New Secure Boot shim on Proxmox Host?

Upstairs_Cycle384

Mar 30, 2025
I noticed that my Secure Boot shim on my Proxmox host is only signed by the 2011 CA. Has anyone managed to update the boot shim to the 2023 CA? All the discussions I've seen have been about key enrollment on the guests. I haven't seen any discussions about the Proxmox hypervisor host itself. With the certificate set to expire next month, we are trying to get everything updated to a good baseline.
 
First, I don't think it matters because Proxmox has their own EFI cert, and you could turn off Secure Boot, but the process for me was below if you want to try:

I have some old Dell workstations for a lab and this was the process to get the 2023 cert in db; it should be similar for most manufacturers.
Step 1: Update the BIOS. Most manufacturers need a ~2025 BIOS update for the keys, or whatever BIOS update they stated added the 2023 UEFI cert in the changelog.
Step 2: Make sure Secure Boot is turned on and all legacy BIOS options are turned off, toggle expert key management on and off (something similar probably exists for vendors other than Dell), then reboot.
Step 3: Recheck if it is in db via the shell:
mokutil --db