Fresh OpenSUSE TW install. Problem loading X.509 -22. Can I ignore it?

Hi all,
firstly I would like to apologize because I completely don’t understand TPM, etc so some of the things here can sound stupid.

I reinstalled openSUSE TW. The point is that now every time when OS is booting I have that message:

 Integrity: Problem loading X.509 certificate -22
 Integrity: Problem loading X.509 certificate -22

System is fully working (I found some similar topics but there was a problem with booting, etc)

I can “resolve” that problem by removing some of the signing keys from the BIOS. When I do that, then before the system starts booting I have MOK menu…after that I don’t see that message anymore.

Here is a log where you can see that there is a problem only with 2 keys:

 integrity: Loading X.509 certificate: UEFI:db
 kernel: integrity: Loaded X.509 cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4'
 kernel: integrity: Loading X.509 certificate: UEFI:db
 kernel: integrity: Loaded X.509 cert 'Microsoft Corporation: Windows UEFI CA 2023: aefc5fbbbe055d8f8daa585473499417ab5a5272'
 kernel: integrity: Loading X.509 certificate: UEFI:db
 kernel: integrity: Loaded X.509 cert 'Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53'
⟶kernel: integrity: Loading X.509 certificate: UEFI:db
⟶kernel: integrity: Problem loading X.509 certificate -22
⟶kernel: integrity: Error adding keys to platform keyring UEFI:db
⟶kernel: integrity: Loading X.509 certificate: UEFI:db
⟶kernel: integrity: Problem loading X.509 certificate -22
⟶kernel: integrity: Error adding keys to platform keyring UEFI:db
 kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
 kernel: integrity: Loaded X.509 cert 'openSUSE Secure Boot CA: 6842600de22c4c477e95be23dfea9513e5971762'
 kernel: Loading compiled-in module X.509 certificates
 kernel: Loaded X.509 cert 'openSUSE Secure Boot Signkey: fd9f2c12e599d67cc7f9067541adf426b712469e'

IDK if i can ignore that message or it should to be sorted. At the day when I reinstalled OS I’ve also updated the BIOS and maybe latest version of BIOS have some issue?

I would be grateful for any help, sorry for my language, I hope that everything is understandable.

Linux kernel does not like something in these certificates. It is impossible to say what exactly. Output of

mokutil --list-enrolled

would be interesting.

Hi, thanks for answer.
Here is the output:

Owner: 605dab50-e046-4300-abb6-3dd810dd8b23
SHA1 Fingerprint: 46:59:83:8c:82:03:fe:15:52:ad:19:e1:86:09:db:21:7e:3a:d2:4f
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=openSUSE Secure Boot CA, C=DE, L=Nuremberg, O=openSUSE Project/emailAddress=build@opensuse.org
        Validity
            Not Before: Aug 26 16:12:07 2013 GMT
            Not After : Jul 22 16:12:07 2035 GMT
        Subject: CN=openSUSE Secure Boot CA, C=DE, L=Nuremberg, O=openSUSE Project/emailAddress=build@opensuse.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:de:df:61:92:7a:a4:fe:83:d1:7d:3b:68:0e:b1:
                    a7:f0:4e:92:93:fc:47:3e:70:2d:4e:88:dc:9a:9e:
                    fa:33:b4:a6:db:0e:23:c1:0d:a8:c1:d5:65:04:84:
                    04:ff:3a:48:18:4f:39:32:e4:ca:4e:f9:04:9e:9f:
                    0f:cd:20:5d:61:ab:a7:00:d8:a5:ff:2b:7f:be:e8:
                    47:c3:2f:5b:02:c8:bb:de:8e:1a:e9:46:d3:86:ef:
                    ff:88:99:90:eb:10:89:b8:8b:3f:3e:a8:07:c6:55:
                    7a:6e:d3:5f:fc:83:3c:3d:16:ed:26:c5:13:73:92:
                    b1:70:1e:22:95:c8:00:6c:25:76:46:f1:a2:d9:d0:
                    b0:98:68:0f:a7:2d:b1:0d:67:89:ca:94:4a:ea:12:
                    c5:91:55:76:7f:6c:7a:2e:f9:18:89:9f:f8:f4:24:
                    43:d5:35:6a:cb:00:0e:2e:ed:4b:e2:5d:09:d8:1b:
                    97:70:99:9e:5a:6f:a6:81:a8:9d:a9:58:76:7d:69:
                    71:82:d3:ba:3a:96:43:9b:f0:da:15:c6:4e:e9:c8:
                    15:b9:e9:cb:c7:e4:71:ce:ea:10:1b:6b:c4:2a:70:
                    01:a9:52:b4:17:de:00:52:cf:7d:e4:fd:0f:4d:03:
                    18:b2:90:28:d4:6f:c4:ae:56:bc:36:60:49:46:8b:
                    6b:0b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier: 
                68:42:60:0D:E2:2C:4C:47:7E:95:BE:23:DF:EA:95:13:E5:97:17:62
            X509v3 Authority Key Identifier: 
                keyid:68:42:60:0D:E2:2C:4C:47:7E:95:BE:23:DF:EA:95:13:E5:97:17:62
                DirName:/CN=openSUSE Secure Boot CA/C=DE/L=Nuremberg/O=openSUSE Project/emailAddress=build@opensuse.org
                serial:01
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        8a:a3:89:c2:8e:d9:f9:82:0b:f3:33:ce:e9:19:17:17:a3:65:
        80:cd:33:ae:06:51:56:29:b6:38:87:7b:f4:9d:fc:28:8e:aa:
        e0:53:12:0e:3a:60:c7:06:d8:3a:61:76:3b:77:08:f4:94:a4:
        8c:7c:47:3a:99:d8:84:9b:17:cc:20:62:2e:e2:76:e4:c6:36:
        0d:26:e9:2e:53:35:0a:fb:3a:35:93:45:c3:93:82:c1:0b:f3:
        08:e9:57:1f:59:37:a9:d0:6c:69:fb:68:ea:7f:3b:af:d3:f7:
        59:27:8e:d4:c7:96:73:f4:0c:0a:f7:3e:e4:af:6c:8c:c7:7a:
        6f:09:79:f4:41:1f:e3:6f:11:fb:3e:6c:b1:a0:7b:e4:92:b7:
        ca:f9:32:f5:de:c3:b0:73:7d:e3:b3:82:5d:cd:ec:61:dc:fe:
        0c:3e:c6:b5:e7:6c:2d:5d:92:73:ff:ed:aa:6a:a9:9b:66:9e:
        5e:3a:6d:70:b0:31:c0:ce:df:2f:21:10:68:0c:87:f3:77:a0:
        33:31:0a:0f:15:f6:ee:32:88:c5:9a:53:71:cd:0d:1a:a1:28:
        89:d0:bf:f6:56:ac:4b:3b:36:06:2b:01:c5:eb:e5:dc:72:83:
        3d:94:ac:28:83:13:fb:c1:5d:27:9c:13:f6:32:5f:f6:1f:4a:
        b7:3e:53:8a

If I delete 2 GIGABYTE certificate from BIOS(last 2 from the photo), then I don’t have any message when OS is booting. TBH that resolving my problem but It is nice to know why that issue is existing. (I’ve restore keys before I gave you the output mokutil --list-enrolled). From the other side because I don’t know how TPM is working I’m not sure how safe it is to remove any of keys from the BIOS.

With and without that 2 keys certificate the output is the same.

Sorry, it should have been

moklist --list-enrolled --db

OK, you identified the incorrect certificates already.

Because these certificates do not comply with Linux kernel requirements. To say anything more, those certificates are needed. Certificates can be extracted in binary form using

mokutil --export --db

Without those certificates the worst thing that can happen - boot time binaries from your manufacturer fail to load if Secure Boot is enabled. I have no idea whether they even exist. I can think about BIOS update for once, or some recovery or diagnostic programs.

You may consider reporting it to the vendor of your motherboard.

1 Like

Thanks for more information…Now i know (I hope so) what I need to find/read.
I can be wrong but I think that it should be mokutil --list-enrolled --db (not moklist --list-enrolled --db).

I start thinking why was OK when I was using Nvidia GPU with closed drivers but with AMD card I have that message (or maybe I ignored it :F). I need to find a time and swap GPU to the old one to check if I get that message.
Anyway, thx for help.

[key 1]
Owner: 77fa9abd-0359-4d32-bd60-28f4e78f784b
SHA1 Fingerprint: 46:de:f6:3b:5c:e6:1c:f8:ba:0d:e2:e6:63:9c:10:19:d0:ed:14:f3
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            61:08:d3:c4:00:00:00:00:00:04
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation Third Party Marketplace Root
        Validity
            Not Before: Jun 27 21:22:45 2011 GMT
            Not After : Jun 27 21:32:45 2026 GMT
        Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:a5:08:6c:4c:c7:45:09:6a:4b:0c:a4:c0:87:7f:
                    06:75:0c:43:01:54:64:e0:16:7f:07:ed:92:7d:0b:
                    b2:73:bf:0c:0a:c6:4a:45:61:a0:c5:16:2d:96:d3:
                    f5:2b:a0:fb:4d:49:9b:41:80:90:3c:b9:54:fd:e6:
                    bc:d1:9d:c4:a4:18:8a:7f:41:8a:5c:59:83:68:32:
                    bb:8c:47:c9:ee:71:bc:21:4f:9a:8a:7c:ff:44:3f:
                    8d:8f:32:b2:26:48:ae:75:b5:ee:c9:4c:1e:4a:19:
                    7e:e4:82:9a:1d:78:77:4d:0c:b0:bd:f6:0f:d3:16:
                    d3:bc:fa:2b:a5:51:38:5d:f5:fb:ba:db:78:02:db:
                    ff:ec:0a:1b:96:d5:83:b8:19:13:e9:b6:c0:7b:40:
                    7b:e1:1f:28:27:c9:fa:ef:56:5e:1c:e6:7e:94:7e:
                    c0:f0:44:b2:79:39:e5:da:b2:62:8b:4d:bf:38:70:
                    e2:68:24:14:c9:33:a4:08:37:d5:58:69:5e:d3:7c:
                    ed:c1:04:53:08:e7:4e:b0:2a:87:63:08:61:6f:63:
                    15:59:ea:b2:2b:79:d7:0c:61:67:8a:5b:fd:5e:ad:
                    87:7f:ba:86:67:4f:71:58:12:22:04:22:22:ce:8b:
                    ef:54:71:00:ce:50:35:58:76:95:08:ee:6a:b1:a2:
                    01:d5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            1.3.6.1.4.1.311.21.1: 
                .....
            1.3.6.1.4.1.311.21.2: 
                ....k..wSJ.%7.N.&{. p.
            X509v3 Subject Key Identifier: 
                13:AD:BF:43:09:BD:82:70:9C:8C:D5:4F:31:6E:D5:22:98:8A:1B:D4
            1.3.6.1.4.1.311.20.2: 
                .
.S.u.b.C.A
            X509v3 Key Usage: 
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Authority Key Identifier: 
                45:66:52:43:E1:7E:58:11:BF:D6:4E:9E:23:55:08:3B:3A:22:6A:A8
            X509v3 CRL Distribution Points: 
                Full Name:
                  URI:http://crl.microsoft.com/pki/crl/products/MicCorThiParMarRoo_2010-10-05.crl
            Authority Information Access: 
                CA Issuers - URI:http://www.microsoft.com/pki/certs/MicCorThiParMarRoo_2010-10-05.crt
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        35:08:42:ff:30:cc:ce:f7:76:0c:ad:10:68:58:35:29:46:32:
        76:27:7c:ef:12:41:27:42:1b:4a:aa:6d:81:38:48:59:13:55:
        f3:e9:58:34:a6:16:0b:82:aa:5d:ad:82:da:80:83:41:06:8f:
        b4:1d:f2:03:b9:f3:1a:5d:1b:f1:50:90:f9:b3:55:84:42:28:
        1c:20:bd:b2:ae:51:14:c5:c0:ac:97:95:21:1c:90:db:0f:fc:
        77:9e:95:73:91:88:ca:bd:bd:52:b9:05:50:0d:df:57:9e:a0:
        61:ed:0d:e5:6d:25:d9:40:0f:17:40:c8:ce:a3:4a:c2:4d:af:
        9a:12:1d:08:54:8f:bd:c7:bc:b9:2b:3d:49:2b:1f:32:fc:6a:
        21:69:4f:9b:c8:7e:42:34:fc:36:06:17:8b:8f:20:40:c0:b3:
        9a:25:75:27:cd:c9:03:a3:f6:5d:d1:e7:36:54:7a:b9:50:b5:
        d3:12:d1:07:bf:bb:74:df:dc:1e:8f:80:d5:ed:18:f4:2f:14:
        16:6b:2f:de:66:8c:b0:23:e5:c7:84:d8:ed:ea:c1:33:82:ad:
        56:4b:18:2d:f1:68:95:07:cd:cf:f0:72:f0:ae:bb:dd:86:85:
        98:2c:21:4c:33:2b:f0:0f:4a:f0:68:87:b5:92:55:32:75:a1:
        6a:82:6a:3c:a3:25:11:a4:ed:ad:d7:04:ae:cb:d8:40:59:a0:
        84:d1:95:4c:62:91:22:1a:74:1d:8c:3d:47:0e:44:a6:e4:b0:
        9b:34:35:b1:fa:b6:53:a8:2c:81:ec:a4:05:71:c8:9d:b8:ba:
        e8:1b:44:66:e4:47:54:0e:8e:56:7f:b3:9f:16:98:b2:86:d0:
        68:3e:90:23:b5:2f:5e:8f:50:85:8d:c6:8d:82:5f:41:a1:f4:
        2e:0d:e0:99:d2:6c:75:e4:b6:69:b5:21:86:fa:07:d1:f6:e2:
        4d:d1:da:ad:2c:77:53:1e:25:32:37:c7:6c:52:72:95:86:b0:
        f1:35:61:6a:19:f5:b2:3b:81:50:56:a6:32:2d:fe:a2:89:f9:
        42:86:27:18:55:a1:82:ca:5a:9b:f8:30:98:54:14:a6:47:96:
        25:2f:c8:26:e4:41:94:1a:5c:02:3f:e5:96:e3:85:5b:3c:3e:
        3f:bb:47:16:72:55:e2:25:22:b1:d9:7b:e7:03:06:2a:a3:f7:
        1e:90:46:c3:00:0d:d6:19:89:e3:0e:35:27:62:03:71:15:a6:
        ef:d0:27:a0:a0:59:37:60:f8:38:94:b8:e0:78:70:f8:ba:4c:
        86:87:94:f6:e0:ae:02:45:ee:65:c2:b6:a3:7e:69:16:75:07:
        92:9b:f5:a6:bc:59:83:58

[key 2]
Owner: 77fa9abd-0359-4d32-bd60-28f4e78f784b
SHA1 Fingerprint: 45:a0:fa:32:60:47:73:c8:24:33:c3:b7:d5:9e:74:66:b3:ac:0c:67
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            33:00:00:00:1a:88:8b:98:00:56:22:84:c1:00:00:00:00:00:1a
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Root Certificate Authority 2010
        Validity
            Not Before: Jun 13 18:58:29 2023 GMT
            Not After : Jun 13 19:08:29 2035 GMT
        Subject: C=US, O=Microsoft Corporation, CN=Windows UEFI CA 2023
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:bc:b2:35:d1:54:79:b4:8f:cc:81:2a:6e:b3:12:
                    d6:93:97:30:7c:38:5c:bf:79:92:19:0a:0f:2d:0a:
                    fe:bf:e0:a8:d8:32:3f:d2:ab:6f:6f:81:c1:4d:17:
                    69:45:cf:85:80:27:a3:7c:b3:31:cc:a5:a7:4d:f9:
                    43:d0:5a:2f:d7:18:1b:d2:58:96:05:39:a3:95:b7:
                    bc:dd:79:c1:a0:cf:8f:e2:53:1e:2b:26:62:a8:1c:
                    ae:36:1e:4f:a1:df:b9:13:ba:0c:25:bb:24:65:67:
                    01:aa:1d:41:10:b7:36:c1:6b:2e:b5:6c:10:d3:4e:
                    96:d0:9f:2a:a1:f1:ed:a1:15:0b:82:95:c5:ff:63:
                    8a:13:b5:92:34:1e:31:5e:61:11:ae:5d:cc:f1:10:
                    e6:4c:79:c9:72:b2:34:8a:82:56:2d:ab:0f:7c:c0:
                    4f:93:8e:59:75:41:86:ac:09:10:09:f2:51:65:50:
                    b5:f5:21:b3:26:39:8d:aa:c4:91:b3:dc:ac:64:23:
                    06:cd:35:5f:0d:42:49:9c:4f:0d:ce:80:83:82:59:
                    fe:df:4b:44:e1:40:c8:3d:63:b6:cf:b4:42:0d:39:
                    5c:d2:42:10:0c:08:c2:74:eb:1c:dc:6e:bc:0a:ac:
                    98:bb:cc:fa:1e:3c:a7:83:16:c5:db:02:da:d9:96:
                    df:6b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            1.3.6.1.4.1.311.21.1: 
                ...
            X509v3 Subject Key Identifier: 
                AE:FC:5F:BB:BE:05:5D:8F:8D:AA:58:54:73:49:94:17:AB:5A:52:72
            1.3.6.1.4.1.311.20.2: 
                .
.S.u.b.C.A
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Authority Key Identifier: 
                D5:F6:56:CB:8F:E8:A2:5C:62:68:D1:3D:94:90:5B:D7:CE:9A:18:C4
            X509v3 CRL Distribution Points: 
                Full Name:
                  URI:http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
            Authority Information Access: 
                CA Issuers - URI:http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        9f:c9:b6:ff:6e:e1:9c:3b:55:f6:fe:8b:39:dd:61:04:6f:d0:
        ad:63:cd:17:76:4a:a8:43:89:8d:f8:c6:f2:8c:5e:90:e1:e4:
        68:a5:15:ec:b8:d3:60:0c:40:57:1f:fb:5e:35:72:61:de:97:
        31:6c:79:a0:f5:16:ae:4b:1c:ed:01:0c:ef:f7:57:0f:42:30:
        18:69:f8:a1:a3:2e:97:92:b8:be:1b:fe:2b:86:5e:42:42:11:
        8f:8e:70:4d:90:a7:fd:01:63:f2:64:bf:9b:e2:7b:08:81:cf:
        49:f2:37:17:df:f1:f9:72:d3:c3:1d:c3:90:45:4d:e6:80:06:
        bd:fd:e5:6a:69:ce:b3:7e:4e:31:5b:84:73:a8:e8:72:3f:27:
        35:c9:7c:20:ce:00:9b:4f:e0:4c:b4:36:69:cb:f7:34:11:11:
        74:12:7a:a8:8c:2e:81:6c:a6:50:ad:19:fa:a8:46:45:6f:b1:
        67:73:c3:6b:e3:40:e8:2a:69:8f:24:10:e1:29:6e:8d:16:88:
        ee:8e:7f:66:93:02:6f:5b:9e:04:8c:cc:81:1c:ad:97:54:f1:
        18:2e:7e:52:90:bc:51:de:2a:0e:ae:66:ea:bc:64:6e:a0:91:
        64:e4:2f:12:a8:bc:e7:6b:ba:c7:1b:9b:79:1a:64:66:f1:43:
        b4:d1:c3:46:21:38:81:79:4c:fa:f0:31:0d:d3:79:ff:7a:12:
        a5:1d:d9:dd:ac:a2:0f:71:82:f7:93:ff:5c:a1:61:ae:65:f2:
        14:81:ed:79:5a:9a:87:ea:60:7b:cb:b3:4f:75:34:ca:ba:a1:
        ef:a2:f6:a2:80:45:a1:8b:27:81:cd:d5:77:38:3e:ca:4e:dd:
        28:ea:58:ba:c5:a0:29:de:86:8c:88:fc:95:27:51:dd:ab:d3:
        d0:5b:0d:77:c7:6c:8f:55:d7:d4:a2:0e:5b:e4:34:46:14:16:
        1d:e3:1c:d6:6d:99:ad:4c:ec:71:73:2f:ab:ce:b2:b4:29:de:
        55:30:53:39:3a:32:8b:f0:ea:9c:88:12:3b:05:68:19:bf:cf:
        87:52:10:fb:d6:13:60:f3:41:64:f4:08:57:81:cb:9d:11:a5:
        8e:f4:e5:27:f5:a3:3a:ec:e4:3d:4a:b7:ce:f9:88:0d:9f:bd:
        ca:6d:d2:4a:bc:58:76:8e:32:04:94:6e:dd:f4:cf:6d:47:6d:
        c2:d7:6a:dc:87:71:ea:a4:bf:ef:67:97:9c:b8:c7:80:36:2a:
        2a:59:c9:c0:0c:a7:44:a0:73:b5:8c:cf:38:5a:ae:f8:bb:86:
        95:f0:44:ad:66:7a:33:ed:71:e4:45:87:83:e5:a7:ce:a2:40:
        d0:72:d2:48:00:fa:f9:1a

[key 3]
Owner: 77fa9abd-0359-4d32-bd60-28f4e78f784b
SHA1 Fingerprint: 58:0a:6f:4c:c4:e4:b6:69:b9:eb:dc:1b:2b:3e:08:7b:80:d0:67:8d
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            61:07:76:56:00:00:00:00:00:08
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Root Certificate Authority 2010
        Validity
            Not Before: Oct 19 18:41:42 2011 GMT
            Not After : Oct 19 18:51:42 2026 GMT
        Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:dd:0c:bb:a2:e4:2e:09:e3:e7:c5:f7:96:69:bc:
                    00:21:bd:69:33:33:ef:ad:04:cb:54:80:ee:06:83:
                    bb:c5:20:84:d9:f7:d2:8b:f3:38:b0:ab:a4:ad:2d:
                    7c:62:79:05:ff:e3:4a:3f:04:35:20:70:e3:c4:e7:
                    6b:e0:9c:c0:36:75:e9:8a:31:dd:8d:70:e5:dc:37:
                    b5:74:46:96:28:5b:87:60:23:2c:bf:dc:47:a5:67:
                    f7:51:27:9e:72:eb:07:a6:c9:b9:1e:3b:53:35:7c:
                    e5:d3:ec:27:b9:87:1c:fe:b9:c9:23:09:6f:a8:46:
                    91:c1:6e:96:3c:41:d3:cb:a3:3f:5d:02:6a:4d:ec:
                    69:1f:25:28:5c:36:ff:fd:43:15:0a:94:e0:19:b4:
                    cf:df:c2:12:e2:c2:5b:27:ee:27:78:30:8b:5b:2a:
                    09:6b:22:89:53:60:16:2c:c0:68:1d:53:ba:ec:49:
                    f3:9d:61:8c:85:68:09:73:44:5d:7d:a2:54:2b:dd:
                    79:f7:15:cf:35:5d:6c:1c:2b:5c:ce:bc:9c:23:8b:
                    6f:6e:b5:26:d9:36:13:c3:4f:d6:27:ae:b9:32:3b:
                    41:92:2c:e1:c7:cd:77:e8:aa:54:4e:f7:5c:0b:04:
                    87:65:b4:43:18:a8:b2:e0:6d:19:77:ec:5a:24:fa:
                    48:03
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            1.3.6.1.4.1.311.21.1: 
                ...
            X509v3 Subject Key Identifier: 
                A9:29:02:39:8E:16:C4:97:78:CD:90:F9:9E:4F:9A:E1:7C:55:AF:53
            1.3.6.1.4.1.311.20.2: 
                .
.S.u.b.C.A
            X509v3 Key Usage: 
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Authority Key Identifier: 
                D5:F6:56:CB:8F:E8:A2:5C:62:68:D1:3D:94:90:5B:D7:CE:9A:18:C4
            X509v3 CRL Distribution Points: 
                Full Name:
                  URI:http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
            Authority Information Access: 
                CA Issuers - URI:http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        14:fc:7c:71:51:a5:79:c2:6e:b2:ef:39:3e:bc:3c:52:0f:6e:
        2b:3f:10:13:73:fe:a8:68:d0:48:a6:34:4d:8a:96:05:26:ee:
        31:46:90:61:79:d6:ff:38:2e:45:6b:f4:c0:e5:28:b8:da:1d:
        8f:8a:db:09:d7:1a:c7:4c:0a:36:66:6a:8c:ec:1b:d7:04:90:
        a8:18:17:a4:9b:b9:e2:40:32:36:76:c4:c1:5a:c6:bf:e4:04:
        c0:ea:16:d3:ac:c3:68:ef:62:ac:dd:54:6c:50:30:58:a6:eb:
        7c:fe:94:a7:4e:8e:f4:ec:7c:86:73:57:c2:52:21:73:34:5a:
        f3:a3:8a:56:c8:04:da:07:09:ed:f8:8b:e3:ce:f4:7e:8e:ae:
        f0:f6:0b:8a:08:fb:3f:c9:1d:72:7f:53:b8:eb:be:63:e0:e3:
        3d:31:65:b0:81:e5:f2:ac:cd:16:a4:9f:3d:a8:b1:9b:c2:42:
        d0:90:84:5f:54:1d:ff:89:ea:ba:1d:47:90:6f:b0:73:4e:41:
        9f:40:9f:5f:e5:a1:2a:b2:11:91:73:8a:21:28:f0:ce:de:73:
        39:5f:3e:ab:5c:60:ec:df:03:10:a8:d3:09:e9:f4:f6:96:85:
        b6:7f:51:88:66:47:19:8d:a2:b0:12:3d:81:2a:68:05:77:bb:
        91:4c:62:7b:b6:c1:07:c7:ba:7a:87:34:03:0e:4b:62:7a:99:
        e9:ca:fc:ce:4a:37:c9:2d:a4:57:7c:1c:fe:3d:dc:b8:0f:5a:
        fa:d6:c4:b3:02:85:02:3a:ea:b3:d9:6e:e4:69:21:37:de:81:
        d1:f6:75:19:05:67:d3:93:57:5e:29:1b:39:c8:ee:2d:e1:cd:
        e4:45:73:5b:d0:d2:ce:7a:ab:16:19:82:46:58:d0:5e:9d:81:
        b3:67:af:6c:35:f2:bc:e5:3f:24:e2:35:a2:0a:75:06:f6:18:
        56:99:d4:78:2c:d1:05:1b:eb:d0:88:01:9d:aa:10:f1:05:df:
        ba:7e:2c:63:b7:06:9b:23:21:c4:f9:78:6c:e2:58:17:06:36:
        2b:91:12:03:cc:a4:d9:f2:2d:ba:f9:94:9d:40:ed:18:45:f1:
        ce:8a:5c:6b:3e:ab:03:d3:70:18:2a:0a:6a:e0:5f:47:d1:d5:
        63:0a:32:f2:af:d7:36:1f:2a:70:5a:e5:42:59:08:71:4b:57:
        ba:7e:83:81:f0:21:3c:f4:1c:c1:c5:b9:90:93:0e:88:45:93:
        86:e9:b1:20:99:be:98:cb:c5:95:a4:5d:62:d6:a0:63:08:20:
        bd:75:10:77:7d:3d:f3:45:b9:9f:97:9f:cb:57:80:6f:33:a9:
        04:cf:77:a4:62:1c:59:7e

[key 4]
Owner: e58e05e2-5c43-4ef7-880b-3f06734eb36f
SHA1 Fingerprint: 4a:9c:f1:d4:94:7b:8c:df:24:06:91:cf:fc:c9:a6:63:7e:ca:4c:d0
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            34:cc:1b:4e:f3:3d:fd:96:48:bb:8c:a6:8e:67:1d:78
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=GIGABYTE
        Validity
            Not Before: Sep 30 01:55:16 2022 GMT
            Not After : Sep 30 01:55:15 2027 GMT
        Subject: CN=GIGABYTE
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c1:21:24:5c:03:a6:80:db:08:fb:35:2a:47:d7:
                    f7:9a:7b:c8:6d:dd:61:e3:c9:e5:29:dc:03:b3:5e:
                    1f:b6:c5:1c:93:c8:d2:8c:db:c5:9c:b0:90:00:9c:
                    73:31:b7:8c:a8:62:6e:76:48:d4:32:4d:02:b3:b7:
                    04:35:e2:f8:d5:26:4a:13:7d:6c:71:79:a1:00:9b:
                    16:cd:33:0e:37:3a:e2:6b:69:5c:88:2a:20:aa:10:
                    36:d2:e0:e5:57:15:67:bf:9a:32:88:4d:db:9f:6b:
                    5b:57:f3:20:c9:93:0d:54:20:38:8f:f6:23:4a:af:
                    07:1f:4b:ed:7c:6f:dc:d4:01:7e:39:e5:7a:74:f4:
                    53:3d:3d:b8:c5:7a:5b:91:e7:65:23:cd:77:fd:1c:
                    32:93:53:ca:6c:2f:1e:47:5c:c1:42:87:58:29:ae:
                    77:d2:95:5e:fd:87:9f:be:9a:ac:fc:b5:dc:e3:d8:
                    6f:39:f0:b5:4c:5b:cd:94:6e:11:61:86:77:96:8a:
                    d6:f7:ca:08:18:0b:14:4d:4c:6d:e3:68:6a:c4:d4:
                    48:9a:10:6d:c8:9b:a6:80:59:fc:c8:61:6f:d4:18:
                    25:2b:8c:94:e2:f9:98:39:cc:67:ba:9e:a1:84:45:
                    3b:76:62:de:68:22:17:33:af:f9:d4:fb:44:9e:1b:
                    9f:6d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            2.5.29.1: 
                0;..kJ..@;}1."B..p....0.1.0...U....GIGABYTE..b..!&...LK?....a
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        0f:28:db:0b:bd:7d:1f:87:95:67:1d:b3:10:1f:93:01:cc:d2:
        a5:0e:03:66:32:1e:3b:1a:d4:5f:be:c5:33:16:d1:cb:68:1e:
        b4:df:35:a5:04:53:5a:3f:79:3b:b5:4d:88:c4:60:57:5e:a6:
        c1:88:41:76:c8:20:69:22:9d:c7:09:73:e2:bf:43:6e:04:f7:
        3a:2e:fe:78:66:7f:5b:30:99:c1:fc:15:ee:ce:cb:7c:49:94:
        b8:9c:54:cb:17:51:e4:92:4c:56:6b:6c:fc:16:21:87:0a:4b:
        7c:3b:dd:f6:d9:03:37:ff:12:e3:f5:8f:36:02:c5:e1:fb:42:
        56:62:36:3b:ff:fe:ec:c8:09:79:0a:4c:b7:49:2c:40:5c:db:
        1a:cc:65:81:6b:4a:e7:d9:6f:c5:c5:1f:6e:f2:db:1e:a1:f9:
        16:13:37:33:f0:58:11:8a:40:cb:88:43:f7:fd:fe:7a:74:40:
        fb:07:b3:21:70:09:17:0b:99:35:18:2d:07:41:88:f1:ec:a1:
        49:b7:82:78:b6:52:e1:8d:29:e5:7f:c6:a9:27:7f:b4:f2:bf:
        bc:ff:1a:0c:e4:72:15:58:e9:7a:9b:49:4a:bb:f0:a8:9d:69:
        d1:5f:2a:45:24:d2:c8:90:ba:c9:70:cb:92:87:96:53:eb:19:
        67:60:f9:b7:0a:d3:45:a5:59:5f:5f:8e:ec:ac:37:4e:d9:5e:
        fa:4b:0c:38:1d:89:58:d6:a8:d5:04:21:85:a9:be:92:73:b9:
        c8:ad:4d:6d:a6:de:62:7b:f0:c8:e9:74:d2:34:ab:5a:e0:16:
        88:c5:6f:20:7e:fa:62:d5:59:e1:05:aa:91:3f:15:89:dc:82:
        87:74:48:11:bc:b8:b3:68:5d:ec:a3:db:eb:60:f6:da:64:6b:
        fa:99:1c:59:37:8b:51:49:ea:07:46:d5:0a:c5:c6:75:e3:6d:
        a2:7e:9e:12:95:e0:23:8f:03:5f:21:a2:3d:79:ec:15:98:c0:
        ba:b0:8a:36:8d:ef:48:eb:e9:ca:e8:51:0d:99:d0:b3:b5:b1:
        d2:24:47:40:22:f9:d6:cf:fd:19:ae:2d:e5:c3:07:de:b3:28:
        31:b0:a4:97:23:2c:95:b4:c1:1b:0a:6c:d6:b1:bf:63:f7:b4:
        37:b5:19:1d:d3:63:d4:af:54:e7:3f:20:7c:ad:00:be:41:c0:
        bd:66:e9:de:e4:79:c2:b7:f0:6c:33:f9:de:29:6a:8c:f7:03:
        71:a9:62:cd:20:8b:3b:b5:42:73:41:ba:05:9f:c4:16:4b:53:
        ce:00:c4:a0:55:20:47:f2:80:c3:a8:42:00:b9:22:d1:78:82:
        72:90:1c:8e:53:62:30:f8

[key 5]
Owner: e58e05e2-5c43-4ef7-880b-3f06734eb36f
SHA1 Fingerprint: 09:3f:ce:c2:c9:aa:a7:82:37:62:10:dc:e3:fc:dc:da:ec:fb:a2:5e
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
             (Negative)77:75:9b:f8:5a:e4:c5:67:b6:2d:71:d6:f3:d2:4d:a4
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=GIGABYTE
        Validity
            Not Before: Sep  5 06:42:23 2023 GMT
            Not After : Sep  5 06:42:22 2053 GMT
        Subject: CN=GIGABYTE
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:d3:85:69:b1:88:ba:89:21:f9:9b:05:82:ae:b4:
                    ff:48:f5:28:a7:55:49:18:4a:ee:63:e6:43:e8:69:
                    8d:6e:5e:1a:7f:df:cc:7b:1b:54:67:f2:2c:3d:ef:
                    10:54:8b:92:7a:ed:df:e4:7e:66:6e:67:88:66:94:
                    30:6e:60:75:61:52:86:58:e9:6e:fe:b3:37:f9:ef:
                    f5:eb:3c:c6:05:a1:dc:60:bc:05:50:e5:86:ca:56:
                    be:66:b7:83:bb:e5:0f:4c:c4:57:5c:9c:78:07:00:
                    79:49:ac:6e:56:6e:df:9c:d0:8a:0e:e2:23:2f:b8:
                    db:0e:77:cb:73:50:8f:98:bd:2d:2c:7d:ea:7e:9b:
                    7d:71:ec:03:90:83:97:d1:91:97:91:99:5b:31:5d:
                    83:86:87:43:57:1c:21:a6:2c:1f:82:27:82:ab:cd:
                    25:5a:b3:15:f3:c0:f9:cd:78:64:5c:24:71:20:bb:
                    1d:48:02:22:35:43:91:38:24:d6:11:5c:92:1e:76:
                    17:ca:07:8c:2e:50:db:6a:e0:b4:4c:ee:ed:56:76:
                    10:47:a4:e2:8c:0f:dd:f8:72:11:bf:f5:21:c0:0e:
                    28:ee:b9:d3:88:32:20:cc:ff:df:41:dd:f4:b5:04:
                    6e:a5:e6:c2:02:42:39:9c:27:fe:b7:f7:8c:a8:ed:
                    3b:a3:3d:b3:25:e3:8f:68:01:a1:80:ef:af:5a:5d:
                    ca:7f:8b:c8:55:82:e9:fa:fa:03:95:9b:2c:f2:c1:
                    99:11:65:99:20:98:6a:dd:53:70:c2:a6:f6:82:e5:
                    ec:59:34:a4:c2:1d:d9:a5:31:e5:3d:13:09:9f:7b:
                    21:28:e2:c6:75:bd:71:ef:dc:78:19:3c:00:82:2d:
                    04:47:c5:7d:bd:7f:bb:1d:b5:f2:6b:19:14:de:c3:
                    e2:07:c8:fb:4b:8f:15:86:cd:37:bd:6a:0b:03:e4:
                    9d:37:5e:8c:c1:30:41:ea:37:a8:57:ce:5e:4b:01:
                    45:03:9d:b0:21:9f:e8:5f:be:a4:1b:df:0e:6e:64:
                    e6:89:cf:af:42:1c:de:0a:da:0a:a4:84:44:7e:47:
                    c3:86:71:a5:50:33:79:57:53:58:51:62:66:3b:98:
                    5a:72:50:45:5b:8a:fc:dc:99:f8:82:a0:fd:9d:a9:
                    3e:bd:b3:99:36:3c:2a:a9:c2:f9:94:9d:6c:11:69:
                    d2:ae:5b:f3:60:bf:1c:07:d7:6c:22:60:a0:4d:23:
                    ea:ac:a6:4d:fd:10:6c:fd:0d:db:b5:20:e5:f7:10:
                    2c:5c:31:d2:24:03:e6:0d:f4:93:ca:cc:f9:99:1f:
                    85:e3:41:c2:50:44:aa:80:51:2f:a6:36:34:c0:4c:
                    e0:5b:81
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            2.5.29.1: 
                0;..eKf..Mv.))O....F..0.1.0...U....GIGABYTE....W.i...N.'V-..l
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        d3:fc:01:26:26:03:dd:a4:50:c8:03:b0:6f:26:a2:0f:d8:0d:
        f1:44:fb:60:c8:f6:60:81:71:68:7f:6c:61:ce:5c:6a:f3:cb:
        e7:30:86:07:2e:da:1d:4d:b8:36:87:0f:08:98:5c:0b:0d:67:
        cd:9e:62:26:23:35:51:78:32:d8:1a:a7:5e:24:11:c0:cf:03:
        30:af:54:c2:4d:27:ae:55:c3:da:cc:b4:4f:21:99:b5:8e:28:
        c8:7d:3a:5d:31:b2:2a:c3:63:47:46:88:27:d1:6f:6b:f2:18:
        b9:c9:b5:d2:72:96:f5:5c:df:d5:1b:01:d6:71:05:00:bb:ab:
        59:ac:b1:b4:13:d2:29:2d:f9:dd:20:dc:ff:4f:91:57:29:26:
        c9:56:d7:a0:50:22:3e:cb:59:34:c8:91:a3:ba:81:85:a5:00:
        c7:61:bf:45:38:b1:1c:83:24:af:9c:e7:25:9d:b3:89:5b:ab:
        a5:16:8f:26:96:fd:10:f7:a6:2d:a0:91:5d:40:8b:01:1d:54:
        45:05:2a:e6:02:af:d2:a6:62:4d:a4:34:e5:fc:a8:53:fa:4c:
        b8:80:85:63:b4:f2:27:2e:2e:cb:60:de:bf:94:d1:f6:b2:61:
        18:77:ba:ad:5a:89:5e:f1:76:ea:cd:49:d5:01:c2:6c:65:c1:
        d4:b6:51:bd

I’ve just checked couple of options and RN (as a noob) I have only few ideas. I can disabled safety boot, ignore that or set parameter in mokutil to ignore DB validation. Any of them do not sounds as a perfect solution but from the other side it is what it is…

You can simply ignore these messages. Kernel will not trust these certificates for its own drivers, that’s all. Do you have any kernel module provided and signed by GIGABYTE that fails to load?

1 Like

Educated guess - neither of these certificates defines “Digital Signature” usage and so kernel rejects them for the purpose of digitally signing kernel modules.

I was a bit busy,
I see that it looks different than Microsoft signatures but from the other side it do not tell me anything ^^.
I found some articles and blogs about X.509 certificates and TPM and in my free time I will take a look even if i dont need that kind of knowledge.
Once again thanks for help!

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.