Adding X.509 certificate to UEFI secure boot database?

You should be able to load the certificate using MokManager.efi so that it's recognized by Shim, and therefore accepted by the kernel. I don't know if Fedora sets its GRUB up so that you can launch MokManager.efi yourself. If not, try booting (with Secure Boot disabled) a USB flash drive with an EFI shell or rEFInd. You should then be able to launch MokManager.efi and load the certificate file. (It will need to be stored on the same disk as the MokManager.efi utility -- probably /boot/efi from within Fedora.)

I'm pretty sure there's a way to add the certificate to the NVRAM from within Linux so that Shim will notice it and ask if it should be used the next time you reboot, but I don't know precisely what it is. Presumably it would involve writing the file to somewhere in the /sys/firmware/efi directory tree.

That said, I've never had to do this specific thing myself, since I don't use proprietary video drivers on any of my computers. It's conceivable there's some extra step you'll need to take.


You would want to use mokutil to enroll the key.

sudo mokutil --import <der file>

You can test if a key is enrolled with

mokutil --test-key <der file>
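
The two mokutil commands above wrapped in a pre-flight check, as an added example that is not part of the original answers: it confirms the file is a DER certificate (converting from PEM if needed) and prints its fingerprint before requesting enrollment. The helper names `cert_format` and `enroll_cert` are hypothetical, and `openssl` is assumed to be installed.

```shell
#!/bin/sh
# Added example: pre-flight wrapper around `mokutil --test-key` / `--import`.
# cert_format and enroll_cert are hypothetical helper names.

# Print "pem", "der" or "unknown" for a certificate file.
cert_format() {
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo pem
    elif [ "$(od -An -tx1 -N1 "$1" 2>/dev/null | tr -d ' \n')" = "30" ]; then
        echo der    # DER starts with an ASN.1 SEQUENCE tag (0x30)
    else
        echo unknown
    fi
}

# Request enrollment of a certificate as a Machine Owner Key (MOK).
enroll_cert() {
    cert=$1
    case "$(cert_format "$cert")" in
        der) der=$cert ;;
        pem) # mokutil takes a DER file, so convert a PEM certificate first
             der="${cert%.*}.der"
             openssl x509 -in "$cert" -inform PEM -outform DER -out "$der" || return 1 ;;
        *)   echo "$cert: not a PEM or DER certificate" >&2
             return 2 ;;
    esac

    # Show whose key this is before it is trusted to sign boot-time code.
    openssl x509 -in "$der" -inform DER -noout -subject -fingerprint -sha256 || return 1

    mokutil --sb-state             # is Secure Boot currently enabled?
    mokutil --test-key "$der" || true   # prints the enrollment status; informational only

    # Prompts for a one-time password that MokManager asks for at the next reboot.
    sudo mokutil --import "$der" || return 1

    mokutil --list-new             # show keys now pending enrollment
}

# Run only when a certificate path is given on the command line.
if [ "$#" -gt 0 ]; then
    enroll_cert "$1"
fi
```

After the reboot and MokManager confirmation, `mokutil --test-key` on the same file reports whether the key is enrolled.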