More experienced users may stifle a laugh here
but I'm perplexed by the recent coverage of Microsoft UEFI certificates expiring soon. This is dark magic for me - the boot menu has always scared me because it's software outside my knowledge and control, so I leave it well alone. I was running W11 until November, when I wiped Windows completely and installed Zorin 18.
I've read an article saying that Linux reads Microsoft certificates. Is this true, or does a Linux installation install new certificates? If not, am I relying on certificates which will soon expire, and what would be the effect of that? Is it safer just to switch secure boot off altogether, given that I'm the sole user of my laptop and install only from proper sources?
have you checked the firmware update utility
menu > accessories > firmware
which should give you the option to update
if that is not available then it will be most likely a BIOS update that is needed.
documentation here
update secure boot certs here
https://www.cyberciti.biz/faq/update-ca-certificates-command-examples-in-linux-to-ssl-ca-certificates/
my system has the secure boot 2023 certs updated.
best of luck Steve ..
Here is an article in German, please translate it with your browser.
The issue is not a new one. I could only find enterprise advice that related to the expiry last year:
Using Brave A.I. search via Mojeek search gives:
"Secure Boot certificate expiry in June 2026 primarily affects systems relying on the Microsoft 2011 UEFI CA certificate, which expires on June 27, 2026. However, existing Linux systems that boot successfully today will continue to boot after the expiry, as the expiration only impacts the ability to sign new boot components, not already trusted ones.
For Linux systems, the key impact is on future updates to the bootloader or shim. If a system cannot update its Secure Boot database (DB) with the new Microsoft UEFI CA 2023 certificate, a future shim update signed with the 2023 key may fail to boot. This affects long-lived systems that cannot receive firmware updates.
Red Hat Enterprise Linux (RHEL) systems are addressed through planned updates:
- Red Hat will release new shims signed with the 2023 certificate starting with RHEL 9.7, after validation.
- Systems with the 2011 certificate already enrolled will remain bootable.
- Virtual machines using OVMF firmware must have updated edk2-ovmf packages (RHEL 10: edk2-ovmf-20241117-2.el10.noarch and later; RHEL 9: edk2-ovmf-20231122-6.el9.noarch and later) to inherit the new certificates.
Recommendations:
- Check Secure Boot status: Use mokutil --sb-state and mokutil --db to verify enabled status and enrolled keys.
- Avoid manual DB updates; wait for guidance from your hardware vendor (e.g., HP, Fujitsu block standalone updates).
- Use LVFS (fwupdmgr update) to install firmware updates from your hardware vendor.
- For dual-boot systems with Windows, Microsoft will update the certificates for Linux bootloaders.
- Systems with Secure Boot disabled are not affected.
Note: This is not a system-wide outage. Most users will see no disruption if they keep systems updated and avoid manual intervention.
AI-generated answer. Please verify critical facts."
"please translate it" Nah, it's only UEFI that I don't speak - my German is fine...
Thank you. Reassuring in some ways, worrying in others.
Thanks for this. AI is just so very confident in its advice until it says right at the end "You can't trust anything I say".
I got some interesting info. MS certificate expiring 19 Oct 2026, another June 27, an Acer cert valid until 2033, Linpus valid until 2112 (that should be long enough...), another Linpus valid until 2048, and a Quanta valid until 2039.
It looks as if I have time to do more investigation, so I'll leave things as they are. By June if I haven't seen any new certs supplied I'll probably switch off Secure Boot just to be on the safe side. I'd rather take a tiny risk of someone being interested enough to hijack my device than the larger risk of bricking it.
Thanks, Steve. I see the very first line in the updates page says "Difficulty level: Easy", but messing with things I don't understand is risking a brick... I'll have a good read to see if I can eventually wrap my head round it all, but for the moment I'll take the pragmatic "If it ain't broke" path.
If I am not mistaken, that last line was added by Swarf, not AI.
If it was inserted by AI, then it must have been trained by reading Douglas Adams' "The Hitchhiker's Guide to the Galaxy." ref Marvin the Paranoid Android.
No, there are Acer Windows recovery images, but no BIOS images that I can find. I'll check my BIOS again in case there's a "BIOS backup" that I missed. Thanks for the suggestion.
ASUS motherboards give you the option to create backups to USB, as well as MOK keys.
I received a Win 11 secure boot update on 2/25 as part of a preview update. I'm currently on the Zorin drive with secure boot enabled and haven't experienced any difficulties. I booted into Zorin immediately when I saw the update just to see if there were any problems. This is a dual drive dual boot home built MSI desktop.
Update: Secure Boot Allowed Key Exchange Key (KEK) Update
I have installed Zorin OS on 3 laptops (1 HP ZBook, 2 Lenovo ThinkPads) and in all cases I followed instructions to disable Secure Boot before installation. This remains disabled. What is the situation for computers running Linux only (not dual boot, no virtual machine) with Secure Boot continuing to be disabled?
I've just watched this very helpful video from the excellent Christopher Barnatt:
It explains what the situation is, how to check and how to take action if necessary. I've disabled Secure Boot, but following his instructions I've established that I have the new Microsoft certificates already.
I am happy that this video helped you out. I have watched this video, and it does not really help me out. At 16:12, he starts discussing GNU+Linux. But the commands that he mentions do not help me update the old certificates.
This is the terminal output for his commands. If someone can look at this and give advice, I would very much appreciate it.
~$ sudo mokutil --sb-state
SecureBoot enabled
~$ sudo mokutil --kek
[sudo] password for user:
[key 1]
SHA1 Fingerprint: d4:88:46:08:ae:a4:42:43:3c:f0:6e:5a:21:64:bf:f8:d3:d3:10:d6
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
27:9b:ad:52:bf:5d:ab:b2:4c:36:77:42:f4:eb:ac:cd
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=Texas, L=Round Rock, O=Dell Inc., CN=Dell Inc. Platform Key
Validity
Not Before: Jun 1 20:22:48 2016 GMT
Not After : Jun 1 20:32:47 2023 GMT
Subject: C=US, ST=Texas, L=Round Rock, O=Dell Inc., CN=Dell Inc. Key Exchange Key
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Certificate Sign
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Authority Key Identifier:
46:6F:90:1C:10:20:52:99:56:15:EF:39:FD:48:18:48:CF:75:E6:A4
X509v3 Subject Key Identifier:
07:07:F4:95:10:D4:D7:7B:CF:DD:98:63:B5:FE:3C:60:72:A0:EA:72
Signature Algorithm: sha256WithRSAEncryption
[key 2]
SHA1 Fingerprint: 31:59:0b:fd:89:c9:d7:4e:d0:87:df:ac:66:33:4b:39:31:25:4b:30
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
61:0a:d1:88:00:00:00:00:00:03
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation Third Party Marketplace Root
Validity
Not Before: Jun 24 20:41:29 2011 GMT
Not After : Jun 24 20:51:29 2026 GMT
Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation KEK CA 2011
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
1.3.6.1.4.1.311.21.1:
...
X509v3 Subject Key Identifier:
62:FC:43:CD:A0:3E:A4:CB:67:12:D2:5B:D9:55:AC:7B:CC:B6:8A:5F
1.3.6.1.4.1.311.20.2:
.
.S.u.b.C.A
X509v3 Key Usage:
Digital Signature, Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Authority Key Identifier:
45:66:52:43:E1:7E:58:11:BF:D6:4E:9E:23:55:08:3B:3A:22:6A:A8
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.microsoft.com/pki/crl/products/MicCorThiParMarRoo_2010-10-05.crl
Authority Information Access:
CA Issuers - URI:http://www.microsoft.com/pki/certs/MicCorThiParMarRoo_2010-10-05.crt
Signature Algorithm: sha256WithRSAEncryption
~$ sudo mokutil --db
[key 1]
SHA1 Fingerprint: f1:18:70:35:32:b3:70:16:4b:6c:38:72:c0:18:dd:68:a9:fe:8a:2d
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
1d:6d:95:90:d4:80:8c:8e:4f:82:a0:08:9a:16:fe:39
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=USA, ST=TX, L=Round Rock, O=Dell Inc., CN=Dell Bios Key Exchange Key
Validity
Not Before: Aug 9 23:04:36 2018 GMT
Not After : Aug 9 23:14:36 2028 GMT
Subject: C=USA, ST=TX, L=Round Rock, O=Dell Inc., CN=Dell Bios DB Key
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
X509v3 Authority Key Identifier:
89:0C:0E:45:7D:3A:78:1E:B9:17:7E:5A:D0:56:6A:A7:71:3F:5F:EB
X509v3 Subject Key Identifier:
63:7F:A7:A9:F7:44:71:B4:06:DE:05:11:55:70:71:FD:41:DD:54:87
Signature Algorithm: sha256WithRSAEncryption
[key 2]
SHA1 Fingerprint: 09:4c:ce:c8:5b:ba:a1:60:b8:ee:02:96:be:a2:4f:d7:c3:a3:eb:08
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
22:58:4d:1f:85:7b:55:bc:4c:e1:e6:f0:bd:f7:be:08
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=USA, ST=TX, L=Round Rock, O=Dell Inc., CN=Dell Bios Key Exchange Key
Validity
Not Before: Dec 11 21:59:23 2018 GMT
Not After : Dec 11 22:09:23 2028 GMT
Subject: C=USA, ST=TX, L=Round Rock, O=Dell Inc., CN=Dell Bios FW Aux Authority 2018
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
X509v3 Authority Key Identifier:
89:0C:0E:45:7D:3A:78:1E:B9:17:7E:5A:D0:56:6A:A7:71:3F:5F:EB
X509v3 Subject Key Identifier:
DD:4D:F7:C3:F5:CE:7E:5A:77:84:79:15:AB:C3:7B:03:1F:6B:10:BD
Signature Algorithm: sha256WithRSAEncryption
[key 3]
SHA1 Fingerprint: 58:0a:6f:4c:c4:e4:b6:69:b9:eb:dc:1b:2b:3e:08:7b:80:d0:67:8d
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
61:07:76:56:00:00:00:00:00:08
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Root Certificate Authority 2010
Validity
Not Before: Oct 19 18:41:42 2011 GMT
Not After : Oct 19 18:51:42 2026 GMT
Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
1.3.6.1.4.1.311.21.1:
...
X509v3 Subject Key Identifier:
A9:29:02:39:8E:16:C4:97:78:CD:90:F9:9E:4F:9A:E1:7C:55:AF:53
1.3.6.1.4.1.311.20.2:
.
.S.u.b.C.A
X509v3 Key Usage:
Digital Signature, Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Authority Key Identifier:
D5:F6:56:CB:8F:E8:A2:5C:62:68:D1:3D:94:90:5B:D7:CE:9A:18:C4
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
Authority Information Access:
CA Issuers - URI:http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
Signature Algorithm: sha256WithRSAEncryption
[key 4]
SHA1 Fingerprint: 46:de:f6:3b:5c:e6:1c:f8:ba:0d:e2:e6:63:9c:10:19:d0:ed:14:f3
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
61:08:d3:c4:00:00:00:00:00:04
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation Third Party Marketplace Root
Validity
Not Before: Jun 27 21:22:45 2011 GMT
Not After : Jun 27 21:32:45 2026 GMT
Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
1.3.6.1.4.1.311.21.1:
.....
1.3.6.1.4.1.311.21.2:
....k..wSJ.%7.N.&{. p.
X509v3 Subject Key Identifier:
13:AD:BF:43:09:BD:82:70:9C:8C:D5:4F:31:6E:D5:22:98:8A:1B:D4
1.3.6.1.4.1.311.20.2:
.
.S.u.b.C.A
X509v3 Key Usage:
Digital Signature, Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Authority Key Identifier:
45:66:52:43:E1:7E:58:11:BF:D6:4E:9E:23:55:08:3B:3A:22:6A:A8
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.microsoft.com/pki/crl/products/MicCorThiParMarRoo_2010-10-05.crl
Authority Information Access:
CA Issuers - URI:http://www.microsoft.com/pki/certs/MicCorThiParMarRoo_2010-10-05.crt
Signature Algorithm: sha256WithRSAEncryption
~$ sudo fwupdmgr update
Devices with no available firmware updates:
• Touch Controller Sensor
• 670p SSDPEKNU512GZ NVMe INTEL 512GB
• BIOS1
• TPM
• UEFI Device Firmware
• UEFI Device Firmware
• UEFI dbx
• USB2.0 Hub
• WDC WD40NDZW-11BCVS1
Devices with the latest available firmware version:
• System Firmware
There are no more BIOS updates available for my BIOS, so I guess I'll have to disable Secure Boot, right? Does that really make a difference in terms of security for Zorin OS?
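A small parser for the kind of mokutil output posted above, as an added example that is not part of the original thread: it lists each enrolled certificate's subject and expiry and reports whether a Microsoft CA whose name ends in 2011 or 2023 is present. The script name sb_certs.py, the function names and the year-suffix check are assumptions of this example; the sample input is abridged from the output in the thread.

```python
#!/usr/bin/env python3
"""Summarise `mokutil --db` / `mokutil --kek` text: subject, expiry, and
whether a Microsoft CA whose name ends in 2011 or 2023 is enrolled.

Live use:  sudo mokutil --db | python3 sb_certs.py -
"""
import re
import sys
from datetime import datetime, timezone

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# Abridged from the `mokutil --db` output posted in this thread
# (only the lines the parser reads are kept).
SAMPLE = """\
[key 1]
            Not After : Aug 9 23:14:36 2028 GMT
        Subject: C=USA, ST=TX, L=Round Rock, O=Dell Inc., CN=Dell Bios DB Key
[key 3]
            Not After : Oct 19 18:51:42 2026 GMT
        Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011
[key 4]
            Not After : Jun 27 21:32:45 2026 GMT
        Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011
"""


def parse_not_after(text):
    """Parse OpenSSL's 'Jun 27 21:32:45 2026 GMT' without relying on locale."""
    mon, day, hms, year = text.split()[:4]
    h, m, s = (int(x) for x in hms.split(":"))
    return datetime(int(year), MONTHS[mon], int(day), h, m, s, tzinfo=timezone.utc)


def field(dn, key):
    """Pull one attribute (e.g. CN, O) out of a one-line distinguished name."""
    match = re.search(r"(?:^|,\s*)%s\s*=\s*([^,]+)" % re.escape(key), dn)
    return match.group(1).strip() if match else ""


def parse_certs(text):
    """Return one dict per '[key N]' entry that carries a subject and expiry."""
    certs, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if re.fullmatch(r"\[key \d+\]", line):
            cur = {}
            certs.append(cur)
        elif cur is None:
            continue
        elif line.startswith("Not After"):
            cur["not_after"] = parse_not_after(line.split(":", 1)[1])
        elif line.startswith("Subject:"):
            dn = line.split(":", 1)[1].strip()
            cur["cn"], cur["org"] = field(dn, "CN"), field(dn, "O")
    # Hash-only entries have no subject or validity and are skipped.
    return [c for c in certs if "cn" in c and "not_after" in c]


def summarise(text, now=None):
    """Add days-until-expiry per certificate and flag Microsoft 2011/2023 CAs."""
    now = now or datetime.now(timezone.utc)
    certs = parse_certs(text)
    for c in certs:
        c["days_left"] = (c["not_after"] - now).days
        year = re.search(r"\b(20\d\d)$", c["cn"])
        c["ms_year"] = int(year.group(1)) if year and "Microsoft" in c["org"] else None
    years = {c["ms_year"] for c in certs}
    return {"certs": certs, "has_ms_2011": 2011 in years, "has_ms_2023": 2023 in years}


if __name__ == "__main__":
    # "-" reads real mokutil output from stdin; otherwise the sample is used.
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE
    report = summarise(text)
    for c in report["certs"]:
        print(f'{c["not_after"]:%Y-%m-%d}  {c["days_left"]:>6} days  {c["cn"]}')
    print("Microsoft 2011 CA enrolled:", report["has_ms_2011"])
    print("Microsoft 2023 CA enrolled:", report["has_ms_2023"])
```
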
please have a look at this HowTo for secure boot cert update.
best of luck Steve ..
Secure Boot keys are only checked during boot if Secure Boot is enabled, and are only then necessary for a successful boot process in the BIOS-UEFI. Under Zorin OS Secure Boot should be disabled, as Secure Boot Enable may even prevent error-free operation.
If Secure Boot is disabled in the UEFI on your computers, you don't need to install new Secure Boot keys. Anyhow, the new 2023 Secure Boot keys should already be implemented within the Zorin OS 18 ISO file. Even if someone has an older version of Zorin OS, it should be automatically distributed with the Zorin updates and then implemented on your PCs anyway. But others know better than me how this is handled under Linux.
If you still want to delve into the creepy UEFI and set the Secure Boot to disable, here's the direct way to get there from the terminal:
~$ sudo systemctl reboot --firmware
I would not recommend BIOS/UEFI firmware updates, as newer software often has more restrictions than older. Then maybe Secure Boot can't be disabled anymore.
Is that right? A question for the experts: Should Secure Boot be enabled or disabled in the future?
Looks like Secure Boot Keys are not included or distributed within Zorin OS (Even with long time IT experience, I am a Zorin OS beginner).
So, it is very important to have Secure Boot in UEFI disabled to avoid Zorin boot problems in the future:
- If your current Zorin OS installation was built with valid Secure Boot keys during installation, booting works even if Secure Boot is enabled.
- But if at any time the Secure Keys are outdated and the new 2023 Secure Keys are not installed and not available in UEFI, and you need to install a new Zorin (or any other OS) on your PC or do a main repair or upgrade on Zorin OS with Secure Boot enabled, you might not be able to boot your PC anymore until you disable Secure Boot.
- To avoid all these problems, the best is to disable Secure Boot in UEFI.
Microsoft's Secure Boot enabling only makes sense in big companies, to avoid that any user can install or boot everything, including malware, but it is an obstacle for private use.
-> means Secure Boot is enabled in your UEFI. Booting works with your OS as it was installed, as there were valid Secure Boot keys available during the Zorin OS installation process.
These Secure Boot keys will expire this year, and if you then make main changes to your OS configuration, your PC might not boot anymore until you set Secure Boot in UEFI to disabled or you install the 2023 Secure Boot keys before changing the OS (such as OS install, upgrade, repair, ...).
-> shows the keys as hex code
-> output means that there is no more UEFI Update available