2.2.3 Managing Keys and Certificates Used with Secure Boot
You can use the mokutil command to manage the keys and certificates used with Secure Boot.
The certificates are signed by DigiCert. By default, a certificate is valid for one year from the date of signing. Even if a certificate has since expired, validation is based on the date on which grub and the kernel were signed and on whether the certificate was valid at that time.
To renew the certificates, you update the kernel, grub, and ILOM on the secured servers with a new, signed version.
- Adding Keys for Secure Boot Using mokutil
  You can import or add new keys for use with Secure Boot.
- Removing Keys for Secure Boot Using mokutil
  You can delete or remove keys for use with Secure Boot.