Hey Rebecca!

We actually have the following repo on 
[github/secureboot_objects](https://github.com/microsoft/secureboot_objects) 
where you can get Secure Boot default releases and ask questions directly to 
the team that manages secure boot at Microsoft.

To answer your question,

The 2011 certificates are expiring in 2026 so we're beginning a transition away 
from them.

The expiring certificates are:

```
DB: Microsoft Windows Production PCA 2011
DB: Microsoft Corporation UEFI CA 2011 (Third Party)
KEK: Microsoft Corporation KEK CA 2011 
```
The new certificates are:

```
DB: Windows UEFI CA 2023
DB: Microsoft UEFI CA 2023 (Third Party)
DB: Microsoft Option ROM UEFI CA 2023 (Only Option Roms (New behavior meant to 
improve configurability))
KEK: Microsoft Corporation KEK 2K CA 2023
```

Right now the guidance is to include both sets of certificates to provide the 
most compatibility during the transition and then at a point further in the 
future we'll begin remove the 2011 certificates from the default.




-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#120736): https://edk2.groups.io/g/devel/message/120736
Mute This Topic: https://groups.io/mt/109402104/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-


Reply via email to