Category: Certificaten

Certificaten

Mitigating Secure Boot Risks in 2026: A Comprehensive Guide

In June 2026 Secure boot certs start to going to expire for physical en virtual machines Servers en Clients. PS not only Windows but also Linux!!

PS. Make sure Client en Servers all installed with latest updates!!

Made a little Risk Assessment:

The expiration and replacement of Microsoft Secure Boot certificates pose a high risk to IT environments. If not properly managed, systems may fail to boot, updates may fail, and security risks may increase. This is particularly critical in automated and virtualized environments.

Key risks:

 Systems failing to boot after updates
 Incompatibility during OS or hypervisor upgrades
 Increased security risks due to outdated certificates

Recommended actions:

1.Update firmware and Secure Boot certificates
2.Test all workloads in a lab environment
3.Update golden images and automation pipelines

A phased rollout and proper validation are essential to prevent disruptions.

1. Scope

This document describes the risks, impact, and mitigations related to the expiration of Microsoft Secure Boot certificates in enterprise environments.

2. Affected Components

 Systems with UEFI firmware (Servers, Desktops, Virtual Machines)
 Microsoft UEFI CA certificates
 Operating Systems (Servers, Clients) (Windows, Linux)
 Automation tools like (Packer, MDT, SCCM)

3. Risk Analysis

Key risks:

 Incompatibility during upgrades
 Security vulnerabilities caused by outdated trust stores
 Errors in automation pipelines
 Firmware incompatibility

4. Risk Matrix

 Upgrade Issues: High
 Security Exposure: High
 Automation Failures: Medium
 Firmware Issues: High

5. Mitigations

 Update firmware on all systems
 Apply Microsoft Secure Boot updates
 Verify Event ID 1808
 Rebuild images with updated certificates
 Perform a phased rollout

6. Validation & Testing

 Test OS boot scenarios
 Validate Secure Boot status
 Verify automation pipelines

7. Conclusion

Changes to Secure Boot certificates must be treated as critical infrastructure updates. Proper preparation, testing, and phased implementation are essential to avoid disruptions.

.Microsoft has released patch’s for the following OS.

Windows 11 (23H2/24H2/25H2)
Windows Server 2016/2019/2022/2025.

VMware is creating a “Fix or Update” for this

* I did not test versions with extended support like Windows 2012 R2 and Windows 10.

Simplified Fix Secure Boot Script for Easy VM Updates

Get your list with:
Get-VM | Where-Object { $_.ExtensionData.Config.Firmware -eq “efi” -and

$_.ExtensionData.Config.BootOptions.EfiSecureBootEnabled } | Select-Object Name,

   @{N=”OS”;E={$_.ExtensionData.Guest.GuestFullName}},  PowerState

There is a updated coming from VMware by Broadcom: Check this article:     @{N=”OS”;E={$_.ExtensionData.Guest.GuestFullName}},  PowerState

https://knowledge.broadcom.com/external/article/423893

Extra Info

Microsoft Info:

I hope that most People have Read: Windows Secure Boot certificate expiration and CA updates

and Secure Boot playbook for certificates expiring in 2026

Redhat:
Secure Boot Certificate Changes in 2026: Guidance for RHEL Environments

Broadcom:
Secure Boot Certificate Expirations and Update Failures in VMware Virtual Machines

Manual Update of the Secure Boot Platform Key in Virtual Machines





Simplified Fix Secure Boot Script for Easy VM Updates

I recently created 3 version of a FixSecureBoot script — a lightweight alternative inspired by the excellent work of haz-ard-9, the author of FixSecureBootBulk.ps1. Their script is powerful and absolutely the right choice if you rely on BitLocker or need a fully automated, safety‑first workflow.

However, at roughly 3,000 lines of code, the original script is understandably complex. It includes many checks and safeguards, which are great for production environments but made it harder for me to fully understand what was happening under the hood. I wanted something simpler, easier to read, and tailored to my own workflow.

So I took the time to study the original script, copied only the parts I needed, and built a much more compact version that gives me exactly the result I want — which show the verification step that every thing is correct updated.

What My Script Does

Here’s the full sequence of actions my simplified script performs:

1.Shuts down the VM
2.Creates a snapshot
3.Enables UEFI Setup Mode
4.Clears VMRAM (for older VMs)
5.Upgrades virtual hardware if the VM is below version 21 (vSphere 8)
6.Starts the VM and waits for VMware Tools
7.Checks that the guest OS is fully online
8.Downloads the required certificates (only once)
9.Uploads the two certificates to the VM if not exist
10.Installs the new boot certificates
11.Shuts down the VM and clears Setup Mode
12.Boots the VM and sets AvailableUpdates to 0x5944 (certs ready for install)
13.Reboots until AvailableUpdates becomes 0x4100 (may require multiple reboots)
14.Reboots and runs Secure-Boot-Update again
15.Reboots and runs Secure-Boot-Update again, then checks for Event ID 1808 (if found, everything is good)

I’ve tested this workflow successfully on:

 Windows 11 (23H2, 24H2, 25H2)
 Windows Server 2016, 2019, 2022, and 2025

Downloads
** link the links for downloading the original files from Microsoft Github page.

WindowsOEMDevicesPK.der
microsoft corporation kek 2k ca 2023.der

Rename microsoft corporation kek 2k ca 2023.der to kek2023.der

.

Current Limitation: Packer Integration

CLEAN PACKER BUILD IS NOT SAFE!! AFTER THE BUILD YOU NEED TO RUN FIX SECURE BOOT!!

I don’t yet have a complete fix for integrating this into a full Packer build. For now, I simply pre‑stage the certificates:

Build file:

provisioner “file” {

source = “./setup/SecurebootCert/”

destination = “C:/Windows/Temp”

}

I have build three versions:

Fix_Secure_Boot_Manual.ps1
Fix_Secure_Boot_Single.ps1
Fix_Secure_Boot_Multi.ps1

If you want a script that’s easier to read, easier to modify, and still gets the job done (as long as you’re not using BitLocker), this simplified version might be exactly what you need.

Let me know if you want me to share the script itself or write a follow‑up post about how it works internally.
.

.

Template Check if al ready Updated

If VM check if al ready updated

.

Run Script full from Template
.

Pages: Page 1, Page 2

Windows Server Hybrid Administrator Associate certification

Microsoft announced the addition of the Windows Server Hybrid Administrator Associate certification to our portfolio, to be released in early December 2021. This new certification validates the skills of administrators working in hybrid environments.

Administrators in this role support their teams and organizations using Windows Server—both in the cloud and on-premises/

The Windows Server Hybrid Administrator Associate certification

You’ll need to pass two exams to earn this certification. These exams, Exam AZ-800 (beta): Administering Windows Server Hybrid Core Infrastructure and Exam AZ-801 (beta): Configuring Windows Server Hybrid Advanced Services, will be available in early December 2021.

Migrate a certificate authority from Windows 2008 R2 to Windows 2012

Today I was moving my testlab enterprise root CA from a Windows 2008 r2 server to a new Windows 2012 with a different server name. To accomplish this, I used this excellent Technet Post . I encountered no problems!

Create Internal Wildcard Certificate

I created I internal wildcart Certificate. This i ideal when you want do some testing and you not any certificate from a Third-Party.

You must have a internal CA Winking smile

Open IIS

Go to Server Certificates

Choise Create Domain Certificate

image

image

image

Now you can export this Certificate Smile.

Very handy when you want to test Exchange 2013 & TMG or any other product.

Create a Self-Signed Certificate using SSL Diagnostics Tool

Handige tooltje om snel en simpel een Self-Signed Certificate te maken: SSL Diagnostics . Download setup.exe
http://www.microsoft.com/downloads/details.aspx?familyid=CABEA1D0-5A10-41BC-83D4-06C814265282&displaylang=en

Installeer het tooltje en start het programmatje op. In het hoofd scherm van SSL Diagnostics, rechter muis knop op Website naam (IIS moet wel draaien) (Te zien bij W3SVC/<site naam>), en klik op Create New Cert.

clip_image002

Handige Trukjes van Makecert.exe om te weten

Creating X.509 Certificates using makecert.exe

Creating x.509  certificates is a very common task. Unfortunately the knowledge how to do it is quite rare. If you want a certificate that the whole world would trust you need to buy one, but if you need it for your own use you can create it using a tool called MakeCert.exe

After downloading the tool you have to perform the following procedure:

Creating a Root Certificate Authority

makecert.exe -n "CN=My Root CA,O=Organization,OU=Org Unit,L=San Diego,S=CA,C=US" -pe -ss my -sr LocalMachine -sky exchange -m 96 -a sha1 -len 2048 -r My_Root_CA.cer

Import Root Certificate Authority Certificate into Trusted Root Store

certutil.exe -f -addstore Root My_Root_CA.cer

Create Backup (Export) PFX file of Root Certificate Authority Certificate

certutil.exe -privatekey -exportpfx "My Root CA" My_Root_CA.pfx

Create a Server Certificate issued from the previously created Certificate Authority

makecert.exe -n "CN=Server" -pe -ss my -sr LocalMachine -sky exchange -m 96 -in "My Root CA" -is my -ir LocalMachine -a sha1 -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 Server.cer

Create Backup (Export) PFX file of Server Certificate

certutil.exe -privatekey -exportpfx "Server" Server.pfx

Create a Computer certificate issued from the previously created Certificate Authority

makecert.exe -n "CN=Computer" -pe -ss my -sr Localmachine -sky exchange -m 96 -in "My Root CA" -is my -ir LocalMachine -a sha1 -eku 1.3.6.1.5.5.7.3.2 Computer.cer

Create Backup (Export) PFX file of Computer Certificate

certutil.exe -privatekey -exportpfx "Computer" Computer.pfx

OID Reference

Encrypting File System (1.3.6.1.4.1.311.10.3.4)

Secure Email (1.3.6.1.5.5.7.3.4)

Smart Card Logon (1.3.6.1.4.1.311.20.2.2)

Client Authentication (1.3.6.1.5.5.7.3.2)

Server Authentication (1.3.6.1.5.5.7.3.1)

IP security IKE intermediate (1.3.6.1.5.5.8.2.2)

Creating a Self-Signed SSL Certificate met MakeCert.exe

Waar vind je certificaten op je PC

Ik begin even met de basis Als u toepassingen gaat ontwikkelen die certificaten vereisen, zult u moeten weten waar de certificaten worden opgeslagen, evenals hoe te om de beheersinterface te navigeren. Er is een MMC (Microsoft Management Console) op elke pc aanwezig. Vanuit deze management console kunt u certificaten beheren. Certificaten kunnen opgeslagen worden worden onder Gebruikers Account of op de lokale Machine Opslag.

Voer de volgende stappen uit om Certificaten te laden uit de lokale computer account. Certificaten Management Console Openen.

1. Start à Uitvoeren

2. MMC

3. Bestand à Module Toevoegen / Verwijderen

4. Toevoegen

5. Certificaten

6. Computeraccount

7. De lokale PC waar deze wordt op uitgevoerd. à Voltooien

8. Sluiten à Ok
clip_image002

Je kunt de certificaten management console opslaan. Dit doe je op de volgende manier.
Bestand à Opslaan Als à Noem het certificaten.msc.

Sla het bestand bijvoorbeeld op je Desktop.

Als je Certificaten uit klikt (Lokale Gebruiker, Lokale Computer). Dan zie je certificaten opslagen

Personal. Here you store certificates for which you have the associated private key.

Trusted Root Certification Authorities. This store lists the Third-Party Root Certification Authorities (Thawte, Verisign, etc.), Microsoft root certificates, and your own root certificates for self-signed certificates.

Trusted People. Here you place your trusted certificates (you must also trust the entire chain of certificates).

Hoe kan ik mijn eigen test ssl certificaten aan maken voor websites of voor overige web diensten om het te beveiliging.

Dit is de meest gevraagde vraag die ik heb gehoord. Het is niet altijd gemakkelijk om een beknopte lijst van stappen te vinden om voor het creëren van certificaten te volgen. Er zijn drie populaire benaderingen van het produceren van certificaten voor testende doeleinden:

1.     Vraag een testcertificaat bij een certificaatgezag (CA), zoals Verisign. Deze zijn meestal 90 dagen geldig.

2.     Verstrek CA. uw eigen certificaten van uw Server 2003 Certificaat Server.
http://www.petri.co.il/install_windows_server_2003_ca.htm
http://www.petri.co.il/obtain_digital_certificate_from_online_ca.htm

3.     Produceer certificaten gebruikend makecert.exe.
4. Maak een Self-Signed Certificate gebruik makend van de SSL Diagnostics Tool

Het makkelijkste is makecert.exe te gebruiken. Dit hulpmiddel wordt geïnstalleerd tijdens de installatie van .NET Framework SDK (2.0 en 3.0 beide bevat makecert.exe).

MSDN verteld hoe u certificaat kunt maken (zie http://msdn2.microsoft.com/en-us/library/bfsktky3.aspx).


Het creëren van een SSL Certificaat

Om een Self-Signed SSL Certificate te creëren kunt u het volgende commando makecert.exe gebruiken.

makecert -r -pe -n "CN=www.wardvissers.nl" -b 01/01/2000 -e 01/12/2036 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 c:localhost.cer

The subject name “localhost” makes it possible to browse without errors to http://localhost or any path relative to it. The subject name of the SSL certificate must match the domain or machine name used in the path to access the site. If you used your machine name to browse to Web sites on your machine, for example http://idesign/, you’d create the certificate with the subject name “CN=idesign”. Best use is enter de FQDN like: webmail.wardvissers.nl


makecert.exe opties

Hier onder staat een lijst met opties om een goede Self-Signed SSL Certificaten te maken.


Option

Description

-n certName

The subject name for the certificate. This is a distinguished name following the X.500 specification. It can be as simple as “CN=localhost” or include a richer description of the subject with “CN=localhost, O=IDesign, OU=Architecture, E=mlb@idesign.net”.

-pe

This allows the private key to be exported after generating it. It is a good idea to generate the private key pair and export the certificate to apply password protection, even if it is a test certificate.

-sr

Certificate store location where the key will be generated. It doesn’t matter which store you choose, because you will likely export the key pair, password protect it, and then import it to the correct store for use. Values can be currentuser or localmachine.

-ss

Which logical store will the certificate be installed in? Specify “My” here; this will place it in the Personal logical store.

-sp

The cryptography provider to use. A list of possible providers can be found here: http://windowssdk.msdn.microsoft.com/en-us/library/ms731160.aspx. The “Microsoft RSA SChannel Cryptographic Provider” is not subject to government restrictions for usage.

-sy

Cryptography provider type; an integer representative of the provider setting for the -sp option. Use the value 12 for the “Microsoft RSA SChannel Cryptographic Provider”.

-r

Indicates a self-signed certificate.

-sky certType

Can be signature or exchange. Use exchange for SSL and secure messaging.



Het uitvoeren van het Certificaat

De bedoeling is om .pfx (Certificaat + Wachtwoord) en een cer op te slaan voor later gebruik.

De .cer heb je al opgeslagen tijdens het aanmaken van het certificaat.
Via de Certificaten console kun je .pfx bestand exporteren.

Hoe je dat doet zie je hieronder:

RechterMuis op het Certificaat en dan Alle Taken à Exporteren

clip_image004
clip_image006

clip_image008

clip_image010

clip_image012

clip_image014

clip_image016
clip_image018
Voorbeeldje van de melding die je krijgt.

clip_image019

Translate »