secure boot certificate expiration question


Markus Klocker

May 12, 2026, 5:32:17 AM
to ntsys...@googlegroups.com
Hi,
does anyone know how a VMware VM or even a normal computer behaves
when the 2011 CA stored in the DB expires and no 2023 cert was
installed in the UEFI db?
Does this machine boot or not?

Thank you in advance,
    Markus

Wright, John M

May 12, 2026, 8:06:47 AM
to ntsys...@googlegroups.com

I assume we’re talking about the secure boot CA. From my search:

“If devices fail to receive the new CA entries, they risk losing the ability to accept future DB/DBX/boot manager updates and could drift into a degraded pre‑boot security posture over time. Microsoft and OEMs are deliberately staging updates to avoid mass disruption; many modern devices shipped since 2024 already include the 2023 certificates in firmware.”

But to answer your question, every source I’ve found says the machines will still boot.

--

John Wright

IT Support Specialist

1800 Old Bluegrass Avenue, Louisville, KY 40215

502.708.9953

Please submit IT requests to Hazelwoo...@bluegrass.org

24 Hour Helpline 1.800.928.8000

CONFIDENTIALITY NOTICE: This message contains confidential information and is intended only for the individual(s) addressed in the message. If you are not the named addressee, you should not disseminate, distribute, or copy this e-mail. If you are not the intended recipient, you are notified that disclosing, distributing, or copying this e-mail is strictly prohibited.

Wright, John M

May 12, 2026, 8:36:18 AM
to ntsys...@googlegroups.com

Something a little more authoritative:  https://support.microsoft.com/en-us/topic/windows-secure-boot-certificate-expiration-and-ca-updates-7ff40d33-95dc-4c3c-8725-a9b95457578e

“Devices that haven’t received the newer 2023 certificates will continue to start and operate normally, and standard Windows updates will continue to install. However, these devices will no longer be able to receive new security protections for the early boot process, including updates to Windows Boot Manager, Secure Boot databases, revocation lists, or mitigations for newly discovered boot level vulnerabilities.”


Markus Klocker

May 12, 2026, 9:04:16 AM
to ntsys...@googlegroups.com
I know that article. Thank you.
Sounds like having a security chip to enter a building which expires next week, but you will still be able to enter the building to get your work done.
That just sounds somehow irritating to me, even though it is written there :).

    Markus

Chris Brewer

May 12, 2026, 9:43:35 AM
to ntsys...@googlegroups.com
I think your analogy is a little backwards. Secure Boot is the card reader, not the security card itself. If you let it expire, you won't be able to let new employees into the building and you risk being unable to lock out terminated employees. Existing employees can still work.

Thanks,
Chris

Markus Klocker

May 13, 2026, 2:05:57 AM
to ntsys...@googlegroups.com
Maybe I have a knot in my brain.

Let's assume secure boot is the card reader.
The bootloader would be the card. Right?

If that is true, the card is still signed with a cert that is running out in June 2026.
What I do not get now is how the card reader would validate the bootloader signed with a certificate that is not valid any more, because it's July now and the system for whatever reason did not receive any updates.
Please do enlighten me.

Thx
    Markus

Smith, Joel - smit33ja

May 13, 2026, 8:45:17 AM
to ntsys...@googlegroups.com
When code is signed, the signature includes a cryptographic timestamp. As long as the timestamp is before the certificate expired and the certificate has not been explicitly revoked, the signature will still validate.

Joel Smith
Senior Windows Systems Engineer
James Madison University
Check Real-Time JMU IT Systems Status

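To make the card-reader picture from Chris Brewer's and Joel Smith's replies concrete, here is an added Python model of the trust decision (written for this thread; it is not code from any poster, from Microsoft, or from real firmware). It shows the three checks the thread discusses: the signer must be in db, the image hash must not be in dbx, and the signing timestamp (not the current clock) must fall inside the signer's validity window; it also shows that an expired CA cannot sign a new image. All certificate dates and hashes are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum

UTC = timezone.utc

class Verdict(Enum):
    OK = "allowed: image boots"
    UNKNOWN_SIGNER = "signer CA not present in db"
    REVOKED = "image hash listed in dbx"
    BAD_TIMESTAMP = "signing timestamp outside signer validity"

@dataclass(frozen=True)
class Cert:
    name: str
    not_before: datetime
    not_after: datetime

@dataclass(frozen=True)
class SignedImage:
    sha256: str          # constructed stand-in for the real image hash
    signer: Cert
    signed_at: datetime  # countersignature timestamp embedded in the signature

def sign_image(sha256, signer, at):
    """Signing side: an expired CA cannot put a valid signature on a new image."""
    if not signer.not_before <= at <= signer.not_after:
        raise ValueError(f"{signer.name} is not valid at {at:%Y-%m-%d}")
    return SignedImage(sha256, signer, at)

def verify_image(image, db, dbx, now):
    """Firmware side (the 'card reader'). `now` is deliberately unused: the embedded
    signing timestamp, not the wall clock, is compared with the signer's validity
    window, so an image signed before expiry keeps booting after it."""
    if image.signer.name not in {c.name for c in db}:
        return Verdict.UNKNOWN_SIGNER
    if image.sha256 in dbx:
        return Verdict.REVOKED
    if not image.signer.not_before <= image.signed_at <= image.signer.not_after:
        return Verdict.BAD_TIMESTAMP
    return Verdict.OK

# Constructed sample data: validity windows and hashes are placeholders, not real values.
CA_2011 = Cert("2011 CA", datetime(2011, 6, 30, tzinfo=UTC), datetime(2026, 6, 30, tzinfo=UTC))
CA_2023 = Cert("2023 CA", datetime(2023, 1, 1, tzinfo=UTC), datetime(2038, 1, 1, tzinfo=UTC))
DB = {CA_2011}                        # firmware that never received the 2023 CA
DBX = {"hash-of-revoked-bootmgr"}     # one revoked boot manager hash
OLD_BOOTMGR = sign_image("hash-of-current-bootmgr", CA_2011, datetime(2024, 3, 1, tzinfo=UTC))
JULY_2026 = datetime(2026, 7, 15, tzinfo=UTC)  # "it's July now" from the thread
```

Running `verify_image(OLD_BOOTMGR, DB, DBX, JULY_2026)` returns `Verdict.OK`, while `sign_image(..., CA_2011, JULY_2026)` raises, which is the "existing employees still work, no new ones admitted" situation from the analogy.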

Markus Klocker

May 13, 2026, 10:45:52 AM
to ntsys...@googlegroups.com
Aha! I knew there must have been something I missed...
Thank you for educating me!

Best
    Markus