UEFI Secure Boot Tutorial
Intel recently posted the "Practical UEFI Secure Boot" video series to YouTube, which addresses common questions about using this feature with Microsoft Windows 8 and Linux.
Information referenced by the videos is included below.
Required Security Credentials
Key Exchange Key (KEK): http://www.microsoft.com/pkiops/certs/MicCorKEKCA2011_2011-06-24.crt
There are two DB entries - one for Windows and one for the UEFI Certificate Authority (CA).
The UEFI DB entry allows binaries signed against the UEFI certificate authority to run when secure boot is enabled. This includes UEFI drivers, option ROMs and various Linux bootloaders. The Microsoft DB entries are specific to Microsoft Windows 8.
The GUID associated with these certificates is 77fa9abd-0359-4d32-bd60-28f4e78f784b
Generating a PK using OpenSSL
openssl req -new -x509 -newkey rsa:2048 -keyout PK.key -out PK.crt
openssl x509 -in PK.crt -out PK.cer -outform DER
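As an added example (not from the videos or Intel's material), the Python sketch below shows how a DER certificate such as PK.cer and an owner GUID such as the one quoted above are packed into, and read back from, an EFI_SIGNATURE_LIST, the container the UEFI specification uses for X.509 entries in the Secure Boot key variables. The EFI_SIGNATURE_LIST layout and EFI_CERT_X509_GUID come from the UEFI specification, not from this page; the function names and the sample certificate bytes are constructed for illustration.

```python
import struct
import uuid

# EFI_CERT_X509_GUID (UEFI specification): the list holds DER X.509 certificates.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Owner GUID quoted on this page for the Microsoft certificates.
MICROSOFT_OWNER = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")
# SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
HEADER = struct.Struct("<16sIII")


def build_x509_siglist(der_cert: bytes, owner: uuid.UUID) -> bytes:
    """Wrap one DER certificate in an EFI_SIGNATURE_LIST (hypothetical helper)."""
    if not der_cert.startswith(b"\x30"):
        raise ValueError("expected DER (ASN.1 SEQUENCE); convert with -outform DER")
    sig_size = 16 + len(der_cert)  # EFI_SIGNATURE_DATA = owner GUID + certificate
    total = HEADER.size + sig_size
    # EFI GUIDs are stored mixed-endian, which is what UUID.bytes_le produces.
    return (HEADER.pack(EFI_CERT_X509_GUID.bytes_le, total, 0, sig_size)
            + owner.bytes_le + der_cert)


def parse_siglists(blob: bytes):
    """Return [(owner GUID, certificate bytes)] for every X.509 entry in blob."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type, total, hdr_size, sig_size = HEADER.unpack_from(blob, off)
        body, end = off + HEADER.size + hdr_size, off + total
        if total < HEADER.size + hdr_size or end > len(blob) or sig_size <= 16:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        if (end - body) % sig_size:
            raise ValueError("signature area is not a multiple of SignatureSize")
        if uuid.UUID(bytes_le=sig_type) == EFI_CERT_X509_GUID:
            for p in range(body, end, sig_size):
                owner = uuid.UUID(bytes_le=blob[p:p + 16])
                entries.append((owner, blob[p + 16:p + sig_size]))
        off = end  # concatenated lists follow one another directly
    return entries


# Constructed stand-in for PK.cer: a DER SEQUENCE header plus filler, not a real cert.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)

if __name__ == "__main__":
    esl = build_x509_siglist(SAMPLE_DER, MICROSOFT_OWNER)
    for owner, cert in parse_siglists(esl):
        print(owner, len(cert), "bytes")
```

Reading the owner GUID back out of each entry is a quick way to confirm which party a key database entry is attributed to before enrolling it.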
For more information on signing UEFI code for use with Secure Boot, refer to the "Signing UEFI Applications and Drivers for UEFI Secure Boot" document at tianocore.org.