I'm looking for some clarity on how the Secure Boot process works regarding certificate expiration. In previous Microsoft AMAs, they mentioned that we can still update the Key Exchange Key (KEK) and Database (DB) variables with new certificates after the 2011 certificates expire in June. However, after today's AMA, it seems the update process remains unchanged even after the June 2026 expiration date. If the KEK needs to sign changes to the DB, how can it do so when the 2011 KEK certificate has expired? I'm hoping someone can help me understand this better!
4 Answers
To break it down: there's a root certificate and the objects beneath it. If you have the authority to change the root, you effectively control the process.
Until the expiration moment, updates can happen smoothly. Once the cert expires, the situation complicates a lot. Plus, many UEFI implementations could be outdated, which doesn't help things.
That's not what Microsoft claimed today, though. They said adding the new 2023 certificates would proceed as usual even after the 2011 ones expire.
From what I gather, expiration dates don't actually get checked at that level. If something is signed, it's generally considered valid. This is similar to how Windows kernel drivers can load regardless of whether their signing certificates expired a long time ago, as long as they were signed properly before.
Do you have any references for that? It seems pretty logical, otherwise the bootloader would stop functioning when the 2011 cert expires.
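To make the "signed, not time-checked" point above concrete, here is an added example (not code from this thread, from Microsoft, or from any firmware vendor) that builds and parses the time-based authenticated update a KEK holder ships to change db, following the EFI_VARIABLE_AUTHENTICATION_2 and EFI_SIGNATURE_LIST layouts in the UEFI specification. It also implements the spec's anti-replay rule for the descriptor's timestamp. The certificate bytes, the PKCS#7 blob, the owner GUID and the timestamp are constructed placeholders, not real signed data; the well-known variable and cert-type GUIDs are the spec's.

```python
"""Build and parse a Secure Boot db update descriptor (UEFI spec 8.2.2).

Added example for this thread, not vendor or firmware code. Layouts follow the
UEFI specification; certificate, PKCS#7 and owner GUID values are placeholders.
"""
import struct
import uuid

# Well-known GUIDs from the UEFI specification.
EFI_IMAGE_SECURITY_DATABASE_GUID = uuid.UUID("d719b2cb-3d3a-4596-a3bc-dad00e67656f")  # db / dbx
EFI_GLOBAL_VARIABLE_GUID = uuid.UUID("8be4df61-93ca-11d2-aa0d-00e098032b8c")          # PK / KEK
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_TYPE_PKCS7_GUID = uuid.UUID("4aafd29d-68df-49ee-8aa9-347d375665a7")

# Variable attribute bits.
EFI_VARIABLE_NON_VOLATILE = 0x01
EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x02
EFI_VARIABLE_RUNTIME_ACCESS = 0x04
EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS = 0x20
EFI_VARIABLE_APPEND_WRITE = 0x40

WIN_CERT_TYPE_EFI_GUID = 0x0EF1
WIN_CERTIFICATE_REVISION = 0x0200

# EFI_TIME: Year, Month, Day, Hour, Minute, Second, Pad1, Nanosecond, TimeZone, Daylight, Pad2
EFI_TIME_FMT = "<HBBBBBBIhBB"


def efi_time(year, month, day, hour=0, minute=0, second=0):
    """EFI_TIME as used in EFI_VARIABLE_AUTHENTICATION_2; the spec requires
    Pad1, Nanosecond, TimeZone, Daylight and Pad2 to be zero."""
    return struct.pack(EFI_TIME_FMT, year, month, day, hour, minute, second, 0, 0, 0, 0, 0)


def parse_efi_time(raw):
    return struct.unpack(EFI_TIME_FMT, raw)[:6]  # (year, month, day, hour, minute, second)


def build_esl_x509(cert_der, owner):
    """One EFI_SIGNATURE_LIST holding a single X.509 certificate (db/KEK entry format)."""
    sig_data = owner.bytes_le + cert_der  # EFI_SIGNATURE_DATA: SignatureOwner || SignatureData
    header = struct.pack("<16sIII", EFI_CERT_X509_GUID.bytes_le, 28 + len(sig_data), 0, len(sig_data))
    return header + sig_data


def parse_esl(blob):
    """Walk a concatenation of EFI_SIGNATURE_LISTs; yields (type, owner, data) per entry."""
    entries, off = [], 0
    while off < len(blob):
        sig_type, list_size, hdr_size, sig_size = struct.unpack_from("<16sIII", blob, off)
        body = blob[off + 28 + hdr_size: off + list_size]
        for i in range(0, len(body), sig_size):
            item = body[i:i + sig_size]
            entries.append((uuid.UUID(bytes_le=sig_type), uuid.UUID(bytes_le=item[:16]), item[16:]))
        off += list_size
    return entries


def signed_buffer(name, vendor, attrs, timestamp, payload):
    """What the KEK holder signs: VariableName (UCS-2, no terminator) || VendorGuid ||
    Attributes || TimeStamp || new variable content. The firmware rebuilds this buffer
    and verifies the PKCS#7 signature against the certificates in KEK."""
    return name.encode("utf-16-le") + vendor.bytes_le + struct.pack("<I", attrs) + timestamp + payload


def build_auth2(timestamp, pkcs7, payload):
    """EFI_VARIABLE_AUTHENTICATION_2 = EFI_TIME || WIN_CERTIFICATE_UEFI_GUID || data."""
    cert_data = EFI_CERT_TYPE_PKCS7_GUID.bytes_le + pkcs7
    win_cert = struct.pack("<IHH", 8 + len(cert_data), WIN_CERTIFICATE_REVISION, WIN_CERT_TYPE_EFI_GUID)
    return timestamp + win_cert + cert_data + payload


def parse_auth2(blob):
    """Split a descriptor into (timestamp, pkcs7, payload), validating the WIN_CERTIFICATE header."""
    timestamp = blob[:16]
    length, rev, ctype = struct.unpack_from("<IHH", blob, 16)
    if rev != WIN_CERTIFICATE_REVISION or ctype != WIN_CERT_TYPE_EFI_GUID:
        raise ValueError("not a WIN_CERTIFICATE_UEFI_GUID")
    if uuid.UUID(bytes_le=blob[24:40]) != EFI_CERT_TYPE_PKCS7_GUID:
        raise ValueError("unexpected CertType")
    return timestamp, blob[40:16 + length], blob[16 + length:]


def timestamp_accepted(new_ts, stored_ts, attrs):
    """The spec's anti-replay rule: the new TimeStamp must be later than the one stored
    with the variable, unless EFI_VARIABLE_APPEND_WRITE is set, which waives the check.
    Only timestamps are compared here; the signing certificate's validity period is
    not an input to this rule."""
    if attrs & EFI_VARIABLE_APPEND_WRITE:
        return True
    return parse_efi_time(new_ts) > parse_efi_time(stored_ts)


def demo_db_append():
    """Constructed db append: wrap a placeholder cert in an ESL and a descriptor, parse it back."""
    fake_cert = b"\x30\x82\x01\x00" + bytes(range(60))              # placeholder, not a real DER cert
    owner = uuid.UUID("00000000-0000-0000-0000-000000000001")        # placeholder SignatureOwner
    attrs = (EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS
             | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS | EFI_VARIABLE_APPEND_WRITE)
    ts = efi_time(2024, 1, 1)
    esl = build_esl_x509(fake_cert, owner)
    tbs = signed_buffer("db", EFI_IMAGE_SECURITY_DATABASE_GUID, attrs, ts, esl)
    pkcs7 = b"CONSTRUCTED-PKCS7-OVER-" + tbs[:8]                    # placeholder for the KEK-signed blob
    update = build_auth2(ts, pkcs7, esl)
    parsed_ts, parsed_pkcs7, payload = parse_auth2(update)
    entries = parse_esl(payload)
    later_stored = efi_time(2030, 1, 1)
    return {
        "timestamp": parse_efi_time(parsed_ts),
        "pkcs7_ok": parsed_pkcs7 == pkcs7,
        "cert_ok": entries[0][0] == EFI_CERT_X509_GUID and entries[0][2] == fake_cert,
        "tbs_len": len(tbs),
        "append_accepted_with_old_ts": timestamp_accepted(ts, later_stored, attrs),
        "replace_rejected_with_old_ts": not timestamp_accepted(ts, later_stored, attrs & ~EFI_VARIABLE_APPEND_WRITE),
    }


if __name__ == "__main__":
    print(demo_db_append())
```

The thing to notice is what the descriptor carries: a PKCS#7 signature over the buffer `signed_buffer` assembles, plus an EFI_TIME whose only job is ordering updates against the stored one (and even that is waived for append writes, which is how new certificates get added to db). There is no field for a validity window, so whether a firmware rejects a signer certificate that has passed its notAfter comes down to the PKCS#7 verifier it links, which is the point the answer above makes.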
This might veer off-topic, but it's relevant if your devices haven't updated their certificates yet. Microsoft has announced more certificate updates will be rolling out to devices soon. They mentioned that these updates will ensure more devices are eligible for automatic new Secure Boot certificates, based on their update performance. You might want to check your devices after the updates roll out.

But remember, the root of trust relies on the vendor's private key. They can sign certificate additions to the KEK and DB, not Microsoft.