Understanding Secure Boot Certificate Updates After Expiration

Asked By TechWhiz42 On

I've been following the discussions during the recent Microsoft Secure Boot AMAs, and I remember them mentioning that we can still update the KEK and DB variables with new certificates even after the 2011 certificates expire in June. Today, they confirmed that the process remains unchanged after the June 2026 expiration. I'm confused, though. If the KEK needs to sign any changes to the DB, how can that happen if the KEK certificate is expired (not revoked, but expired)? Could someone help clarify this for me?

4 Answers

Answered By BootMaster07 On

The key point to remember is that updates can happen until the last moment before expiration, but once that tiny moment passes, things get trickier. Plus, many UEFI implementations are unreliable and haven’t been updated since they were shipped, which adds to the confusion.

UpToDateUser -

Actually, MS specifically stated today that the method for adding the 2023 certificates will remain intact even after the 2011 certs expire, so it doesn’t seem like a big risk.

Answered By RootTrust99 On

Think of it like this: there's a root certificate that holds authority, and as long as you have permission to overwrite it, you're considered the source of authority. However, the root of trust is managed by the vendor via the PK, which means they can sign any new certificate additions to the KEK and DB, but Microsoft lacks the authority to do so.

GadgetGeek21 -

But if the vendors own the PK, how does it help if their certs are expired? Microsoft is saying the process won't change, which feels contradictory.

Answered By CertGuru88 On

From what I understand, expiration dates aren't really enforced at that level. If something is signed, it's generally accepted as valid. This is similar to how Windows kernel drivers work—you can have a driver signed with a certificate that expired years ago, and it will still load without a hitch.

HistorianNerd42 -

Do you have any sources or documentation for this? It sounds reasonable to me; otherwise, the bootloader would likely stop working once the 2011 cert expired.

Answered By UpdateWatcher On

Just a heads-up, this might not directly tackle your question, but it’s worth mentioning: Microsoft has indicated that new certificate updates will be rolling out soon. They mentioned that Windows quality updates will include better targeting data to ensure more devices can automatically receive the new Secure Boot certificates. So if you have devices that haven't updated their certs yet, it might be a good idea to check after the rollout.
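An added example, not written by any of the posters above: since the firmware itself does not check certificate dates (CertGuru88's point), the "check your devices" step that UpdateWatcher suggests has to be done by the administrator, so this stdlib-only Python parses the EFI_SIGNATURE_LIST chain stored in db/KEK, reads each X.509 entry's notAfter with a minimal DER walk, and reports which entries are past their expiry at a given time. The sample blob is constructed here with a validity-only stub certificate and a placeholder owner GUID; on a real system you would feed it the contents of the db or KEK variable instead.

```python
import struct, uuid
from datetime import datetime, timezone
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")  # X.509 entry type GUID (UEFI spec)

def der_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def cert_validity(der):
    """Return (notBefore, notAfter) as UTC datetimes from a DER-encoded X.509 certificate."""
    tbs = der_tlv(der_tlv(der, 0)[1], 0)[1]                # Certificate SEQUENCE -> tbsCertificate SEQUENCE
    pos = der_tlv(tbs, 0)[2] if tbs[0] == 0xA0 else 0      # skip optional [0] EXPLICIT version
    for _ in range(3):                                     # serialNumber, signature, issuer
        _, _, pos = der_tlv(tbs, pos)
    _, validity, _ = der_tlv(tbs, pos)                     # Validity ::= SEQUENCE { notBefore, notAfter }
    times, p = [], 0
    for _ in range(2):                                     # 0x17 UTCTime (YY) or 0x18 GeneralizedTime (YYYY)
        tag, val, p = der_tlv(validity, p)
        fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
        times.append(datetime.strptime(val.decode(), fmt).replace(tzinfo=timezone.utc))
    return times[0], times[1]

def parse_signature_lists(blob):
    """Yield (type_guid, owner_guid, data) for every entry in a chain of EFI_SIGNATURE_LISTs."""
    pos = 0
    while pos + 28 <= len(blob):                           # header: 16-byte type GUID + three UINT32 sizes
        sig_type = uuid.UUID(bytes_le=blob[pos:pos + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, pos + 16)
        entry, end = pos + 28 + hdr_size, pos + list_size
        while entry + sig_size <= end:                     # entry: SignatureOwner GUID + SignatureData
            yield sig_type, uuid.UUID(bytes_le=blob[entry:entry + 16]), blob[entry + 16:entry + sig_size]
            entry += sig_size
        pos = end
def expired_x509_entries(blob, now_iso):
    """[(owner, notAfter)] for X.509 entries already past notAfter at the given ISO-8601 UTC time."""
    now = datetime.fromisoformat(now_iso)
    certs = [(str(o), cert_validity(d)[1]) for t, o, d in parse_signature_lists(blob) if t == EFI_CERT_X509_GUID]
    return [(o, na.isoformat()) for o, na in certs if na < now]
# Constructed sample (not a real db): a validity-only stub certificate under a placeholder owner GUID.
def _der(tag, body):
    return bytes([tag, len(body)]) + body                  # short-form length only (body < 128 bytes)
STUB_CERT = _der(0x30, _der(0x30,
    _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, _der(0x06, b"\x2a\x86\x48"))
    + _der(0x30, b"") + _der(0x30, _der(0x17, b"110601000000Z") + _der(0x17, b"260601000000Z"))))
_entry = uuid.UUID("00000000-0000-4000-8000-000000000001").bytes_le + STUB_CERT
SAMPLE_DB = EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + len(_entry), 0, len(_entry)) + _entry
```

On Linux the real input is the file under /sys/firmware/efi/efivars/ for db or KEK with its leading 4-byte attribute word stripped; an entry listed here as expired still works for the firmware, which is exactly why it is worth inventorying.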
