HP Sure Recover User Guide
Table Of Contents
- Getting started
- Creating a corporate image
- Using the HP Sure Recover Agent Within a Corporate Firewall
- Working with the HP Client Management Script Library (CMSL)
- Troubleshooting

[System.IO.File]::WriteAllLines($pathToManifest + '\' + $mftFilename, 
$content, $encoding)
2. Save the script.
3. Execute the script.
powershell .\generate-manifest.ps1
Generating manifest signature
Sure Recover validates the agent and image using cryptographic signatures. The following examples use a 
private/public key pair in X.509 PEM format (.PEM extension). Adjust the commands as appropriate to use DER 
binary certificates (.CER or .CRT extension), BASE-64 encoded PEM certificates (.CER or .CRT extension), or 
PKCS1 PEM files (.PEM extension). The example also uses OpenSSL, which generates signatures in big-endian 
format. You can use any utility to sign manifests, but some BIOS versions only support signatures in 
little-endian format.
1. Generate a 2048-bit RSA private key using the following command. If you have a 2048-bit RSA private/
public key pair in PEM format, copy them to C:\staging, and then skip to step 3.
openssl genrsa -out my-recovery-private.pem 2048
2. Generate the public key from your private key (if you have a public key corresponding to your private key 
in PEM format, copy it to C:\staging), using the following command:
openssl rsa -in my-recovery-private.pem -pubout -out my-recovery-public.pem
3. Create a signature file (using sha256-based hash) based on your 2048-bit RSA private key from step 1, 
using the following command:
openssl dgst -sha256 -sign my-recovery-private.pem -out custom.sig custom.mft
4. Verify the signature file, using your public key from the previous step, using the following command:
openssl dgst -sha256 -verify my-recovery-public.pem -signature custom.sig custom.mft
NOTE:
● If you need to create a signature file only, the required steps are 1 and 3.
● For HP Sure Recover, the minimum required steps are 1, 2, and 3. You need the public key from step 2 to 
provision your target system.
● Step 4 is optional but recommended so that your signature file and manifest file validate correctly.
Hosting the files
Host the following files on your server from the C:\staging folder:
● *.swm
● custom.mft (or the file name you chose for the manifest file)
● custom.sig (or the matching file name you chose for the signature file)
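Steps 3 and 4 and the hosting list above, combined into one PowerShell script that stops before anything is published if the signature does not verify. This is an added example, not code from the HP guide; it assumes openssl.exe is on PATH, assumes the little-endian form is the big-endian signature with its bytes reversed, and uses custom-le.sig as a hypothetical output name.

```powershell
# Added example, not HP's code. Assumes openssl.exe is on PATH and the file
# names from steps 1-4; custom-le.sig is a hypothetical output name.
$ErrorActionPreference = 'Stop'   # make .NET exceptions stop the script

$staging  = 'C:\staging'
$private  = Join-Path $staging 'my-recovery-private.pem'
$public   = Join-Path $staging 'my-recovery-public.pem'
$manifest = Join-Path $staging 'custom.mft'
$sigBE    = Join-Path $staging 'custom.sig'
$sigLE    = Join-Path $staging 'custom-le.sig'

# Step 3: sign the manifest (SHA-256, RSA private key).
& openssl dgst -sha256 -sign $private -out $sigBE $manifest
if ($LASTEXITCODE -ne 0) { throw "openssl signing failed (exit code $LASTEXITCODE)" }

# Step 4: verify with the public key that will be provisioned to the target.
& openssl dgst -sha256 -verify $public -signature $sigBE $manifest | Out-Null
if ($LASTEXITCODE -ne 0) { throw "custom.sig does not verify against custom.mft" }

# A 2048-bit RSA signature is exactly 256 bytes; anything else means the
# wrong key size or a damaged file.
$sig = [System.IO.File]::ReadAllBytes($sigBE)
if ($sig.Length -ne 256) { throw "Expected 256-byte signature, got $($sig.Length)" }

# Assumption: the little-endian form is the same bytes in reverse order.
[Array]::Reverse($sig)
[System.IO.File]::WriteAllBytes($sigLE, $sig)

# Files to host, per the list above. Selecting by name keeps the PEM keys,
# which sit in the same folder, out of the upload set.
$toHost = @(Get-ChildItem -Path $staging -Filter '*.swm') + @(Get-Item $manifest, $sigBE)
$toHost | Select-Object Name, Length
```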