Microsoft 2011 Cert Expire - older hardware?

A certificate that is used on many machines is due to expire soon. This cert is in the firmware (bios), and is used for secure boot.

A friend has older hardware ASUS Z97M-PLUS, and there are no “bios” updates available. I need to upgrade this machine to Rocky 9.8 (which has a new shim).

Can I go ahead with the Rocky 9.8 upgrade, and does it matter if I do it a) before Jun 26 2026, or after that date? Once the shim is updated, will it still be able to boot using the old Microsoft 2011 cert?

Even on more recent hardware, I’m not sure how the newer 2023 cert gets onto the machine, e.g. bios update, or something like fwupd?

I’m looking at a more recent machine right now, and only see the old certs:

sudo mokutil --db
[key 3]
Not After : Jun 27 21:32:45 2026 GMT
CN=Microsoft Corporation UEFI CA 2011
[key 4]
Not After : Oct 19 18:51:42 2026 GMT
CN=Microsoft Windows Production PCA 2011
mokutil --kek
[key 2]
Not After : Jun 24 20:51:29 2026 GMT
CN=Microsoft Corporation KEK CA 2011

I’m guessing, but if you aren’t booting into Windows, then the MS certs shouldn’t be a problem?

This is to do with Linux, not Windows. There’s a RHEL article about it.

https://developers.redhat.com/articles/2026/02/04/secure-boot-certificate-changes-2026-guidance-rhel-environments#

They are talking about dual signing of the shim, and then lower down it says “However, older systems might face issues…”

I could be wrong, but for older systems that only have the Microsoft Secure Boot certs for 2011, you can only do a fresh install with a distro that has been signed with the 2011 keys.
Ex: EL <= 8.10 or EL <= 9.8 or EL <= 10.2

I believe the expiration date comes into play when Microsoft has to sign any updates to the SHIM bootloader. They can only use the valid cert (i.e. 2023 one).

So it sounds like the big important step is to try to get the new 2023 cert into the “bios” of any old and new physical machines?

How can I check the sigs on the shim, e.g. extract shim from Rocky 9.7 and Rocky 9.8, and then use the command line to view the sigs (certs)?

Edit
Looks like ‘pesign’ is the command for checking sigs.

I just found this official Rocky article about it, which gives a good explanation of what to look out for.

https://rockylinux.org/news/2026-06-02-secure-boot-ca-kek-transition
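To go with the two questions above (what the firmware db/KEK currently trusts, and which CAs signed a given shim), here is an added helper script that is not from the thread or from Rocky. It assumes rpm2cpio, cpio, pesign and mokutil are installed, that the shim RPM ships shimx64.efi, and (as a heuristic) that the newer Microsoft CAs carry "2023" in their subject CN.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Assumes rpm2cpio, cpio, pesign and
# mokutil are installed and that the shim RPM ships shimx64.efi.
set -u

# Read `mokutil --db` / `mokutil --kek` output on stdin and print one line per
# certificate: "<Not After date><TAB><subject CN>". Handles both the trimmed
# listing shown in the thread and mokutil's full output (Subject: lines).
list_cert_expiry() {
  awk '
    /^\[key/ { if (cn != "") print na "\t" cn; cn = ""; na = "" }
    /Not After/ { sub(/.*Not After *: */, ""); na = $0 }
    /^ *Subject:/ || /^ *CN=/ { sub(/.*CN=/, ""); cn = $0 }
    END { if (cn != "") print na "\t" cn }
  '
}

# Heuristic (assumption): a 2023-generation Microsoft CA has "2023" in its
# subject CN. Prints "2023-present" or "2011-only" for the listing on stdin.
classify_db() {
  if list_cert_expiry | cut -f2 | grep -q '2023'; then
    echo 2023-present
  else
    echo 2011-only
  fi
}

# Extract shimx64.efi from a shim RPM without installing it and list the
# Authenticode signatures embedded in it; a dual-signed shim shows two
# signature blocks, each reporting its signer's common name.
shim_sigs_from_rpm() {
  rpm=$1
  workdir=$(mktemp -d)
  (cd "$workdir" && rpm2cpio "$rpm" | cpio -idm --quiet '*/shimx64.efi')
  efi=$(find "$workdir" -name shimx64.efi | head -n 1)
  pesign -S -i "$efi"
  rm -rf "$workdir"
}

# Usage: ./shimcheck.sh shim-x64-<ver>.rpm   (no argument: only defines functions)
if [ -n "${1:-}" ]; then
  echo "== Secure Boot db on this machine =="
  mokutil --db | list_cert_expiry
  echo "== db classification: $(mokutil --db | classify_db)"
  echo "== signatures in $1 =="
  shim_sigs_from_rpm "$1"
fi
```

Run it against both the 9.7 and 9.8 shim RPMs to compare how many signature blocks each carries; the db listing needs root, as in the thread's `sudo mokutil --db`.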