By Bobby Borisov
Publication Date: 2026-06-14 09:05:00
Microsoft’s legacy Secure Boot signing certificate is nearing expiration, initiating an important transition that impacts the wider Linux ecosystem.
The Microsoft UEFI Certificate Authority from 2011, widely used in the Secure Boot chain on standard PCs, will expire this June, and Linux distributions must move their shim signing path to the newer 2023 CA.
This is significant for the Linux ecosystem, as many distros depend on a Microsoft-signed bootloader (called shim) to start Linux on Secure Boot-enabled machines – a firmware feature that ensures only trusted software runs during startup.
Long story short: when a computer powers on, the firmware verifies that the initial boot component is signed by a trusted key. If the signature is valid, the boot process continues; if not, the firmware blocks it.
For Windows, this process is seamless because PC firmware typically trusts Microsoft’s keys by default. Most Linux distros, however, are not directly trusted by firmware on…

