Hey Rebecca!

We actually have the following repo on [github/secureboot_objects](https://github.com/microsoft/secureboot_objects) where you can get Secure Boot default releases and ask questions directly to the team that manages secure boot at Microsoft.

To answer your question,

The 2011 certificates are expiring in 2026 so we're beginning a transition away from them.

The expiring certificates are:

```
DB: Microsoft Windows Production PCA 2011
DB: Microsoft Corporation UEFI CA 2011 (Third Party)
KEK: Microsoft Corporation KEK CA 2011 
```
The new certificates are:

```
DB: Windows UEFI CA 2023
DB: Microsoft UEFI CA 2023 (Third Party)
DB: Microsoft Option ROM UEFI CA 2023 (Only Option Roms (New behavior meant to improve configurability))
KEK: Microsoft Corporation KEK 2K CA 2023
```

Right now the guidance is to include both sets of certificates to provide the most compatibility during the transition and then at a point further in the future we'll begin remove the 2011 certificates from the default.




-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#120736): https://edk2.groups.io/g/devel/message/120736
Mute This Topic: https://groups.io/mt/109402104/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-