How do I update Secure Boot certificates manually ?

Jacky_BEL · Wednesday at 11:59 AM

I am reading that a lot of PC's have certificates dating from 2011 that are to expire in 2026.

I can get to the Key management in the (ami) BIOS , but how the heck can I manually update or add 2023 certificates ?

Has anyone here already been succesful in doing so ?

(The PC is an off the shelf office PC , with text style ami BIOS , not with a graphical UI.)
AMI APTIO version ~~2.21.1278~~ 2.17.1254

chrcoluk · Wednesday at 1:10 PM

I will be surprised if its possible without bios modding, planned obsolescence and all that.

R-T-B · Wednesday at 1:28 PM

This is a tough one. You can't just use someone elses certs, because there is a very large chance your firmware is signed with the old ones somewhere and it'll refuse to boot.

The good news is to my knowledge, expiration is not enforced on most older boards. So most of them will just continue to work as if nothing happened. AMI Aptio is a reference bios, so almost certainly won't care as the original AMI builds don't.

chrcoluk said:
I will be surprised if its possible without bios modding, planned obsolescence and all that.

Nah, no modding needed, theres an interface to plug in your own certs. The issue is you'll never get any that also sign any uefi code in your particular bios, if applicable.

Jacky_BEL · Wednesday at 8:03 PM

The way I understand how it works is that a Platform Key is needed from the OEM , and two updated Secure Boot certification files from Microsoft that I already have downloaded (KEK cert , and a .db file)

I just can't figure out how to get the BIOS to update from these files. :confused:

mb194dc · Wednesday at 8:18 PM

You don't?

Don't need to do anything if you're getting updates.

Act now: Secure Boot certificates expire in June 2026 - Windows IT Pro Blog

Learn how to update to the new 2023 Secure Boot certificates ahead of June 2026 expiration.

techcommunity.microsoft.com

Jacky_BEL · Wednesday at 8:59 PM

Updates are coming for W10 / W11. Microsoft made Secure Boot available for W7 with an update not long before W7 went unsupported.
I have a i7-6700 machine i would like to keep running on W7 ( with updated Secure Boot if possible ) , so that is why i am eager to know.

Maybe as a work around , swap to a W10 install and let the MB get the update , and then swap back to the W7 disk ?

System Name	MSi Coffee Lake
Processor	i7-8700k
Motherboard	MSI Z370 GAMING PRO CARBON AC
Cooling	NZXT something AIO loop
Memory	16GB Kingston HyperX 2133 C14 Fury Black
Video Card(s)	TITAN Xp Jedi Order Edition
Storage	Samsung 960 Evo NVMe
Display(s)	Medion 23'
Case	Cooler Master Stryker
Audio Device(s)	onboard
Power Supply	BeQuiet 600W
Mouse	Logitech Trackman T-BB18
Keyboard	Generic hp
Software	Windows 10

System Name	Main PC
Processor	13700k
Motherboard	Asrock Z690 Steel Legend D4 - Bios 13.02
Cooling	Noctua NH-D15S
Memory	32 Gig 3200CL14
Video Card(s)	4080 RTX SUPER FE 16G
Storage	1TB 980 PRO, 2TB SN850X, 2TB DC P4600, 1TB 860 EVO, 4TB WD SA510, 2x 3TB WD Red, 1x 4TB WD Red
Display(s)	LG 27GL850
Case	Fractal Define R4
Audio Device(s)	Soundblaster AE-9
Power Supply	Antec HCG 750 Gold
Software	Windows 10 21H2 LTSC

System Name	Pioneer
Processor	Ryzen 9 9950X
Motherboard	MSI MAG X670E Tomahawk Wifi
Cooling	Noctua NH-D15 + A whole lotta Sunon, Phanteks and Corsair Maglev blower fans...
Memory	64GB (2x 32GB) G.Skill Flare X5 @ DDR5-6200(Running 1T no GDM)
Video Card(s)	PNY RTX 5080 OC
Storage	Intel 5800X Optane 800GB boot, +2x Crucial P5 Plus 2TB PCIe 4.0 NVMe SSDs, 1x 2TB Seagate Exos 3.5"
Display(s)	55" Hisense 55U8N 4K FALD Display
Case	Thermaltake Core X31
Audio Device(s)	TOSLINK->Schiit Modi MB->Asgard 2 DAC Amp->AKG Pro K712 Headphones or HDMI->B9 OLED
Power Supply	FSP Hydro Ti Pro 850W 80Plus Titanium PSU
Mouse	Logitech G305 Lightspeed Wireless
Keyboard	WASD Code v3 with Cherry Green keyswitches + PBT DS keycaps
Software	Gentoo Linux x64 / Windows 11 Enterprise (yes it's legit)

System Name	MSi Coffee Lake
Processor	i7-8700k
Motherboard	MSI Z370 GAMING PRO CARBON AC
Cooling	NZXT something AIO loop
Memory	16GB Kingston HyperX 2133 C14 Fury Black
Video Card(s)	TITAN Xp Jedi Order Edition
Storage	Samsung 960 Evo NVMe
Display(s)	Medion 23'
Case	Cooler Master Stryker
Audio Device(s)	onboard
Power Supply	BeQuiet 600W
Mouse	Logitech Trackman T-BB18
Keyboard	Generic hp
Software	Windows 10

System Name	MSi Coffee Lake
Processor	i7-8700k
Motherboard	MSI Z370 GAMING PRO CARBON AC
Cooling	NZXT something AIO loop
Memory	16GB Kingston HyperX 2133 C14 Fury Black
Video Card(s)	TITAN Xp Jedi Order Edition
Storage	Samsung 960 Evo NVMe
Display(s)	Medion 23'
Case	Cooler Master Stryker
Audio Device(s)	onboard
Power Supply	BeQuiet 600W
Mouse	Logitech Trackman T-BB18
Keyboard	Generic hp
Software	Windows 10

How do I update Secure Boot certificates manually ?

Jacky_BEL

chrcoluk

R-T-B

Jacky_BEL

mb194dc

Act now: Secure Boot certificates expire in June 2026 - Windows IT Pro Blog

Jacky_BEL