It is not a new key; the kernel RPM unconditionally calls “mokutil --import” in postinstall. mokutil checks whether the certificate is already present and, if not, submits an enrollment request.
the previous two attempts I just skipped them
So the key was not present and mokutil repeated the enrollment request again and again.
and could still boot with secure boot enabled
Because the file that is verified by the firmware (the actual initial bootloader) is signed with a different key, and this key is embedded in the firmware of almost every system out there. And the initial bootloader embeds the kernel signing key. The key that you enrolled is not needed as long as both the initial bootloader and the kernel come from SUSE.
What do these new keys sign?
They sign the kernel binary (vmlinuz UEFI signature) and kernel modules.
Especially since I discovered that an efi binary with two signatures won’t boot, you have to remove the first and then sign it for it to work.
This was a bug in specific versions of the firmware of a specific vendor. To the best of my knowledge, it should have been fixed by the vendor in the meantime. There are no restrictions in the UEFI specification itself, which quite explicitly talks about a “list of certificates”.
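An added example, not part of the reply above: a signed EFI binary keeps its signatures in the PE attribute certificate table as a sequence of `WIN_CERTIFICATE` entries, so carrying more than one is ordinary at the file-format level. The sketch below walks that table, going somewhat beyond the two-signature case in the post. `build_sample` is a hypothetical helper that constructs a header-only image with placeholder blobs instead of real PKCS#7 data.

```python
import struct

WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # Authenticode PKCS#7 SignedData

def list_signatures(pe: bytes):
    """Return (file_offset, length, revision, cert_type) per WIN_CERTIFICATE entry."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a PE image")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                        # skip PE signature and COFF header
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic not in (0x10B, 0x20B):                # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)   # start of the data directories
    (ndirs,) = struct.unpack_from("<I", pe, dirs - 4)
    if ndirs < 5:
        return []                                  # no certificate table slot
    # Directory 4 is the certificate table; its address field is a file offset, not an RVA.
    pos, size = struct.unpack_from("<II", pe, dirs + 4 * 8)
    end = pos + size
    if end > len(pe):
        raise ValueError("certificate table runs past end of file")
    entries = []
    while pos + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", pe, pos)
        if length < 8 or pos + length > end:
            raise ValueError("corrupt WIN_CERTIFICATE entry")
        entries.append((pos, length, revision, cert_type))
        pos += (length + 7) & ~7                   # each entry starts on an 8-byte boundary
    return entries

def build_sample(blobs):
    """Constructed PE32+ header plus certificate table; placeholder blobs, not bootable."""
    table = b""
    for blob in blobs:
        entry = struct.pack("<IHH", 8 + len(blob), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
        table += entry + b"\0" * (-len(entry) % 8)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)    # e_lfanew = 0x40
    opt = bytearray(112 + 16 * 8)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)                    # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 4 * 8, 0x40 + 24 + len(opt), len(table))
    return dos + b"PE\0\0" + b"\0" * 20 + bytes(opt) + table

if __name__ == "__main__":
    for off, length, rev, ctype in list_signatures(build_sample([b"A" * 13, b"B" * 8])):
        print(f"signature at {off:#x}: {length} bytes, revision {rev:#06x}, type {ctype:#06x}")
```

Run against a real image by passing the file's bytes to `list_signatures`; an unsigned binary yields an empty list.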