Hi all,
Firstly, I would like to apologize: I don’t understand TPM etc. at all, so some of the things here may sound stupid.
I reinstalled openSUSE TW. The point is that now, every time the OS boots, I get this message:
Integrity: Problem loading X.509 certificate -22
Integrity: Problem loading X.509 certificate -22
The system is fully working (I found some similar topics, but in those there was a problem with booting, etc.).
I can “resolve” that problem by removing some of the signing keys from the BIOS. When I do that, then before the system starts booting I get the MOK menu… after that I don’t see that message anymore.
Here is a log where you can see that there is a problem only with 2 keys:
integrity: Loading X.509 certificate: UEFI:db
kernel: integrity: Loaded X.509 cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4'
kernel: integrity: Loading X.509 certificate: UEFI:db
kernel: integrity: Loaded X.509 cert 'Microsoft Corporation: Windows UEFI CA 2023: aefc5fbbbe055d8f8daa585473499417ab5a5272'
kernel: integrity: Loading X.509 certificate: UEFI:db
kernel: integrity: Loaded X.509 cert 'Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53'
⟶kernel: integrity: Loading X.509 certificate: UEFI:db
⟶kernel: integrity: Problem loading X.509 certificate -22
⟶kernel: integrity: Error adding keys to platform keyring UEFI:db
⟶kernel: integrity: Loading X.509 certificate: UEFI:db
⟶kernel: integrity: Problem loading X.509 certificate -22
⟶kernel: integrity: Error adding keys to platform keyring UEFI:db
kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
kernel: integrity: Loaded X.509 cert 'openSUSE Secure Boot CA: 6842600de22c4c477e95be23dfea9513e5971762'
kernel: Loading compiled-in module X.509 certificates
kernel: Loaded X.509 cert 'openSUSE Secure Boot Signkey: fd9f2c12e599d67cc7f9067541adf426b712469e'
IDK if I can ignore that message or if it should be sorted out. On the day I reinstalled the OS I also updated the BIOS, so maybe the latest version of the BIOS has some issue?
I would be grateful for any help, sorry for my language, I hope that everything is understandable.
Linux kernel does not like something in these certificates. It is impossible to say what exactly. Output of
mokutil --list-enrolled
would be interesting.
Hi, thanks for the answer.
Here is the output:
Owner: 605dab50-e046-4300-abb6-3dd810dd8b23
SHA1 Fingerprint: 46:59:83:8c:82:03:fe:15:52:ad:19:e1:86:09:db:21:7e:3a:d2:4f
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=openSUSE Secure Boot CA, C=DE, L=Nuremberg, O=openSUSE Project/emailAddress=build@opensuse.org
Validity
Not Before: Aug 26 16:12:07 2013 GMT
Not After : Jul 22 16:12:07 2035 GMT
Subject: CN=openSUSE Secure Boot CA, C=DE, L=Nuremberg, O=openSUSE Project/emailAddress=build@opensuse.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
68:42:60:0D:E2:2C:4C:47:7E:95:BE:23:DF:EA:95:13:E5:97:17:62
X509v3 Authority Key Identifier:
keyid:68:42:60:0D:E2:2C:4C:47:7E:95:BE:23:DF:EA:95:13:E5:97:17:62
DirName:/CN=openSUSE Secure Boot CA/C=DE/L=Nuremberg/O=openSUSE Project/emailAddress=build@opensuse.org
serial:01
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
Signature Algorithm: sha256WithRSAEncryption
If I delete the 2 GIGABYTE certificates from the BIOS (the last 2 in the photo), then I don’t get any message when the OS is booting. TBH that resolves my problem, but it would be nice to know why the issue exists. (I restored the keys before I gave you the output of mokutil --list-enrolled.) On the other hand, because I don’t know how TPM works, I’m not sure how safe it is to remove any of the keys from the BIOS.
With and without those 2 key certificates the output is the same.
Pierwszy:
the output is the same
Sorry, it should have been
moklist --list-enrolled --db
OK, you identified the incorrect certificates already.
Because these certificates do not comply with Linux kernel requirements. To say anything more, those certificates are needed. Certificates can be extracted in binary form using
mokutil --export --db
Without those certificates the worst thing that can happen - boot time binaries from your manufacturer fail to load if Secure Boot is enabled. I have no idea whether they even exist. I can think about BIOS update for once, or some recovery or diagnostic programs.
You may consider reporting it to the vendor of your motherboard.
Thanks for more information… Now I know (I hope so) what I need to find/read.
I may be wrong, but I think that it should be mokutil --list-enrolled --db (not moklist --list-enrolled --db).
I’m starting to wonder why it was OK when I was using an Nvidia GPU with closed drivers, but with an AMD card I get that message (or maybe I ignored it :F). I need to find time to swap the GPU for the old one to check whether I get that message.
Anyway, thx for help.
[key 1]
Owner: 77fa9abd-0359-4d32-bd60-28f4e78f784b
SHA1 Fingerprint: 46:de:f6:3b:5c:e6:1c:f8:ba:0d:e2:e6:63:9c:10:19:d0:ed:14:f3
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
61:08:d3:c4:00:00:00:00:00:04
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation Third Party Marketplace Root
Validity
Not Before: Jun 27 21:22:45 2011 GMT
Not After : Jun 27 21:32:45 2026 GMT
Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
1.3.6.1.4.1.311.21.1:
.....
1.3.6.1.4.1.311.21.2:
....k..wSJ.%7.N.&{. p.
X509v3 Subject Key Identifier:
13:AD:BF:43:09:BD:82:70:9C:8C:D5:4F:31:6E:D5:22:98:8A:1B:D4
1.3.6.1.4.1.311.20.2:
.
.S.u.b.C.A
X509v3 Key Usage:
Digital Signature, Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Authority Key Identifier:
45:66:52:43:E1:7E:58:11:BF:D6:4E:9E:23:55:08:3B:3A:22:6A:A8
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.microsoft.com/pki/crl/products/MicCorThiParMarRoo_2010-10-05.crl
Authority Information Access:
CA Issuers - URI:http://www.microsoft.com/pki/certs/MicCorThiParMarRoo_2010-10-05.crt
Signature Algorithm: sha256WithRSAEncryption
[key 2]
Owner: 77fa9abd-0359-4d32-bd60-28f4e78f784b
SHA1 Fingerprint: 45:a0:fa:32:60:47:73:c8:24:33:c3:b7:d5:9e:74:66:b3:ac:0c:67
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
33:00:00:00:1a:88:8b:98:00:56:22:84:c1:00:00:00:00:00:1a
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Root Certificate Authority 2010
Validity
Not Before: Jun 13 18:58:29 2023 GMT
Not After : Jun 13 19:08:29 2035 GMT
Subject: C=US, O=Microsoft Corporation, CN=Windows UEFI CA 2023
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
1.3.6.1.4.1.311.21.1:
...
X509v3 Subject Key Identifier:
AE:FC:5F:BB:BE:05:5D:8F:8D:AA:58:54:73:49:94:17:AB:5A:52:72
1.3.6.1.4.1.311.20.2:
.
.S.u.b.C.A
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Authority Key Identifier:
D5:F6:56:CB:8F:E8:A2:5C:62:68:D1:3D:94:90:5B:D7:CE:9A:18:C4
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
Authority Information Access:
CA Issuers - URI:http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
Signature Algorithm: sha256WithRSAEncryption
[key 3]
Owner: 77fa9abd-0359-4d32-bd60-28f4e78f784b
SHA1 Fingerprint: 58:0a:6f:4c:c4:e4:b6:69:b9:eb:dc:1b:2b:3e:08:7b:80:d0:67:8d
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
61:07:76:56:00:00:00:00:00:08
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Root Certificate Authority 2010
Validity
Not Before: Oct 19 18:41:42 2011 GMT
Not After : Oct 19 18:51:42 2026 GMT
Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
1.3.6.1.4.1.311.21.1:
...
X509v3 Subject Key Identifier:
A9:29:02:39:8E:16:C4:97:78:CD:90:F9:9E:4F:9A:E1:7C:55:AF:53
1.3.6.1.4.1.311.20.2:
.
.S.u.b.C.A
X509v3 Key Usage:
Digital Signature, Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Authority Key Identifier:
D5:F6:56:CB:8F:E8:A2:5C:62:68:D1:3D:94:90:5B:D7:CE:9A:18:C4
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
Authority Information Access:
CA Issuers - URI:http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
Signature Algorithm: sha256WithRSAEncryption
[key 4]
Owner: e58e05e2-5c43-4ef7-880b-3f06734eb36f
SHA1 Fingerprint: 4a:9c:f1:d4:94:7b:8c:df:24:06:91:cf:fc:c9:a6:63:7e:ca:4c:d0
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
34:cc:1b:4e:f3:3d:fd:96:48:bb:8c:a6:8e:67:1d:78
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=GIGABYTE
Validity
Not Before: Sep 30 01:55:16 2022 GMT
Not After : Sep 30 01:55:15 2027 GMT
Subject: CN=GIGABYTE
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
2.5.29.1:
0;..kJ..@;}1."B..p....0.1.0...U....GIGABYTE..b..!&...LK?....a
Signature Algorithm: sha256WithRSAEncryption
[key 5]
Owner: e58e05e2-5c43-4ef7-880b-3f06734eb36f
SHA1 Fingerprint: 09:3f:ce:c2:c9:aa:a7:82:37:62:10:dc:e3:fc:dc:da:ec:fb:a2:5e
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
(Negative)77:75:9b:f8:5a:e4:c5:67:b6:2d:71:d6:f3:d2:4d:a4
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=GIGABYTE
Validity
Not Before: Sep 5 06:42:23 2023 GMT
Not After : Sep 5 06:42:22 2053 GMT
Subject: CN=GIGABYTE
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
2.5.29.1:
0;..eKf..Mv.))O....F..0.1.0...U....GIGABYTE....W.i...N.'V-..l
Signature Algorithm: sha256WithRSAEncryption
I’ve just checked a couple of options and RN (as a noob) I have only a few ideas. I can disable safety boot, ignore it, or set a parameter in mokutil to ignore DB validation. None of them sounds like a perfect solution, but on the other hand it is what it is…
You can simply ignore these messages. Kernel will not trust these certificates for its own drivers, that’s all. Do you have any kernel module provided and signed by GIGABYTE that fails to load?
Educated guess - neither of these certificates defines “Digital Signature” usage and so kernel rejects them for the purpose of digitally signing kernel modules.
I was a bit busy,
I see that it looks different from the Microsoft signatures, but on the other hand it does not tell me anything ^^.
I found some articles and blogs about X.509 certificates and TPM, and in my free time I will take a look, even if I don’t need that kind of knowledge.
Once again thanks for help!
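An added example, not part of the original thread: a small Python parser for the kernel `integrity:` lines quoted in the first post, pairing each `Loading X.509 certificate` line with its outcome so the rejected `db` entries can be identified by position. The function names are made up for this example, and it assumes, as the log and the `--db` listing in this thread suggest, that the kernel walks `db` in the same order in which `mokutil` numbers its `[key N]` entries.

```python
import errno
import re

# Kernel lines copied from the boot log in the first post (the poster's
# arrow markers are dropped; they are not part of the kernel output).
SAMPLE_LOG = """\
integrity: Loading X.509 certificate: UEFI:db
kernel: integrity: Loaded X.509 cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4'
kernel: integrity: Loading X.509 certificate: UEFI:db
kernel: integrity: Loaded X.509 cert 'Microsoft Corporation: Windows UEFI CA 2023: aefc5fbbbe055d8f8daa585473499417ab5a5272'
kernel: integrity: Loading X.509 certificate: UEFI:db
kernel: integrity: Loaded X.509 cert 'Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53'
kernel: integrity: Loading X.509 certificate: UEFI:db
kernel: integrity: Problem loading X.509 certificate -22
kernel: integrity: Error adding keys to platform keyring UEFI:db
kernel: integrity: Loading X.509 certificate: UEFI:db
kernel: integrity: Problem loading X.509 certificate -22
kernel: integrity: Error adding keys to platform keyring UEFI:db
kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
kernel: integrity: Loaded X.509 cert 'openSUSE Secure Boot CA: 6842600de22c4c477e95be23dfea9513e5971762'
kernel: Loading compiled-in module X.509 certificates
kernel: Loaded X.509 cert 'openSUSE Secure Boot Signkey: fd9f2c12e599d67cc7f9067541adf426b712469e'
"""

# Only the platform-keyring ("integrity:") messages are matched; the
# compiled-in module certificates at the end are deliberately ignored.
LOADING = re.compile(r"integrity: Loading X\.509 certificate: (\S+)")
LOADED = re.compile(r"integrity: Loaded X\.509 cert '(.+): ([0-9a-f]+)'")
PROBLEM = re.compile(r"integrity: Problem loading X\.509 certificate (-?\d+)")


def correlate(log_text):
    """Return one dict per 'Loading' line: source, 1-based index, outcome."""
    entries = []
    position = {}      # per-source counter (UEFI:db, UEFI:MokListRT, ...)
    current = None
    for line in log_text.splitlines():
        m = LOADING.search(line)
        if m:
            source = m.group(1)
            position[source] = position.get(source, 0) + 1
            current = {"source": source, "index": position[source],
                       "status": "unknown", "detail": None}
            entries.append(current)
            continue
        if current is None or current["status"] != "unknown":
            continue
        m = LOADED.search(line)
        if m:
            current["status"] = "loaded"
            current["detail"] = m.group(1)          # certificate name
            continue
        m = PROBLEM.search(line)
        if m:
            code = abs(int(m.group(1)))             # kernel prints -errno
            current["status"] = "rejected"
            current["detail"] = errno.errorcode.get(code, str(code))
    return entries


def rejected(log_text):
    """(source, index, errno name) for every certificate the kernel refused."""
    return [(e["source"], e["index"], e["detail"])
            for e in correlate(log_text) if e["status"] == "rejected"]


if __name__ == "__main__":
    for source, index, err in rejected(SAMPLE_LOG):
        print(f"{source} entry {index} rejected with {err}")
```

On a live system the same functions can be fed the text of `journalctl -k -b` instead of the embedded sample.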