The June 2026 Secure Boot Certificate Expiry: What You Need to Know

If you dual-boot or run a Linux distribution with Secure Boot enabled, you may have heard about a major security deadline. The original Microsoft 2011 UEFI Third-Party Certificate Authority (CA) keys, which most Linux distributions rely on to sign their initial bootloader (shim) on consumer PC hardware, expired at the end of June 2026.

The expiration of a certificate doesn't invalidate already-installed, signed binaries on your system; firmware doesn't check expiration dates at boot time.
However, moving forward, future Linux bootloader updates and security patches will be signed exclusively using the new Windows UEFI CA 2023 key. If your motherboard's firmware database isn't updated to trust this new 2023 key, your Linux system may eventually experience package management blocks or fail to apply critical bootloader updates.

Before running updates, check if Secure Boot is active and see if your system already recognizes the 2023 certificate hierarchy. Open your terminal and run:
```bash
sudo mokutil --sb-state
```
If it returns SecureBoot disabled, this expiration does not affect your current boot environment, though updating your system firmware remains a best practice.

To check if the new 2023 certificates are already enrolled in your motherboard's signature database (db), run:
```bash
sudo mokutil --db | grep -i "2023"
```
If this returns a match for the Windows UEFI CA 2023, your hardware is already prepared. If it returns nothing, follow the steps below to apply the update.

The cleanest way to roll out the new 2023 database keys on any modern Linux distribution is fwupd, the client for the Linux Vendor Firmware Service (LVFS).

Updating Secure Boot variables requires fwupd version 2.0.0 or later. Check your current version:
```bash
fwupdmgr --version
```
On current distributions (such as Ubuntu 25.10/26.04+ or Fedora) the stock repository version is ready to go.
If your version is below 2.0.0, purge the system package and install the latest via Snap to ensure you have the required certificate-handling logic:
```bash
sudo apt purge fwupd
sudo snap install fwupd
```

Once you are running a compatible version, refresh your device metadata from the LVFS database:
```bash
sudo fwupdmgr refresh
```
Next, look for available updates specifically targeting your system's UEFI db or KEK (Key Exchange Key) databases:
```bash
sudo fwupdmgr get-updates
```
If updates are present, execute the deployment:
```bash
sudo fwupdmgr update
```
You will be prompted to confirm the update payload. Once accepted, a system reboot is mandatory, as the firmware variables are written and verified directly during the hardware initialization phase.

If fwupdmgr reports that no updates are available for your specific hardware model, your device manufacturer instead ships these database extensions through standard motherboard firmware updates.
Head to your manufacturer's official support page, download the latest BIOS/UEFI firmware build for your motherboard model, and flash it using your vendor's built-in flash utility (such as EZ Flash, Q-Flash, or an HP firmware flash tool). Any firmware version released recently will include the updated 2023 Microsoft root certificate authority as a default.
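The checks above can be combined into a single pre-flight script that tells you which branch of the procedure applies to a machine. This is an added example, not part of the original post; the verdict names, the function names and the `--live` flag are this script's own conventions, and each check takes tool output as an argument so it can be exercised on constructed samples.

```bash
#!/usr/bin/env bash
# Pre-flight report for the 2023 Secure Boot CA rollout.
# Checks take command output as arguments; run_live() feeds them the
# real mokutil/fwupdmgr output (needs root for mokutil --db).

# mokutil --sb-state prints "SecureBoot enabled" or "SecureBoot disabled".
sb_enabled() {
  printf '%s\n' "$1" | grep -q '^SecureBoot enabled'
}

# mokutil --db dumps every enrolled certificate; the new signing CA
# appears in a Subject line as CN=Windows UEFI CA 2023.
db_has_2023_ca() {
  printf '%s\n' "$1" | grep -q 'Windows UEFI CA 2023'
}

# Secure Boot variable updates need fwupd >= 2.0.0. Take the first x.y.z
# token from `fwupdmgr --version` output and compare the major number.
fwupd_version_ok() {
  local ver major
  ver=$(printf '%s\n' "$1" | grep -o '[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*' | head -n 1)
  [ -n "$ver" ] || return 1
  major=${ver%%.*}
  [ "$major" -ge 2 ]
}

# Combine the checks into one verdict string (names are this script's own):
#   not-affected  : Secure Boot is off, nothing to do
#   ready         : 2023 CA already enrolled in db
#   fwupd-too-old : upgrade fwupd (e.g. via Snap) before fwupdmgr can help
#   update-needed : run fwupdmgr refresh/get-updates/update, or vendor BIOS
verdict() {
  local sb_out="$1" db_out="$2" fwupd_out="$3"
  if ! sb_enabled "$sb_out"; then echo not-affected; return; fi
  if db_has_2023_ca "$db_out"; then echo ready; return; fi
  if ! fwupd_version_ok "$fwupd_out"; then echo fwupd-too-old; return; fi
  echo update-needed
}

# Query the running system and print the verdict.
run_live() {
  verdict "$(mokutil --sb-state 2>/dev/null)" \
          "$(mokutil --db 2>/dev/null)" \
          "$(fwupdmgr --version 2>/dev/null)"
}

if [ "${1:-}" = "--live" ]; then run_live; fi
```

Run it as `sudo ./sb-preflight.sh --live` on the machine you are about to update; the verdict maps directly onto the sections above.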