Microsoft Community UEFI Secure Boot certificate expiring


Jeff Squyres

Jul 22, 2025, 5:27:39 PM
to KYOSS Discuss List
This is quite interesting — I literally presented about the backstory of this in the last KYOSS meeting (and in a few prior KYOSS meetings, too).

It has to do with how the Microsoft Community certificate is in all desktop/laptop/server firmware these days, and is therefore used to sign the boot loader of many (most?) Linux distros so that you can boot that Linux kernel while your hardware/firmware is in UEFI Secure Boot mode.  It turns out that that certificate is going to expire soon.  Microsoft created a new one in 2023, but some vendors have been slow to update to include that new certificate in their firmware.

End result: if you’re using UEFI Secure Boot to boot your Linux, you should update your motherboard and/or BMC firmware when your vendor issues an update to include the new Microsoft community certificate.  Otherwise, UEFI Secure Boot will stop working (i.e., the Linux boot loader will fail to validate once the certificate expires, and UEFI Secure Boot will refuse to load that Linux boot loader).  Additionally, after you update your motherboard and/or BMC firmware to have the new Microsoft community certificate, you’ll need to update your Linux boot loader to a version that is signed by the new Microsoft community certificate.

I checked my own company’s products (Cisco UCS servers); looks like we are shipping BMC firmware that includes both the old and new Microsoft certificates.  Yay us!  🤓

The old Microsoft community certificate expires June 27, 2026.
The new Microsoft community certificate started June 13, 2023 (and expires June 13, 2038).

https://www.tomshardware.com/tech-industry/cyber-security/microsoft-signing-key-required-for-secure-boot-uefi-bootloader-expires-in-september-which-could-be-problematic-for-linux-users 

-- 
{+} Jeff Squyres
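A check for the question this message raises (does a machine's Secure Boot db already carry a CA that outlives June 2026?), added here as an example and not code from the original post: it walks the EFI_SIGNATURE_LIST entries of a db dump and pulls commonName and notAfter out of each X.509 certificate with a minimal DER walker. It runs on constructed stand-in certificates; on a Linux box the real input is the content of /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f with its 4-byte attribute prefix dropped (the CA names in the sample are the real subjects, the dates are the ones quoted above, and the certificate blobs themselves are unsigned fakes).

```python
import datetime, struct
EFI_CERT_X509_GUID = bytes.fromhex("a159c0a5e494a74a87b5ab155c2bf072")  # a5c059a1-94e4-4aa7-87b5-ab155c2bf072, little-endian layout
def der_children(buf):
    """Split DER content into (tag, value) TLVs; definite lengths only, which is all X.509 uses."""
    out, pos = [], 0
    while pos < len(buf):
        tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
        if ln & 0x80:                                    # long form: low 7 bits give the number of length bytes
            n = ln & 0x7F
            ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        out.append((tag, buf[pos:pos + ln]))
        pos += ln
    return out
def cert_summary(cert_der):
    """Return (commonName, notAfter) for one X.509 DER certificate; notAfter is an aware UTC datetime."""
    fields = der_children(der_children(der_children(cert_der)[0][1])[0][1])  # Certificate -> tbsCertificate -> fields
    fields = fields[1:] if fields[0][0] == 0xA0 else fields  # v3 certs open with an explicit [0] version
    validity, subject = fields[3][1], fields[4][1]           # serial, sigAlg, issuer, validity, subject
    tag, not_after = der_children(validity)[1]
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime (dates through 2049) vs GeneralizedTime
    i = subject.find(b"\x06\x03\x55\x04\x03")                # OID 2.5.4.3 = commonName; its value follows
    cn = der_children(subject[i + 5:])[0][1].decode("utf-8", "replace") if i >= 0 else "<no CN>"
    return cn, datetime.datetime.strptime(not_after.decode(), fmt).replace(tzinfo=datetime.timezone.utc)
def db_certs(data):
    """Walk the EFI_SIGNATURE_LISTs of a db dump; return (commonName, notAfter) per X.509 entry, soonest first."""
    found, pos = [], 0
    while pos + 28 <= len(data):
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, pos + 16)
        entry = pos + 28 + hdr_size
        while data[pos:pos + 16] == EFI_CERT_X509_GUID and entry + sig_size <= pos + list_size:
            found.append(cert_summary(data[entry + 16:entry + sig_size]))  # skip the 16-byte SignatureOwner GUID
            entry += sig_size
        pos += max(list_size, 28)                                # never stall on a zero-length list
    return sorted(found, key=lambda cn_exp: cn_exp[1])
def still_valid_after(data, when):  # CNs of db CAs whose notAfter is later than `when`; empty means none outlives it
    return [cn for cn, exp in db_certs(data) if exp > when]

# --- constructed sample data: unsigned stand-ins carrying only the fields cert_summary reads ---
def _der(tag, body):
    return bytes([tag, len(body)] if len(body) < 128 else [tag, 0x81, len(body)]) + body
def sample_cert(cn, not_after):
    name = _der(0x30, _der(0x31, _der(0x30, b"\x06\x03\x55\x04\x03" + _der(0x0C, cn.encode()))))
    validity = _der(0x30, _der(0x17, b"110101000000Z") + _der(0x17, not_after.encode()))
    tbs = _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"") + name + validity + name
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
def sample_db():  # one EFI_SIGNATURE_LIST per CA; real CA names, expiry dates as quoted in the message
    cas = (("Microsoft Corporation UEFI CA 2011", "260627000000Z"), ("Microsoft UEFI CA 2023", "380613000000Z"))
    sigs = [bytes(16) + sample_cert(cn, exp) for cn, exp in cas]      # zeroed SignatureOwner GUID + certificate
    return b"".join(EFI_CERT_X509_GUID + struct.pack("<III", 28 + len(s), 0, len(s)) + s for s in sigs)
```

`mokutil --db` prints the same certificates in human-readable form if you would rather not parse the variable yourself; the point of the script is the date comparison, which mokutil leaves to you.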

Michael Speer

Jul 22, 2025, 6:53:20 PM
to kyoss-...@kyoss.dev

Microsoft really missed their chance by not instead issuing the new cert on Jan 18th 2023 at around 22:14:07 EST


Alan Blount

Jul 23, 2025, 10:31:32 PM
to kyoss-...@kyoss.dev
I'm getting Y2K vibes... is there some calendar or epoch counting system where "June 27, 2026" is a friendly round number?


Cheers,
-alan
I am a human person and I wrote the above message.


Deven Phillips

Jul 24, 2025, 12:52:05 AM
to KYOSS general discussion list
Alan,

No, but it would have expired at the same time as the 32-bit Unix epoch in 2038 if the issue date was adjusted.

Deven 