
Microsoft’s Secure Boot Certificates Expire June 27 — What Every Linux User Must Know

Secure Boot Linux 2026 has a deadline most users don’t know about. On June 27, 2026, Microsoft’s original 2011 Secure Boot signing certificate expires — and the misinformation circulating about what that actually means is making things worse. Your machine will not suddenly stop booting on June 28. But if you do nothing and your distro or firmware later needs updating, you could face real problems down the line. Here is the straight truth about what is happening, who is affected, and what you need to do right now.


What is expiring and when — the exact timeline

Three Microsoft Secure Boot certificates are expiring in 2026:

Certificate                            | Role                                               | Expiration date
Microsoft Corporation KEK CA 2011      | Used to update the DB and DBX                      | June 24, 2026
Microsoft Corporation UEFI CA 2011     | Signs third-party bootloaders including Linux shim | June 27, 2026
Microsoft Windows Production PCA 2011  | Signs the Windows bootloader                       | October 19, 2026

The one that matters most for Linux users is the Microsoft Corporation UEFI CA 2011, expiring June 27. This certificate is what Microsoft uses to sign the shim — the first-stage bootloader used by Linux distributions to boot the kernel with Secure Boot enabled.


The panic is wrong — but the complacency is also wrong

Let’s clear this up immediately because both extremes are circulating online.

The panic is wrong. Machines, both bare metal and virtual, will continue to boot long after June is over as long as the current public keys are not removed from the firmware database or revoked via the dbx database. Secure Boot firmware does not check certificate expiration dates. The firmware has no reliable way to verify the hardware clock at boot time, so expiration does not equal revocation.

The complacency is also wrong. The certificate expiration affects the ability to sign new boot components, not the ability to boot with already trusted ones. That means if your distro releases a new shim or bootloader update signed only with the 2023 key — which will happen — and your firmware does not have the 2023 certificate enrolled, that update will fail to boot. Legacy systems — old physical servers, old laptops and desktops, systems with no vendor firmware updates, appliances that never get BIOS/UEFI updates — that cannot receive an update to their Secure Boot db may face issues when a bootloader or shim update is required after the expiration.

The correct position: your system boots fine today, and it will boot fine on June 28. But you need to act now to ensure it continues to boot fine six months from now.


How Secure Boot works on Linux — a quick primer

Understanding what is actually at risk requires understanding how Secure Boot works on Linux.

To Secure Boot into the Linux kernel, the UEFI boot process requires the first-stage bootloader to be signed with a key in the firmware database that has not expired. Those keys are contained in certificates. The certificate expiration should largely only be a problem when installing a new distribution on a Secure Boot system: the shim that gets installed carries distribution-specific keys and can act as the root of trust for running other programs such as GRUB using those keys. (Source: LinuxBlog)

The chain works like this:

UEFI firmware
    └── checks Microsoft UEFI CA 2011 (enrolled in firmware db)
        └── trusts Linux shim (signed by Microsoft with 2011 key)
            └── trusts GRUB (signed by distro with distro key)
                └── trusts Linux kernel

When the 2011 certificate expires for signing purposes, Microsoft transitions to the 2023 key. Starting in October 2025, Microsoft began signing shim with two different keys: the Microsoft Windows UEFI Driver Publisher 2011 and the Microsoft UEFI CA 2023 signer. After June 27, 2026, Microsoft will sign only with the 2023 key.

The problem: if your firmware only has the 2011 certificate enrolled and not the 2023 certificate, a shim signed exclusively with the 2023 key will not be trusted at boot time.


Which distros have already issued patched shims?

Red Hat / RHEL:
As of June 10, Red Hat has released a new version of shim, signed with multiple signing certificates, for all supported RHEL-8, RHEL-9 and RHEL-10 releases for the x86_64 architecture. Since the new shim is signed with Microsoft’s 2011 and 2023 Secure Boot signing certificates, it will boot on all machines that have either or both of those certificates enrolled.

AlmaLinux / Rocky Linux:
Both distros track RHEL closely and dual-signed shim updates are rolling out in June 2026. Check your package manager for the latest shim package.

Fedora:
Fedora Rawhide (f45) already contains a first stage boot loader that is signed by multiple keys for maximal compatibility. Stable Fedora releases are receiving updates — run sudo dnf update shim immediately.

Ubuntu / Debian:
Canonical and the Debian project are issuing updated shim packages. Run sudo apt update && sudo apt upgrade to get the latest shim if available for your release.

Arch Linux:
Rolling release — the updated shim package will appear in the main repository. Run sudo pacman -Syu and verify the shim-signed package is current.


Step 1 — Check if Secure Boot is enabled on your system

Only systems with Secure Boot enabled are affected. If you disabled Secure Boot (common when installing Linux on many machines), none of this applies to you.

bash

mokutil --sb-state

Interpret the output:

  • SecureBoot enabled — you are affected; continue reading
  • SecureBoot disabled — you are not affected by this specific issue
  • EFI variables are not supported — you are likely booting in legacy BIOS mode; not affected

Step 2 — Check which Secure Boot certificates are enrolled in your firmware

bash

mokutil --db | grep "Microsoft Corporation"

Look for both:

  • Microsoft Corporation UEFI CA 2011 — the expiring key
  • Microsoft UEFI CA 2023 — the replacement key

If only the 2011 key appears and not the 2023 key, your firmware needs the new certificate enrolled before your distro pushes shim updates signed exclusively with the 2023 key.


Step 3 — Update your shim now, before June 27

This is the most important action. Update your bootloader packages immediately to get the dual-signed shim — which works with both 2011 and 2023 firmware enrollments:

Ubuntu / Debian / Linux Mint / Pop!_OS:

bash

sudo apt update && sudo apt upgrade
# Verify shim is updated
apt-cache policy shim-signed

Fedora:

bash

sudo dnf update shim
sudo dnf update grub2-efi-x64

RHEL / AlmaLinux / Rocky Linux:

bash

sudo dnf clean metadata && sudo dnf update shim

Arch Linux:

bash

sudo pacman -Syu shim-signed

openSUSE:

bash

sudo zypper refresh && sudo zypper update shim

After updating, reboot and verify the system boots cleanly before the expiry deadline.
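Steps 2 and 3 each answer half of the question: which Microsoft CAs the firmware trusts, and which CAs the installed shim is actually signed under. The script below (an added example, not code from the article or from any distribution's tooling) parses the text that mokutil --db and sbverify --list print, answers both halves, and combines them into the same verdict the "what happens if you do nothing" section spells out. It assumes mokutil prints one "Subject:" line per db entry and that sbverify (from the sbsigntools package) prints "image signature issuers:" / "subject:" / "issuer:" lines per signature; the sample listings inside it are constructed for offline testing, not captured from a real machine, and the default shim path is an Ubuntu guess. Note that the plain grep "Microsoft Corporation" in Step 2 also matches Issuer lines, which is why the db check here looks only at Subject lines, while the shim check must look at issuer lines because that is where the CA appears in a signature chain.

```shell
#!/bin/sh
# Added example, not from the original article. Reads the text printed by
# `mokutil --db` (Step 2) and `sbverify --list <shim.efi>` (Step 3) and
# reports whether the Microsoft 2011 and 2023 UEFI CAs are present, then
# combines both answers into a boot verdict. ASSUMPTIONS: mokutil prints a
# "Subject:" line per db entry; sbverify prints "subject:"/"issuer:" lines
# per signature. Sample listings below are constructed for offline testing.

CA_2011="Microsoft Corporation UEFI CA 2011"
CA_2023="Microsoft UEFI CA 2023"

# ca_status MODE  (listing on stdin) -> prints both | 2011-only | 2023-only | none
#   subject : count a CA only on Subject lines (firmware db: the CA cert
#             itself must be enrolled; an Issuer mention is not enough)
#   any     : count a CA on any line (shim signatures: the CA normally
#             appears as the issuer of the leaf signing certificate)
ca_status() {
    mode=$1
    has2011=0
    has2023=0
    while IFS= read -r line; do
        if [ "$mode" = subject ]; then
            case "$line" in
                *[Ss]ubject:*) ;;
                *) continue ;;
            esac
        fi
        case "$line" in
            *"$CA_2011"*) has2011=1 ;;
            *"$CA_2023"*) has2023=1 ;;
        esac
    done
    case "$has2011$has2023" in
        11) echo both ;;
        10) echo 2011-only ;;
        01) echo 2023-only ;;
        *)  echo none ;;
    esac
}

# verdict DB_STATUS SHIM_STATUS -> will this firmware trust this shim?
verdict() {
    case "$1/$2" in
        */none)              echo "CHECK: shim carries no Microsoft CA chain (custom or MOK-signed?)" ;;
        none/*)              echo "FAIL: no Microsoft CA enrolled in db; a Microsoft-signed shim is not trusted" ;;
        2011-only/2023-only) echo "FAIL: shim is 2023-only but firmware only trusts the 2011 CA" ;;
        2023-only/2011-only) echo "FAIL: shim is 2011-only but firmware only trusts the 2023 CA" ;;
        2011-only/*)         echo "OK for now: enroll the 2023 CA before a 2023-only shim update lands" ;;
        *)                   echo "OK: an enrolled CA matches the shim's signature chain" ;;
    esac
}

# Constructed sample: db with only the 2011 CA enrolled (the Step 4 case).
sample_db_2011_only() {
cat <<'EOF'
[key 1]
        Issuer: C=US, O=Microsoft Corporation, CN=Microsoft Corporation Third Party Marketplace Root
        Subject: C=US, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011
EOF
}

# Constructed sample: db with both CAs enrolled (issuer name is a placeholder).
sample_db_both() {
sample_db_2011_only
cat <<'EOF'
[key 2]
        Issuer: C=US, O=Microsoft Corporation, CN=Example Root CA (constructed)
        Subject: C=US, O=Microsoft Corporation, CN=Microsoft UEFI CA 2023
EOF
}

# Constructed sample: sbverify --list output for a shim signed only under the 2023 CA.
sample_shim_2023_only() {
cat <<'EOF'
signature 1
image signature issuers:
 - /C=US/O=Microsoft Corporation/CN=Microsoft UEFI CA 2023
EOF
}

# Constructed sample: dual-signed shim (2023 chain plus the familiar 2011 chain).
sample_shim_dual() {
sample_shim_2023_only
cat <<'EOF'
signature 2
image signature issuers:
 - /C=US/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
image signature certificates:
 - subject: /C=US/O=Microsoft Corporation/CN=Microsoft Windows UEFI Driver Publisher
   issuer:  /C=US/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
EOF
}

# Live check: needs mokutil and sbverify, and root to read the ESP.
# The default shim path is an Ubuntu guess; pass your distro's path.
live_check() {
    shim=${1:-/boot/efi/EFI/ubuntu/shimx64.efi}
    db=$(mokutil --db | ca_status subject)
    sig=$(sbverify --list "$shim" | ca_status any)
    echo "firmware db : $db"
    echo "shim signers: $sig ($shim)"
    verdict "$db" "$sig"
}

# Usage: sudo sh sb-check.sh --live [/path/to/shimx64.efi]
if [ "${1:-}" = --live ]; then live_check "${2:-}"; fi
```

Run with --live on a real machine; without it the script only defines the functions, so you can source it and feed saved mokutil or sbverify output through ca_status. Running sample_shim_dual through ca_status subject reports none, which is the point of the two modes: the CA that vouches for a shim is the issuer of the signing certificate, not its subject, so a subject-only scan of a signature listing will always miss it.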


Step 4 — Enroll the 2023 certificate in your firmware (if needed)

If mokutil --db showed only the 2011 certificate, your firmware needs the 2023 certificate enrolled. The safest method depends on your system:

Method A — Via Windows Update (for dual-boot systems):

For dual-boot devices running both Windows and Linux, the sequence matters. First, Windows must install the 2023 CAs via its update mechanism. Next, the UEFI firmware must anchor these new CAs into the trust chain. Only then can a RHEL or Fedora shim signed with the 2023 CA boot successfully. (Source: How-To Geek)

On Windows, run Windows Update fully, reboot, then verify the new certificates are enrolled.

Method B — Via fwupd (Linux only):

bash

sudo apt install fwupd   # Ubuntu/Debian
# or
sudo dnf install fwupd   # Fedora/RHEL

sudo fwupdmgr refresh
sudo fwupdmgr update

Updating via fwupd is preferable to other methods when available, as it handles the firmware update process safely without risking data loss.

Method C — Via OEM firmware update:

Check your laptop or motherboard manufacturer’s support page for a UEFI/BIOS update that includes the 2023 Secure Boot certificates. Dell, HP, Lenovo, and ASUS have all published relevant firmware updates — search for your model number and “Secure Boot 2026” or “UEFI CA 2023”.


Special cases

Virtual machines

If you enabled Secure Boot on a Shielded VM instance created before November 7, 2025, you must ensure the guest OS trusts the Microsoft UEFI CA 2023 certificate. For VMs on VMware, Hyper-V, KVM, or cloud providers, check your hypervisor’s documentation for Secure Boot certificate update procedures. Most cloud providers (AWS, Google Cloud, Azure) are handling this automatically for managed instances. (Source: Tech2Geek)

Older hardware with no firmware updates available

If your PC’s UEFI firmware is not prepared to accept and retain the new 2023 certificates, Windows Update can attempt the handover and still leave the device stuck in what Microsoft describes as a degraded security state, where future boot-related security updates may not apply cleanly. (Source: Medium)

For machines where the OEM no longer provides firmware updates, your options are:

  1. Disable Secure Boot in UEFI settings — the least secure option but fully functional
  2. Manually enroll the 2023 certificate via MOK (Machine Owner Key) — advanced, documented in your distro’s Secure Boot guide
  3. Accept the risk — your existing shim continues to work indefinitely, you just cannot apply future shim updates until the certificate situation is resolved

Linux-only systems (no Windows)

Without Windows Update to push the 2023 certificate automatically, Linux-only systems depend entirely on fwupd or OEM firmware updates to enroll the new certificate. Run sudo fwupdmgr update now and check if a firmware update is available for your hardware.


What happens if you do nothing

To be completely clear about the real-world timeline:

  • June 28, 2026: Nothing changes. Your system boots normally.
  • When your distro releases a shim update signed only with the 2023 key (weeks to months away): if you apply that update and your firmware only has the 2011 key enrolled, your system will fail to boot after the next restart.
  • Long term: Systems that never update their shim will continue to boot fine but will become increasingly stale on boot security components.

The practical risk is highest for people who apply system updates without thinking and have old hardware with no OEM firmware update available. That combination — auto-updates plus old firmware — is where real boot failures will occur.


Quick action checklist

bash

# 1. Check if Secure Boot is enabled
mokutil --sb-state

# 2. Check which certificates are enrolled
mokutil --db | grep "Microsoft Corporation"

# 3. Update your shim NOW (Ubuntu/Debian)
sudo apt update && sudo apt upgrade

# 4. Update your shim NOW (Fedora/RHEL)
sudo dnf update shim

# 5. Check for firmware updates
sudo fwupdmgr refresh && sudo fwupdmgr update

# 6. Reboot and verify
sudo reboot

The bottom line – Secure Boot Linux 2026

Microsoft is performing a deliberate key rotation — issuing a new UEFI CA certificate and transitioning all future shim signing to that key. The June 2026 date marks when Microsoft will stop signing new shims with the old certificate. This is infrastructure maintenance, not a catastrophe.

For most Linux users on modern hardware running a maintained distribution, updating your packages today is sufficient. The dual-signed shim covers both old and new firmware enrollments, and fwupd or OEM updates handle the firmware side.

For users on older hardware where firmware updates are no longer available — update your shim now while it can still be signed with the 2011 key, and then carefully evaluate any future shim updates before applying them blind.

The deadline is June 27. You have 15 days. This is one of those rare cases where acting now, not later, is the right call.

