
Microsoft has announced that after 15 years, the Secure Boot certificates built into Windows systems are starting to expire. To stay protected and keep devices running smoothly, new certificates will need to be installed. These certificates form the foundation of trust for the operating system.

So, what exactly is Secure Boot?

Secure Boot is a security feature built into UEFI (Unified Extensible Firmware Interface) that ensures only trusted software is allowed to run when your computer starts up. It does this by checking the digital signature of each piece of boot software, such as drivers and the operating system, against a list of trusted keys stored in the system’s firmware.

As an industry standard, Secure Boot defines how firmware manages these certificates and verifies firmware integrity, and how the operating system interacts with this process.

This whole trust system is based on Public Key Infrastructure (PKI), which uses Certificate Authorities (CAs) to manage and store digital certificates. These CAs, which could be Microsoft, OEMs (Original Equipment Manufacturers), or their partners, create the key pairs that act as the root of trust for the device, as shown in the diagram below.

To continue running Windows and receiving regular updates for your Secure Boot configuration, you will need to update these certificates.

  • KEK: Key Enrollment Key
  • CA: Certificate Authority
  • DB: Secure Boot Signature Database
  • DBX: Secure Boot Revoked Signature Database

Update KEK and DBX for Secure Boot

During the renewal of the Microsoft Corporation UEFI CA 2011 certificate, Microsoft introduced two separate certificates: one for bootloader signing and another for option ROM signing. This separation provides more granular control over what the system trusts during the boot process.

The key takeaway from my blog post is that I have done the heavy lifting by reviewing numerous Microsoft articles in order to help you clearly understand and correctly implement this safeguard.

In the following referenced article, you will learn all you need to stay protected: Enable Secure Boot: Fix Secure Boot certificates expiration - TechDirectArchive

As you can see from the formal DB update I have performed, the certificate chain includes the new Windows UEFI CA 2023.
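As an added example (not code from the original post or from Microsoft's article), the PowerShell script below walks the EFI_SIGNATURE_LIST structures in a Secure Boot variable via the built-in Get-SecureBootUEFI cmdlet and lists every X.509 certificate with its expiry date, so you can see for yourself whether Windows UEFI CA 2023 is already present in db and which 2011-era certificates are approaching expiry. It assumes an elevated PowerShell session on a UEFI system with Secure Boot available.

```powershell
# Added example, not part of the original post: list the X.509 certificates held
# in a Secure Boot variable and their expiry dates. Assumes an elevated PowerShell
# session on a UEFI system; Get-SecureBootUEFI is the built-in SecureBoot cmdlet.
# Parsing follows the UEFI EFI_SIGNATURE_LIST / EFI_SIGNATURE_DATA layout.

function Get-SecureBootCertificates {
    param([ValidateSet('PK', 'KEK', 'db', 'dbx')][string]$Name = 'db')

    $x509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID
    $bytes    = (Get-SecureBootUEFI -Name $Name).Bytes
    $pos      = 0
    while ($pos + 28 -le $bytes.Length) {
        # EFI_SIGNATURE_LIST header: SignatureType GUID (16 bytes), then three UInt32 sizes
        $sigType  = [guid]::new([byte[]]$bytes[$pos..($pos + 15)])
        $listSize = [int][BitConverter]::ToUInt32($bytes, $pos + 16)
        $hdrSize  = [int][BitConverter]::ToUInt32($bytes, $pos + 20)
        $sigSize  = [int][BitConverter]::ToUInt32($bytes, $pos + 24)
        if ($listSize -lt 28) { break }   # malformed list: stop rather than loop forever
        $listEnd  = $pos + $listSize
        if ($sigType -eq $x509Guid) {
            # Each EFI_SIGNATURE_DATA: SignatureOwner GUID (16 bytes) followed by a DER certificate
            for ($p = $pos + 28 + $hdrSize; $p + $sigSize -le $listEnd; $p += $sigSize) {
                $der  = [byte[]]$bytes[($p + 16)..($p + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{
                    Variable   = $Name
                    Subject    = $cert.Subject
                    NotAfter   = $cert.NotAfter
                    Expired    = ($cert.NotAfter -lt (Get-Date))
                    Thumbprint = $cert.Thumbprint
                }
            }
        }
        $pos = $listEnd
    }
}

# Dump PK, KEK and db (dbx is mostly SHA-256 hashes, so it yields few or no certificates)
'PK', 'KEK', 'db' | ForEach-Object { Get-SecureBootCertificates -Name $_ } | Format-Table -AutoSize

# After the update described in the post, db should carry the new CA alongside the 2011 one
$dbSubjects = @(Get-SecureBootCertificates -Name db | Select-Object -ExpandProperty Subject)
if ($dbSubjects -match 'Windows UEFI CA 2023') {
    'db contains Windows UEFI CA 2023'
} else {
    Write-Warning 'db does not yet contain Windows UEFI CA 2023; apply the certificate update'
}
```

The Expired column turns true once a certificate's NotAfter date has passed, which is the condition the post is warning about.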

nice guide thx for share ;) 


Wow did not realize this.  Thanks for sharing.


Thank you, @Link State


You are welcome 


Great heads up, @Iams3le. Thanks for sharing.


You are welcome 


Thank you @Iams3le for sharing this guide with clear details.


Cheers!


This is great, thanks for the share @Iams3le 👏


Appreciate your kind words! 


Great job, thanks for share


You are welcome 

