Bottom line: After Secure Boot certificates expire in 2026, systems will no longer be able to verify new 2023-signed bootloaders and will not receive security updates against pre-boot attacks.
Three central Microsoft certificates for UEFI Secure Boot will expire between June and October 2026. Systems will continue to start, but will lose the ability to verify new boot components and deploy future security updates.
The cryptographic trust anchors of UEFI Secure Boot originate largely from 2011 and are approaching the end of their fifteen-year lifespan. Three Microsoft certificates are affected: the Microsoft Corporation KEK CA 2011 (expiry 24 June 2026), the Microsoft UEFI CA 2011 (expiry 27 June 2026) and the Microsoft Windows Production PCA 2011 (expiry 19 October 2026).
An expired certificate does not cause hardware failure. Already trusted bootloaders will continue to function, and systems will start without interruption. The actual problem is more subtle: the security posture of the boot layer freezes as of 2026. Systems lose the ability to verify new boot components that will only be signed with 2023 certificates, and cannot deploy updated revocation lists against bootkits. After the KEK CA 2011 expires, Microsoft will no longer be able to provide signed updates to the signature and revocation database.
Practical impacts are seen primarily in new installations and updates: a fresh Windows or Linux installation from a current installation medium will fail verification if the firmware does not recognize the new 2023 certificates. This also explicitly affects Linux, as the Third-Party UEFI CA is responsible for signing the Linux shim. After June 2026, security updates for boot components signed exclusively with 2023 certificates cannot be verified on affected systems.
New risks also emerge when updating Secure Boot certificates. Any change to the Secure Boot variables changes PCR7 measurements, which on systems with BitLocker enabled can trigger a recovery key prompt. Microsoft therefore recommends temporarily suspending BitLocker before the update.
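Whether a firmware signature database already carries the 2023 certificates can be checked from a dump of the db or KEK variable. The following is an added example, not taken from the source article: it walks the EFI_SIGNATURE_LIST structures and looks for certificate names by byte search instead of full X.509 parsing. The 2023 names are Microsoft's published replacements and are not named in the article; the sample data is constructed.

```python
import struct
import uuid

# EFI_CERT_X509_GUID (UEFI spec): signature lists of this type carry DER certificates.
EFI_CERT_X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# Common-name fragments to search for. The 2011 names come from the article;
# the 2023 names are Microsoft's published replacements (assumption: not in the article).
OLD = [b"KEK CA 2011", b"UEFI CA 2011", b"Windows Production PCA 2011"]
NEW = [b"KEK 2K CA 2023", b"Windows UEFI CA 2023", b"Microsoft UEFI CA 2023"]

def x509_entries(blob):
    """Yield raw certificate bytes from a chain of EFI_SIGNATURE_LIST structures."""
    off = 0
    while off + 28 <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 or sig_size <= 16 or off + list_size > len(blob):
            raise ValueError(f"malformed signature list at offset {off}")
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            if sig_type == EFI_CERT_X509:
                yield blob[pos + 16:pos + sig_size]  # skip 16-byte SignatureOwner GUID
            pos += sig_size
        off = end

def audit(blob):
    """Return (2011 names found, 2023 names found) as sorted lists of strings."""
    certs = list(x509_entries(blob))
    hit = lambda names: sorted(n.decode() for n in names if any(n in c for c in certs))
    return hit(OLD), hit(NEW)

def _siglist(sig_type, payloads):
    # Constructed-sample helper: one list, payloads zero-padded to equal size.
    size = 16 + max(len(p) for p in payloads)
    body = b"".join(bytes(16) + p.ljust(size - 16, b"\0") for p in payloads)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, size) + body

# Constructed sample: placeholder blobs holding only the CN text, not real DER.
SAMPLE_OLD_ONLY = _siglist(EFI_CERT_X509, [b"CN=Microsoft Corporation UEFI CA 2011",
                                          b"CN=Microsoft Windows Production PCA 2011"])
SAMPLE_UPDATED = SAMPLE_OLD_ONLY + _siglist(EFI_CERT_X509, [b"CN=Windows UEFI CA 2023"])

if __name__ == "__main__":
    print("2011-only db:", audit(SAMPLE_OLD_ONLY))
    print("updated db:  ", audit(SAMPLE_UPDATED))
```

On Linux the live variable is exposed at /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f; strip its 4-byte attribute prefix before passing the remainder to audit().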
Source: www.cert.at · Published 16 June 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.