI Addon for System,uki-addon.author,1,https://www.freedesktop.org/software/systemd/man/systemd-stub.html'
@@ -709,12 +709,12 @@ $ ukify -c ukify.conf build \
Next, we can generate the certificate and keys:
# ukify genkey --config=/etc/kernel/uki.conf
-Writing SecureBoot private key to /etc/kernel/secure-boot.key.pem
-Writing SecureBoot certificate to /etc/kernel/secure-boot.cert.pem
-Writing private key for PCR signing to /etc/kernel/pcr-initrd.key.pem
-Writing public key for PCR signing to /etc/kernel/pcr-initrd.pub.pem
-Writing private key for PCR signing to /etc/kernel/pcr-system.key.pem
-Writing public key for PCR signing to /etc/kernel/pcr-system.pub.pem
+Writing SecureBoot private key to /etc/kernel/secure-boot-key.pem
+Writing SecureBoot certificate to /etc/kernel/secure-boot-certificate.pem
+Writing private key for PCR signing to /etc/systemd/tpm2-pcr-private-key-initrd.pem
+Writing public key for PCR signing to /etc/systemd/tpm2-pcr-public-key-initrd.pem
+Writing private key for PCR signing to /etc/systemd/tpm2-pcr-private-key-system.pem
+Writing public key for PCR signing to /etc/systemd/tpm2-pcr-public-key-system.pem
(Both operations need to be done as root to allow write access