Linux Faces 2026 Secure Boot Update as Microsoft Certificates Expire

3 articles · Updated · ZDNet · Jun 18

2026 certificate expirations will not suddenly brick existing Linux installs, but they can stop newer distros or updated boot components from loading on PCs missing newer Secure Boot keys.
2011-era Microsoft Secure Boot certificates used by Linux shim bootloaders expire in two 2026 waves, and Microsoft has already issued replacement certificates to OEMs in 2023.
Firmware updates are the main fix: users should install recent BIOS/UEFI updates—often via fwupd—to add the new keys before trying future Linux releases.
Mainstream distributions including Fedora, RHEL, Ubuntu, SUSE, openSUSE and Debian have largely prepared their shim and signing chains, while some distros make Secure Boot support harder.
The broader takeaway is to keep Secure Boot enabled where possible and test current live images now, because the risk is future compatibility, not an immediate boot failure.