For most computer users, the words "cryptographic certificate" trigger about as much urgency as a terms-of-service update. But this month, a 15-year-old security keystone built into virtually every Windows and Linux machine is reaching the end of its life — and ignoring it could quietly leave your system's deepest defenses in the dark.
Starting June 24, three Microsoft-signed certificates that underpin Secure Boot will expire. Secure Boot is a UEFI firmware trust chain that verifies the digital signature of every component loaded during system startup, from firmware to the operating system. It runs before Windows even starts loading, checking that the boot loader and early boot components have been signed by a trusted party. Think of it as a bouncer at the door of your PC — one whose license is about to lapse.
The stakes are higher than they might seem, because Secure Boot exists specifically to stop one of the nastiest threats in modern computing: bootkits. UEFI bootkits are a form of malware that alters the Unified Extensible Firmware Interface before the OS and most other code even load, which makes them extremely difficult to detect. Once installed, they typically steal credentials, backdoor the system, or perform other malicious actions, and they survive OS reinstallations. The history of these threats stretches back decades, with real-world attacks like the Kremlin-linked LoJax malware demonstrating just how devastating a boot-level compromise can be.
The fix itself is not dramatic for most users. Microsoft has begun rolling out new 2023 certificates to replace the expiring 2011 ones, and many Windows PCs manufactured since 2024 already have the updated certificates in place. For most home users, this transition happens silently in the background through normal cumulative updates, and the April 2026 Windows update added Secure Boot status information under Device Security so users can confirm the new certificates have been applied. For Linux users, Red Hat has released new versions of the shim bootloader signed with both the 2011 and 2023 keys for all supported RHEL versions, and other major distributions like Ubuntu, Fedora, and Debian have published similar updates to their shim packages.
The concern is not that machines will suddenly refuse to boot on June 24th. Microsoft has clarified that June 24 is not a hard stop for Secure Boot functionality — devices will continue functioning even if they haven't completed the certificate update before the expiration date. The expiration only impacts the ability to sign new binaries, not booting from existing ones. The real risk is subtler: systems that never make the transition will slowly fall behind on future boot-level protections as Microsoft continues to respond to new threats. Older PCs with outdated firmware that cannot receive an update to their Secure Boot database may need to be replaced before the deadline, or formally accepted as an exception with compensating controls. For home users, the message is simple: keep Windows updated, check Device Security for a green checkmark, and let the system do the rest. For Linux administrators and IT teams managing enterprise fleets, a bit more manual attention — and some careful timing around firmware updates — will go a long way toward keeping the bootloader bouncer on the job.
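For the manual check on Linux mentioned above, here is an added example (not from the article or from any vendor tool) that parses the Secure Boot `db` variable and lists which certificate generation is enrolled. It assumes the Linux efivarfs path shown in the code and that the year at the end of each certificate's subject common name marks the 2011 or 2023 generation; the function names are the example's own.

```python
import struct
import uuid

EFI_CERT_X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072").bytes_le  # per UEFI spec
DB_PATH = "/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f"  # Linux efivarfs
CN_OID = bytes.fromhex("0603550403")  # DER encoding of OID 2.5.4.3 (commonName)

def x509_entries(var_data):
    """Yield DER certificates from a db payload (a run of EFI_SIGNATURE_LIST records)."""
    off = 0
    while off + 28 <= len(var_data):  # 28-byte list header; shorter trailing bytes are ignored
        guid, list_size, hdr_size, sig_size = struct.unpack_from("<16sIII", var_data, off)
        end = off + list_size
        if list_size < 28 + hdr_size or sig_size <= 16 or end > len(var_data):
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        if guid == EFI_CERT_X509:  # hash-type lists (e.g. SHA-256) are skipped
            for pos in range(off + 28 + hdr_size, end - sig_size + 1, sig_size):
                yield var_data[pos + 16:pos + sig_size]  # drop the 16-byte SignatureOwner
        off = end

def tlv(buf, pos):
    """Read one DER element at pos and return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def subject_cn(der):
    """Return the subject commonName of a DER X.509 certificate, or None."""
    _, p, _ = tlv(der, tlv(der, 0)[1])   # Certificate -> tbsCertificate contents
    tag, _, after = tlv(der, p)
    p = after if tag == 0xA0 else p      # skip the optional [0] version field
    for _ in range(4):                   # serialNumber, signature, issuer, validity
        _, _, p = tlv(der, p)
    _, start, end = tlv(der, p)          # subject Name
    i = der.find(CN_OID, start, end)
    if i < 0:
        return None
    _, vs, ve = tlv(der, i + len(CN_OID))
    return der[vs:ve].decode("utf-8", "replace")

def audit(var_data):
    """Group subject CNs by year suffix (assumed to mark the 2011/2023 generation)."""
    names = [subject_cn(c) or "<no CN>" for c in x509_entries(var_data)]
    return {y: [n for n in names if n.endswith(y)] for y in ("2011", "2023")}

if __name__ == "__main__":
    with open(DB_PATH, "rb") as f:
        print(audit(f.read()[4:]))       # efivarfs prefixes 4 attribute bytes
```

An empty `"2023"` list in the output means the replacement certificates the article describes are not yet in that machine's `db`.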
