Windows Secure Boot Certificate Expired — Billions of PCs Affected Including Linux Distros

https://cybersecuritynews.com/windows-secure-boot-certificate-expired/

Publish Date: 2026-06-25 12:52:00

Source Domain: cybersecuritynews.com

The clock has run out. As of June 24, 2026, the first of Microsoft’s original Secure Boot certificates, the Microsoft Corporation KEK CA 2011, has officially expired, with the Microsoft UEFI CA 2011 following on June 27, 2026.

A third, the Microsoft Windows Production PCA 2011, is set to expire on October 19, 2026. Together, these certificates have underpinned firmware-level boot trust on every UEFI-capable PC deployed since the Windows 8 era, more than a billion devices worldwide, including systems running Linux distributions.

This is not a routine Patch Tuesday. It is a permanent, structural change to the cryptographic trust chain that runs every time a device powers on.

Identifying potential risks is the first step. Here is what IT teams can do to ensure readiness before the deadline. To grasp why this matters, you need to understand Secure Boot’s layered key hierarchy stored in UEFI firmware:

  • The Platform Key (PK) sits at the top, authorizing the Key Enrollment Key (KEK).
  • The KEK signs updates to two critical databases: the Allowed Signature Database (DB), which lists trusted boot signatures, and the Forbidden Signature Database (DBX), which blocks known-malicious ones.
  • At boot time, firmware checks the bootloader’s cryptographic signature against the DB. If it matches and is not revoked in DBX, the system proceeds.

Four certificates that anchor this entire hierarchy are now at or approaching the end of life:

| Expiring Certificate | Expiry Date | Replacement | Location | Purpose |
|---|---|---|---|---|
| Microsoft Corporation KEK CA 2011 | June 24, 2026 | Microsoft Corporation KEK 2K CA 2023 | KEK | Signs updates to DB and DBX |
| Microsoft Corporation UEFI CA 2011 | June 27, 2026 | Microsoft UEFI CA 2023 | DB | Signs third-party OS and hardware driver components |
| Microsoft Corporation UEFI CA 2011 | June 27, 2026 | Microsoft Option ROM UEFI CA 2023 | DB | Signs third-party option ROMs |
| Microsoft Windows Production PCA 2011 | October 19, 2026 | Windows UEFI CA 2023 | DB | Signs the Windows boot loader |
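
A readiness check along these lines, as an added example that is not from the original article: it parses the EFI_SIGNATURE_LIST structures in which UEFI firmware stores DB and KEK and reports, for each replacement listed in the table, whether it is already enrolled. Matching certificate names by byte substring is a simplifying assumption, the function names are hypothetical, and the sample data is constructed.

```python
import struct
import uuid

# SignatureType GUID the UEFI specification assigns to X.509 certificate entries.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Replacement certificate -> expiring certificate, names as listed in the article's table.
REPLACEMENTS = {
    "Microsoft Corporation KEK 2K CA 2023": "Microsoft Corporation KEK CA 2011",
    "Microsoft UEFI CA 2023": "Microsoft Corporation UEFI CA 2011",
    "Microsoft Option ROM UEFI CA 2023": "Microsoft Corporation UEFI CA 2011",
    "Windows UEFI CA 2023": "Microsoft Windows Production PCA 2011",
}

def x509_entries(data):
    """Yield raw certificate bytes from concatenated EFI_SIGNATURE_LIST structures."""
    off = 0
    while off + 28 <= len(data):
        sig_type = uuid.UUID(bytes_le=bytes(data[off:off + 16]))
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 or off + list_size > len(data):
            raise ValueError(f"corrupt signature list at offset {off}")
        pos, end = off + 28 + hdr_size, off + list_size
        if sig_type == EFI_CERT_X509_GUID and sig_size > 16:
            while pos + sig_size <= end:
                yield data[pos + 16:pos + sig_size]  # skip the 16-byte SignatureOwner GUID
                pos += sig_size
        off = end  # hash-type lists (e.g. in DBX) are skipped, not parsed

def readiness(data):
    """Per replacement: 'present', 'missing' (only the 2011 cert found) or 'n/a' (neither)."""
    certs = list(x509_entries(data))
    def has(name):
        return any(name.encode() in cert for cert in certs)
    return {new: "present" if has(new) else "missing" if has(old) else "n/a"
            for new, old in REPLACEMENTS.items()}

def make_list(*blobs):
    """Build one X.509 signature list per blob (helper for the constructed sample)."""
    out = b""
    for blob in blobs:
        sig = bytes(16) + blob  # all-zero owner GUID
        out += EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + len(sig), 0, len(sig)) + sig
    return out

# Constructed sample DB: placeholder blobs carrying only subject names, not real certificates.
SAMPLE_DB = make_list(b"CN=Microsoft Corporation UEFI CA 2011",
                      b"CN=Microsoft Windows Production PCA 2011",
                      b"CN=Windows UEFI CA 2023")

if __name__ == "__main__":
    for name, state in readiness(SAMPLE_DB).items():
        print(f"{state:8} {name}")
```

On Linux the live DB contents can be read from `/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f`; drop the 4-byte attribute prefix before passing the data to `readiness()`.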

The…
