Description of problem:
I build custom kernels so I can use an rtl2832 as an entropy gathering device.  When I create local keys and sign those kernels using pesign, they show as signed, but the boot process does not recognize them.  mokutil shows the key to be in the mok database.

Version-Release number of selected component (if applicable):
Name        : pesign
Version     : 0.112
Release     : 22.fc28
Architecture: x86_64


How reproducible:
Every time.


Steps to Reproduce:
1. Build a custom kernel
2. Sign with local key
3. See below for key creation process

Actual results:
Secure boot rejects the kernel, though it boots fine with secure boot turned off.

Expected results:
Secure boot boots kernel.

Additional info:

This is the procedure used to create the local signing keys to sign a custom kernel for UEFI secure boot.  It is scrounged from a document by a SUSE developer, the Fedora pesign man page, and other bits and pieces from around the web.  Since it isn't working, it might be wrong, though the parts I can examine seems to be working.  Perform while running in secure boot UEFI.

If you are going to do this where security is important, you should do it on a USB key so you can remove it from the system when done.  Here, I did it all in /root and in /etc/pki/pesign.

The configuration file needed for openssl to create the keys.
Create in the home directory for root.  You can cut and paste the below.
cat configuration_file.config 

[ req ]
default_bits = 4096
distinguished_name = Fedora Installation
prompt = no
string_mask = utf8only
x509_extensions = myexts

[ Fedora Installation ]
O = TipTop
CN = kernel_signing_key
emailAddress = oort_cloud

[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid


=Creating the public and private key.
openssl req -x509 -new -newkey rsa:4096 -nodes -utf8 -sha256 -days 36500 -batch -config ./configuration_file.config -outform DER -out public_key.der -keyout private_key.priv

=Telling mok that on next boot, use root password to import key into its
=database.  This is using root password for verification.  Only works in secure =boot.
mokutil -P --import public_key.der

=At next secure boot a dialog will come up.  If you select the wrong entry, you =will go down the rabbit hole, and will have to do the setup again as there =doesn't seem to be any recovery.  ESC doesn't take you up a level.  I think it =is the top entry you want.

=Check that it has been added with
mokutil -l
=This only works when booted in UEFI secure boot.

=Converting der to pem using openssl.
openssl x509 -inform DER -in public_key.der -outform PEM -out public_key.pem

=Convert the private key and pem certificate to a pk12 structure.
openssl pkcs12 -export -inkey private_key.priv -in public_key.pem -name kernel_cert -out kernel_cert.p12
Enter Export Password:
Verifying - Enter Export Password:

=Import pkcs12 file into pesign db
pk12util -i kernel_cert.p12 -d /etc/pki/pesign
Enter password for PKCS12 file: 
pk12util: PKCS12 IMPORT SUCCESSFUL

=Replace vmlinuz.signed and bzImage with the vmlinuz of the kernel being signed.
=Sign the new kernel.  Note that --force isn't implemented yet, so can't do in =place.
pesign  --certdir /etc/pki/pesign --certificate kernel_cert --in /boot/vmlinuz-5.2.0-0.rc4.git0.1.20190612.fc31.x86_64 --out /boot/vmlinuz-5.2.0-0.rc4.git0.1.20190612.fc31.x86_64.signed --sign

# Check signing
pesign -S -i vmlinuz-5.2.0-0.rc4.git0.1.20190612.fc31.x86_64.signed

Replace the original kernel with the signed version.

This is the custom kernel that fails to boot.

 pesign -S -i /boot/vmlinuz-5.2.0-0.rc4.git0.1.20190610.fc31.x86_64
---------------------------------------------
certificate address is 0x7f62ad9cf4a8
Content was not encrypted.
Content is detached; signature cannot be verified.
The signer's common name is Red Hat Test Certificate
No signer email address.
Signing time: Mon Jun 10, 2019
There were certs or crls included.
---------------------------------------------
certificate address is 0x7f62ad9cffa0
Content was not encrypted.
Content is detached; signature cannot be verified.
The signer's common name is kernel_signing_key
The signer's email address is oort_cloud
Signing time: Tue Jun 11, 2019
There were certs or crls included.
---------------------------------------------

This is a stock fedora kernel signed with the local key, and it *does* boot.

$ pesign -S -i /boot/vmlinuz-5.2.0-0.rc3.git0.1.fc31.x86_64
---------------------------------------------
certificate address is 0x7f978a627988
Content was not encrypted.
Content is detached; signature cannot be verified.
The signer's common name is Fedora Secure Boot Signer
No signer email address.
Signing time: Mon Jun 03, 2019
There were certs or crls included.
---------------------------------------------
certificate address is 0x7f978a6282d0
Content was not encrypted.
Content is detached; signature cannot be verified.
The signer's common name is kernel_signing_key
The signer's email address is oort_cloud
Signing time: Wed Jun 12, 2019
There were certs or crls included.
---------------------------------------------