Windows Secure Boot certificate expiry

From Thomas-Krenn-Wiki

In this article, we explain how to read out the Secure Boot certificates.

The previous certificates were issued in 2011 and expire this year.

Which certificates are affected?

Definitions:

  • KEK: Key Enrollment Key
  • CA: Certificate Authority
  • DB: Secure Boot Signature Database
  • DBX: Secure Boot Revoked Signature Database
Summary table

| Expiring certificate | Expiry date | New certificate | Location | Purpose |
| --- | --- | --- | --- | --- |
| Microsoft Corporation KEK CA 2011 | June 2026 | Microsoft Corporation KEK 2K CA 2023 | Stored in KEK | Signs updates for DB and DBX. |
| Microsoft Windows Production PCA 2011 | October 2026 | Windows UEFI CA 2023 | Stored in DB | Used for signing the Windows boot loader. |
| Microsoft UEFI CA 2011* | June 2026 | Microsoft UEFI CA 2023 | Stored in DB | Signs boot loaders from third-party providers and EFI applications. |
| Microsoft UEFI CA 2011* | June 2026 | Microsoft Option ROM UEFI CA 2023 | Stored in DB | Signs third-party Option ROMs. |

*During the renewal of the Microsoft Corporation UEFI CA 2011 certificate, it was split into two certificates, separating the boot loader signature from the Option ROM signature.

This enables precise control over what the system trusts. Systems that trust Option ROMs can, for example, add the Microsoft Option ROM UEFI CA 2023 without granting trusted status to third-party boot loaders.

What happens if my certificate expires?

Windows starts and functions as usual. Updates can still be downloaded and installed.

However, updates for the early boot process can no longer be installed. This concerns the Windows Boot Manager, the Secure Boot database and revocation lists, and fixes for newly discovered boot-level vulnerabilities.

This weakens the protection of devices against emerging threats for everything that relies on Secure Boot, such as BitLocker hardening or third-party boot loaders.

How do I verify my certificates?

The validity of the installed certificates can be checked using the Windows Security app.

Windows Security > Device security > Secure boot

There are three possible scenarios.

Scenario 1: Everything is completely updated (green tick)

All certificate updates were applied.

Scenario 2: No update has been installed yet (yellow warning symbol)

Automatic updates are not available. The hardware manufacturer must be contacted.

Scenario 3: Action is required (Red X)

The device cannot receive required updates.

If a Windows Update is missing, this menu option may not display any information about the certificates.

In this case, the certificates can be read out manually with a workaround.


With the following PowerShell command, the Secure Boot database (db) containing the certificates can be written to a .bin file in any location.

$var = Get-SecureBootUEFI -Name db; [System.IO.File]::WriteAllBytes("C:\Users\Administrator\Documents\db.bin", $var.Bytes)

This path can be customized as required.


After this, the db.bin file must be split into its individual certificates on a Linux system (for example WSL) using efitools.

sudo apt update && sudo apt install efitools
sudo sig-list-to-certs db.bin cert

Now, 5 certificates have been created in the current directory: cert-0.der cert-1.der cert-2.der cert-3.der cert-4.der

The content of these certificates can be read out with OpenSSL.

openssl x509 -in cert-0.der -inform DER -text -noout

The file name "cert-0.der" must be adapted to the respective certificate.

The Validity section is important. If it shows the following values, the certificate expires in June 2026:

Validity
    Not Before: Jun 27 21:22:45 2011 GMT
    Not After : Jun 27 21:32:45 2026 GMT
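The export-and-split procedure above can also be done in one step without efitools or OpenSSL. The following Python script is an added example (it is not part of the original article, nor Thomas-Krenn's or Microsoft's code): it reads the db.bin written by the PowerShell command, walks the EFI_SIGNATURE_LIST structures in it, extracts Not Before / Not After from every X.509 entry with a minimal DER walker, and flags certificates that are expired or expire within a year. The sample database at the end is constructed for this example: its certificate entries contain only the ASN.1 fields up to Validity and are not real Microsoft certificates, and the owner GUID and the reference date are likewise made up. Running the script with a file name as argument (python secureboot_db_expiry.py db.bin) reports on a real export instead.

```python
"""List validity periods of the certificates in a Secure Boot db/KEK export.

Input is the raw EFI_SIGNATURE_LIST blob that Get-SecureBootUEFI writes.
Only the standard library is used; the DER walker reads just enough of
each X.509 certificate to reach the Validity sequence.
"""
import struct
import uuid
from datetime import datetime, timezone

# Signature type GUIDs from the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")


def parse_signature_lists(blob):
    """Yield (signature_type, owner, data) for each EFI_SIGNATURE_DATA entry."""
    off = 0
    while off < len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 or sig_size < 16 or off + list_size > len(blob):
            raise ValueError("corrupt EFI_SIGNATURE_LIST at offset %d" % off)
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])   # SignatureOwner
            yield sig_type, owner, blob[pos + 16:pos + sig_size]
            pos += sig_size
        off = end


def _der_next(buf, off=0):
    """Decode one DER TLV at buf[off:]; return (tag, value, next_offset)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                       # long form: low bits = length-of-length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length


def _der_children(value):
    """Split the contents of a SEQUENCE into (tag, value) children."""
    out, off = [], 0
    while off < len(value):
        tag, val, off = _der_next(value, off)
        out.append((tag, val))
    return out


def _der_time(tag, value):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def certificate_validity(der):
    """Return (not_before, not_after) of a DER-encoded X.509 certificate."""
    _, cert, _ = _der_next(der)                 # Certificate ::= SEQUENCE
    fields = _der_children(_der_children(cert)[0][1])  # tbsCertificate children
    if fields[0][0] == 0xA0:                    # optional [0] EXPLICIT version
        fields = fields[1:]
    validity = _der_children(fields[3][1])      # serial, sigAlg, issuer, validity
    return _der_time(*validity[0]), _der_time(*validity[1])


def report_db(blob, today, warn_days=365):
    """One row per entry; hash entries are reported as skipped."""
    rows = []
    for sig_type, owner, data in parse_signature_lists(blob):
        if sig_type != EFI_CERT_X509_GUID:
            rows.append({"type": "hash", "owner": str(owner), "status": "skipped"})
            continue
        not_before, not_after = certificate_validity(data)
        days_left = (not_after - today).days
        status = "expired" if days_left < 0 else "expiring" if days_left <= warn_days else "ok"
        rows.append({"type": "x509", "owner": str(owner), "not_before": not_before,
                     "not_after": not_after, "days_left": days_left, "status": status})
    return rows


# ---- constructed sample data (not real certificates or a real db export) ----
def _der(tag, payload):
    return bytes([tag, len(payload)]) + payload   # short-form lengths suffice here


def fake_certificate(not_before, not_after):
    """Minimal X.509-shaped DER up to Validity: version, serial, empty sigAlg
    and issuer, then the two UTCTime values. Enough for certificate_validity()."""
    utc = lambda s: _der(0x17, s.encode("ascii"))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + _der(0x30, b"") + _der(0x30, utc(not_before) + utc(not_after)))
    return _der(0x30, _der(0x30, tbs))


def signature_list(sig_type, owner, entries):
    """Build one EFI_SIGNATURE_LIST (all entries must have equal length)."""
    body = b"".join(owner.bytes_le + e for e in entries)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, 16 + len(entries[0])) + body


SAMPLE_OWNER = uuid.UUID("00000000-0000-0000-0000-00000000c0de")   # made-up owner GUID
SAMPLE_TODAY = datetime(2025, 12, 1, tzinfo=timezone.utc)          # made-up reference date
SAMPLE_DB = (
    signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, [fake_certificate("110627212245Z", "260627213245Z")])
    + signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, [fake_certificate("230613000000Z", "380613000000Z")])
    + signature_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER, [bytes(32)])
)

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DB
    for row in report_db(blob, datetime.now(timezone.utc)):
        print(row)
```

The parser deliberately skips non-X.509 entries instead of failing on them, because a real db also carries SHA-256 hash entries, and it raises on a truncated or zero-size list rather than looping forever on malformed input.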

How do I update my certificates?

There are several ways to update the certificates. The simplest and best method is to update the BIOS, as the hardware manufacturer has already incorporated the new certificates there.


Translator: Alina Ranzinger


