+<li>If it's not already installed, install OpenSSL on your computer. (It
+ normally comes in a package called <tt>openssl</tt>.)</li>
+
+<li>If you did <i>not</i> re-sign your rEFInd binaries with
+ <tt>install.sh</tt>'s <tt>--localkeys</tt> option, type the following
+ two commands to generate your public and private keys:
+
+<pre class="listing">
+$ <tt class="userinput">openssl req -new -x509 -newkey rsa:2048 -keyout refind_local.key \
+ -out refind_local.crt -nodes -days 3650 -subj "/CN=Your Name/"</tt>
+$ <tt class="userinput">openssl x509 -in refind_local.crt -out refind_local.cer -outform DER</tt>
+</pre>
+
+ Change <tt>Your Name</tt> to your own name or other identifying
+ characteristics, and adjust the certificate's time span (set via
+ <tt>-days</tt>) as you see fit. If you omit the <tt>-nodes</tt> option,
+ the program will prompt you for a passphrase for added security.
+ Remember this, since you'll need it to sign your binaries. The result
+ is a private key file (<tt>refind_local.key</tt>), which is highly
+ sensitive since it's required to sign binaries, and two public keys
+ (<tt>refind_local.crt</tt> and <tt>refind_local.cer</tt>), which can be
+ used to verify signed binaries' authenticity. The two public key files
+ are equivalent, but are used by different
+ tools—<tt>sbsigntool</tt> uses <tt>refind_local.crt</tt> to sign
+ binaries, but MokManager uses <tt>refind_local.cer</tt> to enroll the
+ key. If you used <tt>install.sh</tt>'s <tt>--localkeys</tt> option,
+ this step is unnecessary, since these keys have already been created
+ and are stored in <tt>/etc/refind.d/keys</tt>.</li>
+
+<li>Copy the three key files to a secure location and adjust permissions
+ such that only you can read <tt>refind_local.key</tt>. You'll need
+ these keys to sign future binaries, so don't discard them.</li>
+
+<li>Copy the <tt>refind_local.cer</tt> file to your ESP, ideally to a
+ location with few other files. (MokManager's user interface becomes
+ unreliable when browsing directories with lots of files.)</li>
+
+<li>Download and install the <tt>sbsigntool</tt> package. Binary links for
+ various distributions are available from the <a
+ href="https://build.opensuse.org/package/show?package=sbsigntools&project=home%3Ajejb1%3AUEFI">OpenSUSE
+ Build Service</a>, or you can obtain the source code by typing <tt
+ class="userinput">git clone
+ git://kernel.ubuntu.com/jk/sbsigntool</tt>.</li>
+
+<li>Sign your binary by typing <tt class="userinput">sbsign --key
+ refind_local.key --cert refind_local.crt --output <tt
+ class="variable">binary-signed.efi binary.efi</tt></tt>, adjusting the
+ paths to the keys and the binary names.</li>
+
+<li>Copy your signed binary to a suitable location on the ESP for rEFInd to
+ locate it. Be sure to include any support files that it needs,
+ too.</li>
+
+<li>Check your <tt>refind.conf</tt> file to ensure that the
+ <tt>showtools</tt> option is either commented out or includes
+ <tt>mok_tool</tt> among its options.</li>
+
+<li>Reboot. You can try launching the boot loader you just installed, but
+ chances are it will generate an <tt>Access Denied</tt> message. For it
+ to work, you must launch MokManager using the tool that rEFInd presents
+ on its second row. You can then enroll your <tt>refind_local.cer</tt>
+ key just as you enrolled the <tt>refind.cer</tt> key.</li>