Secure Boot – Microsoft UEFI CA 2023 Certificate Not Included in EFI Disk

powersupport
Jan 18, 2020
Hi,


We are currently preparing our Windows Server VMs for Microsoft's Secure Boot certificate updates. According to Microsoft’s announcement (ref: https://support.microsoft.com/en-us...-updates-7ff40d33-95dc-4c3c-8725-a9b95457578e), the existing Microsoft UEFI CA 2011 certificate will expire in 2026, and a new certificate (Windows UEFI CA 2023) must be enrolled to ensure Secure Boot continues working beyond that point.


We are using Proxmox VE and creating Windows VMs with Secure Boot enabled and EFI disks with pre-enrolled keys (per the documentation at https://pve.proxmox.com/pve-docs/chapter-qm.html#qm_bios_and_uefi), using:


qm set <vmid> --efidisk0 local-lvm:vm-<vmid>-disk-1,efitype=4m,pre-enroll-keys=1


After testing a Windows Server 2022 VM, we found that the Windows UEFI CA 2023 certificate is not present in the Secure Boot db.


We confirmed this using PowerShell:
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'
→ returns False


We would like to ask:


  1. Will the Proxmox EFI disk be updated to include the Microsoft Windows UEFI CA 2023 certificate in future releases?
  2. If yes, is there an ETA or specific Proxmox VE version where this will be added?
  3. If no, what is the recommended manual method to enroll this certificate in the EFI environment of a Windows VM created via Proxmox?
    • Is there an officially supported method to inject this certificate into the db or dbx in the EFI environment?
    • Are there tools or EFI shell utilities that Proxmox recommends using for this purpose (e.g. KeyTool.efi or similar)?

We want to ensure that all future VMs — especially Windows-based Secure Boot VMs — can boot securely after the certificate expiration in 2026, and ideally automate this process during VM provisioning if possible.


Thanks
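The substring match in the post above only tells you whether the string "Windows UEFI CA 2023" occurs somewhere in the raw variable bytes. The script below, an added example that is not part of the original post or of Proxmox's documentation, walks the EFI_SIGNATURE_LIST structures in the Secure Boot db (or dbx/KEK/PK), decodes each X.509 entry, and reports subject, expiry and thumbprint, so you can see exactly which Microsoft CAs the EFI disk shipped with and when they expire. The list of CA common names checked at the end is an assumption based on the names mentioned in the post and the well-known 2011 Microsoft Secure Boot CAs; adjust it to whatever your Microsoft guidance names. Run it in an elevated PowerShell session inside the Windows guest.

```powershell
# Added example (not from the original post): parse the Secure Boot db/dbx/KEK/PK
# variables as EFI_SIGNATURE_LIST structures and list the certificates they hold.
# Requires an elevated PowerShell session inside a UEFI/Secure Boot Windows guest.

$EFI_CERT_X509_GUID   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # entry is a DER X.509 cert
$EFI_CERT_SHA256_GUID = [guid]'c1c41626-504c-4092-aca9-41f936934328'   # entry is a SHA-256 hash

function Get-SecureBootSignatureEntries {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('db', 'dbx', 'KEK', 'PK')]
        [string]$Variable
    )

    $bytes  = [byte[]](Get-SecureBootUEFI -Name $Variable).Bytes
    $offset = 0

    # The variable is a concatenation of EFI_SIGNATURE_LIST records:
    #   GUID SignatureType; UINT32 SignatureListSize; UINT32 SignatureHeaderSize;
    #   UINT32 SignatureSize; header bytes; then N x EFI_SIGNATURE_DATA.
    while ($offset + 28 -le $bytes.Length) {
        $type       = [guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize   = [BitConverter]::ToUInt32($bytes, $offset + 16)
        $headerSize = [BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize    = [BitConverter]::ToUInt32($bytes, $offset + 24)

        if ($listSize -lt 28 -or $offset + $listSize -gt $bytes.Length -or $sigSize -le 16) {
            throw "Malformed EFI_SIGNATURE_LIST at offset $offset in $Variable"
        }

        $listEnd   = $offset + $listSize
        $sigOffset = $offset + 28 + $headerSize

        # EFI_SIGNATURE_DATA: 16-byte SignatureOwner GUID followed by the payload.
        while ($sigOffset + $sigSize -le $listEnd) {
            $owner = [guid]::new([byte[]]$bytes[$sigOffset..($sigOffset + 15)])
            $data  = [byte[]]$bytes[($sigOffset + 16)..($sigOffset + $sigSize - 1)]

            if ($type -eq $EFI_CERT_X509_GUID) {
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($data)
                [pscustomobject]@{
                    Variable   = $Variable
                    Kind       = 'X509'
                    Owner      = $owner
                    Subject    = $cert.Subject
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
            }
            elseif ($type -eq $EFI_CERT_SHA256_GUID) {
                [pscustomobject]@{
                    Variable   = $Variable
                    Kind       = 'SHA256'
                    Owner      = $owner
                    Subject    = ([BitConverter]::ToString($data) -replace '-', '')
                    NotAfter   = $null
                    Thumbprint = $null
                }
            }
            # Other signature types (RSA2048, SHA1, ...) are skipped but still advance correctly.
            $sigOffset += $sigSize
        }
        $offset = $listEnd
    }
}

# Show every certificate currently trusted for boot by this VM.
$db = Get-SecureBootSignatureEntries -Variable 'db'
$db | Where-Object Kind -eq 'X509' | Format-Table Subject, NotAfter, Thumbprint -AutoSize

# Presence check for the CAs of interest (assumed names; edit to match your guidance).
foreach ($cn in 'Microsoft Windows Production PCA 2011',
                'Microsoft Corporation UEFI CA 2011',
                'Windows UEFI CA 2023',
                'Microsoft UEFI CA 2023') {
    $present = [bool]($db | Where-Object { $_.Kind -eq 'X509' -and $_.Subject -like "*CN=$cn*" })
    '{0,-40} {1}' -f $cn, $(if ($present) { 'present' } else { 'MISSING' })
}
```

Because the entries are decoded as real certificates, the NotAfter column shows the 2026 expiry of the 2011 CAs directly, and the same function run with `-Variable 'KEK'` tells you whether the EFI disk carries a Microsoft KEK at all, which is what any later db update signed by Microsoft would have to chain to. The `throw` on a malformed list is deliberate: a truncated or hand-edited variable should fail loudly rather than silently report "MISSING".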