Hey Rebecca!

We actually have the following repo on github/secureboot_objects where you can get Secure Boot default releases and ask questions directly to the team that manages secure boot at Microsoft.

To answer your question,

The 2011 certificates are expiring in 2026 so we're beginning a transition away from them.

The expiring certificates are:

DB: Microsoft Windows Production PCA 2011
DB: Microsoft Corporation UEFI CA 2011 (Third Party)
KEK: Microsoft Corporation KEK CA 2011

The new certificates are:

DB: Windows UEFI CA 2023
DB: Microsoft UEFI CA 2023 (Third Party)
DB: Microsoft Option ROM UEFI CA 2023 (Only Option Roms (New behavior meant to improve configurability))
KEK: Microsoft Corporation KEK 2K CA 2023

Right now the guidance is to include both sets of certificates to provide the most compatibility during the transition and then at a point further in the future we'll begin remove the 2011 certificates from the default.

_._,_._,_
Groups.io Links:

You receive all messages sent to this group.

View/Reply Online (#120736) | | Mute This Topic | New Topic
Your Subscription | Contact Group Owner | Unsubscribe [rebecca@openfw.io]

_._,_._,_