Secure Boot certificate changes in 2026: Guidance for RHEL environments
15 hours ago
- #RHEL
- #Secure Boot
- #UEFI
- Microsoft's 2011 Secure Boot signing certificate expires on June 27, 2026, but existing RHEL systems will continue to boot.
- Red Hat will release new shim versions signed with both 2011 and 2023 certificates for RHEL 8, 9, and 10 by June 2026.
- The expiration affects only the signing of new boot components; systems continue to boot components that are already signed and trusted.
- Older systems that have not received firmware updates may run into problems once a bootloader update is needed after the expiration.
- Updating the UEFI db variable can change TPM PCR7 values, affecting TPM-based operations like LUKS unlocking.
- Recommended actions include assessing Secure Boot settings, testing UEFI updates via fwupd, and monitoring Red Hat advisories.
- Use mokutil to check Secure Boot status and enrolled certificates, and fwupdmgr for firmware updates.
- For VMs using OVMF, update the edk2-ovmf package on the hypervisor to include new certificates for new VMs.
- RHEL 9 and later VMs can reset NVRAM with --reset-nvram, while RHEL 8 requires manual NVRAM backup and removal.
- Do not force DB updates; follow vendor guidance, especially for platforms like HP and Fujitsu.
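As an added example (not from the article or Red Hat), the check the mokutil bullet describes can be scripted: read `mokutil --sb-state` and `mokutil --db`, and report whether the db already carries a 2023 Microsoft CA alongside the expiring 2011 one. The certificate subject strings are assumptions based on the Microsoft CA names commonly seen in db output, and the sample output is constructed so the script runs offline.

```shell
#!/bin/sh
# Readiness check for the 2026 Secure Boot CA rollover (added example).
# Subject strings below are assumptions, not taken from the article.
CA_2011="Microsoft Corporation UEFI CA 2011"
CA_2023="Microsoft UEFI CA 2023"

# db_status <text of `mokutil --db`> -> both | 2011-only | 2023-only | none
db_status() {
    db="$1"
    have11=0; have23=0
    case "$db" in *"$CA_2011"*) have11=1;; esac
    case "$db" in *"$CA_2023"*) have23=1;; esac
    if [ "$have11" -eq 1 ] && [ "$have23" -eq 1 ]; then echo both
    elif [ "$have11" -eq 1 ]; then echo 2011-only
    elif [ "$have23" -eq 1 ]; then echo 2023-only
    else echo none; fi
}

# readiness <text of `mokutil --sb-state`> <text of `mokutil --db`>
# Prints one advice line; with Secure Boot disabled the db content is moot.
readiness() {
    case "$1" in
        *"SecureBoot enabled"*) ;;
        *) echo "secure-boot-disabled: rollover does not affect boot"; return 0;;
    esac
    case "$(db_status "$2")" in
        both|2023-only) echo "ready: 2023 CA present in db";;
        2011-only) echo "action: db lacks 2023 CA; check fwupdmgr and vendor firmware guidance";;
        none) echo "warning: no Microsoft UEFI CA found in db";;
    esac
}

# Constructed sample output shaped like mokutil's, not a real capture.
SAMPLE_SB="SecureBoot enabled"
SAMPLE_DB='[key 1]
SHA1 Fingerprint: (placeholder)
Certificate:
    Subject: C=US, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011'
SAMPLE_DB_BOTH="$SAMPLE_DB
[key 2]
    Subject: C=US, O=Microsoft Corporation, CN=Microsoft UEFI CA 2023"

# On a live host: readiness "$(mokutil --sb-state)" "$(mokutil --db)"
readiness "$SAMPLE_SB" "$SAMPLE_DB"
readiness "$SAMPLE_SB" "$SAMPLE_DB_BOTH"
```

Updating the db also changes PCR7, so run this before and after any firmware or db update on hosts that rely on TPM-sealed LUKS keys.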