How to handle expiring Secure Boot certificates affecting Linux

Source: Latest news

Several Microsoft Secure Boot certificates issued in 2011 reach the end of their formal validity in 2026. That does not mean existing Linux installs will suddenly stop booting; current shims and bootloaders should continue to work. The real risk is for new or updated distributions on machines whose firmware never receives the updated keys.

Most major distributions relied on a small, Microsoft‑signed shim verified by the firmware's Microsoft UEFI CA so Linux could boot with Secure Boot enabled. Microsoft created a new set of Secure Boot certificates in 2023, and vendors are expected to deliver those keys through firmware updates so future boot components validate correctly.

Take two practical steps now: update your firmware (check your vendor or use Linux's fwupd system), then test a current distro image. If fwupd supports your hardware, run as root:

    fwupdmgr refresh
    fwupdmgr get-updates
    fwupdmgr update

Reboot as required.
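To confirm that a firmware update actually delivered the newer keys, the following added example (not from the original article) classifies the Secure Boot db listing printed by `mokutil --db`. It assumes mokutil is installed and matches on the certificate common names "Microsoft Corporation UEFI CA 2011" and "Microsoft UEFI CA 2023", which the article does not spell out; the two sample listings are constructed.

```shell
#!/bin/sh
# Added example: classify a Secure Boot db listing (text of `mokutil --db`).
# Reads the listing on stdin and prints one of:
#   has-2023-ca           the 2023 UEFI CA is enrolled (2011 may also be present)
#   2011-only             only the 2011 UEFI CA is enrolled; firmware keys not updated
#   no-microsoft-uefi-ca  neither CA found (custom keys, or db could not be read)
classify_db() {
    # OpenSSL versions print "CN=" or "CN = ", so both spacings are accepted.
    awk '
        /Subject:/ && /CN ?= ?Microsoft Corporation UEFI CA 2011/ { old = 1 }
        /Subject:/ && /CN ?= ?Microsoft UEFI CA 2023/             { new = 1 }
        END {
            if (new)      print "has-2023-ca"
            else if (old) print "2011-only"
            else          print "no-microsoft-uefi-ca"
        }'
}

# Constructed sample: db of a machine that never received the new keys.
sample_legacy() {
    cat <<'EOF'
[key 1]
Certificate:
        Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011
EOF
}

# Constructed sample: db after a firmware update added the 2023 CA.
sample_updated() {
    cat <<'EOF'
[key 1]
Certificate:
        Subject: C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = Microsoft Corporation UEFI CA 2011
[key 2]
Certificate:
        Subject: C = US, O = Microsoft Corporation, CN = Microsoft UEFI CA 2023
EOF
}

# Live check on the running machine: sh check-db.sh --live  (run as root)
if [ "${1:-}" = "--live" ]; then
    mokutil --db | classify_db
fi
```

A result of 2011-only after running the fwupdmgr steps means the vendor has not yet shipped the new keys for that machine.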
