Secure Boot is configured in the UEFI Firmware. It prevents rootkits when a computer starts.
Microsoft's initial certificates were issured in 2011. These will expire in June 2026 and October 2026.
Microsoft's new certifices were issued in 2023, and they will expire in 2038.
To determine if secure boot is enabled:
sudo mokutil --sb-state
To view installed certificates and their expiration dates:
sudo mokutil --kek
and
sudo mokutil --db
You can have both the old and new certificates installed.
Currently all my x86 Linux machines have secrure boot turned off. However, I decided that it was a good idea, to update the certificates anyway. To do this in Linux: