Home > Privacy, Security > The original Secure Boot certificates are about to expire, but you probably won’t notice

The original Secure Boot certificates are about to expire, but you probably won’t notice

Privacy, Security 2 Comments

With the original release of Windows 8, Microsoft also enforced Secure Boot. It’s been 15 years since that release, and that means the original 2011 Secure Boot certificates are about to expire. If these certificates are not replaced with new ones, Secure Boot will cease to function – your machine will still boot and operate, but the benefits of Secure Boot are mostly gone, and as newer vulnerabilities are discovered, systems without updated Secure Boot certificates will be increasingly exposed.

Microsoft has already been rolling out new certificates through Windows updates, but only for users of supported versions of Windows, which means Windows 11. If you’re using Windows 10, without the Extended Security Updates, you won’t be getting the new certificates through Windows Update. Even if you use Windows 11, you may need a UEFI update from your laptop or motherboard OEM, assuming they still support your device.

For Linux users using Secure Boot, you’re probably covered by fwupd, which will update the certificates as part of your system’s update program, like KDE’s Discover. Of course, you can also use fwupd manually in the terminal, if you’d like. For everyone else not using Secure Boot, none of this will matter and you’re going to be just fine. I honestly doubt there will be much fallout from this updating process, but there’s always bound to be a few people who fall between the cracks.

All we can do is hope whomever is responsible for Secure Boot at Microsoft hasn’t started slopcoding yet.

About The Author

Thom Holwerda

Follow me on Mastodon @[email protected]

2 Comments

  1. 2026-02-11 4:56 pm
    mbq

    The benefits of Secure Boot only exist when you control the keys, and then Microslop certs are irrelevant.

  2. 2026-02-11 6:38 pm
    Alfman verbose=1

    The problem isn’t that secure boot will stop booting existing installs, but that it will stop booting new installs/updates.

    On the 26th June 2026 a root certificate used for signing boot media will expire. Microsoft will not sign updated boot media with the old key, and that at least one major OEM is not going to be shipping the expired key on new hardware. This means that existing install media may not boot on some new laptop, desktop and server devices, and that future updates to boot packages may not boot on old hardware. It is important to note that machines running Linux will not stop booting when the certificate expires.

    As long as the previous secure boot chain is untouched, then it will keep functioning, but updating to a bootloader that isn’t signed by the expired secure boot key would cause the boot sequences to break. Obviously that would be a problem.

    The Microsoft certificate which is used for signing “3rd party” boot media (e.g. shimx64.efi) will expire on the 26th June 2026. Microsoft has created a new certificate which can be used for signing now. Whilst we can “dual sign” the shim binary with the old and new certificate until the cut-over date, when the certificate has expired we can only sign shim with the new 3rd party certificate.

    Microsoft can technically sign whatever they want using the old key they control, even though it’s expired. However third parties signing under microsoft’s keys don’t have the same luxury.

    If the secure boot keys aren’t updated first (for any reason), then newer operating systems and/or OS updates could end up failing to boot on older computers. Of course, the most practical fix for a user who encounters this is to disable secure boot, as the article states.

Leave a Reply