drivers.suse.com usage

Secure Boot Certificate

NOTE: Prior to November 12, 2013 the “SUSE SolidDriver Program” was known as the “Partner Linux Driver Program” (PLDP). Though the signing key still reflects the old name, it remains valid as described here.

The kernel module signatures are used when running SUSE Linux Enterprise in a UEFI Secure Boot environment. To ensure the integrity of the running kernel, the kernel will only load modules signed with a trusted key.

The key is considered trusted once the user loads the corresponding Secure Boot certificate into a UEFI key database.

UEFI Key Database (key db)

The recommended way to enroll a trusted key into the system is to load the certificate into the UEFI firmware's key db. Refer to your system documentation or contact your system manufacturer for options to add certificates to the key db. Find the SolidDriver certificate here:

pldp-UEFI-SIGN-Certificate.crt

If there is no user option to maintain keys in the UEFI key db, the next option is to use the Machine Owner Keys database described in the following section.

Machine Owner Keys (MOK) database

For systems that do not allow user (system admin) control over the UEFI key database, the Machine Owner Key (MOK) database option can be used. Note: it's recommended to use the key db if at all possible.

The certificate can be enrolled into the MOK by installing the following package:

pldp-UEFI-SIGN-Certificate-1.0-1.1.x86_64.rpm

This package contains the UEFI Secure Boot certificate used to sign modules built in SUSE’s Partner Linux Driver Program. It will install the certificate under /etc/uefi/certs as well as prepare it to be enrolled into the MOK database of the firmware.

Note: The kernel will only load the MOK database when the system is booted in UEFI Secure Boot mode. When not in Secure Boot mode, SolidDriver kernel modules will load, but since the module is signed with a key unknown to the kernel, the kernel will emit a “module verification failed” message and a kernel taint will occur. To prevent that taint, the certificate must be loaded into the UEFI key db manually using the firmware UI.
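A check a practitioner can run on a live system without rebooting, added here as an example (it is not code from the SUSE page or the SolidDriver project): read the Secure Boot state from efivarfs, decode the kernel's taint mask for the unsigned-module bit the note above refers to, and show which signer kmod records for a module. The efivarfs variable name, the 4-byte attribute prefix and taint bit 13 ('E', TAINT_UNSIGNED_MODULE, value 8192) are kernel facts; the variable path and the taint value are parameters so the functions can also be exercised against constructed input.

```shell
#!/bin/sh
# Added example (not from the SUSE page or the SolidDriver project).
# Answers: is this a Secure Boot boot, and has the kernel already loaded an
# unsigned/unverifiable module and tainted itself?  Usage on a live host:
#   sh sb-taint-check.sh --report [module ...]

EFIVARS=/sys/firmware/efi/efivars
# SecureBoot lives in the EFI global variable GUID namespace.
SB_VAR="$EFIVARS/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"

# Secure Boot state. efivarfs prefixes the variable data with a 4-byte
# attribute word, so the one-byte SecureBoot value sits at offset 4
# (1 = enabled). Returns 0 enabled, 1 disabled, 2 variable absent
# (legacy BIOS boot, or efivarfs not mounted). $1 overrides the path.
secure_boot_enabled() {
  var="${1:-$SB_VAR}"
  [ -r "$var" ] || return 2
  byte=$(od -An -tu1 -j4 -N1 "$var" | tr -d ' ')
  [ "$byte" = "1" ]
}

# Taint flag letters in bit order, as in Documentation/admin-guide/
# tainted-kernels.rst: bit 13 is 'E', TAINT_UNSIGNED_MODULE, the taint the
# note above describes (mask value 8192 when it is the only bit set).
TAINT_LETTERS="PFSRMBUDAWCIOELKXT"

# 0 if the given taint mask (default: the live one) has bit 13 set.
unsigned_module_taint() {
  value="${1:-$(cat /proc/sys/kernel/tainted)}"
  [ $(( (value >> 13) & 1 )) -eq 1 ]
}

# Print the letters of all set taint bits in a mask, e.g. 12288 -> "OE"
# (out-of-tree module plus unsigned module).
taint_letters() {
  value="$1"; out=""; i=0
  while [ "$i" -lt 18 ]; do
    if [ $(( (value >> i) & 1 )) -eq 1 ]; then
      out="$out$(printf '%s' "$TAINT_LETTERS" | cut -c"$((i + 1))")"
    fi
    i=$((i + 1))
  done
  printf '%s\n' "$out"
}

# Signer name kmod reads from an installed module's signature trailer
# (empty when the module is unsigned). Compare it with the certificate's CN.
module_signer() { modinfo -F signer "$1" 2>/dev/null; }

report() {
  rc=0; secure_boot_enabled || rc=$?
  case $rc in
    0) echo "Secure Boot: enabled (kernel loads the MOK database)" ;;
    2) echo "Secure Boot: SecureBoot variable not readable (BIOS boot or no efivarfs)" ;;
    *) echo "Secure Boot: disabled (MOK not consulted; unknown signers taint)" ;;
  esac
  t=$(cat /proc/sys/kernel/tainted)
  echo "taint mask: $t [$(taint_letters "$t")]"
  unsigned_module_taint "$t" && echo "=> an unsigned/unverifiable module was loaded (E)"
  for m in "$@"; do echo "$m: signer '$(module_signer "$m")'"; done
}

if [ "${1:-}" = "--report" ]; then shift; report "$@"; fi
```

Run it as `sh sb-taint-check.sh --report` after loading a SolidDriver module: with Secure Boot enabled and the certificate enrolled, the taint letters should not contain E; without Secure Boot, E appears as soon as the module loads, exactly as the note describes.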

Installation

Install the package using zypper or YaST as you would any other rpm package. After package installation, the system must be rebooted to complete the process of enrolling the key into the UEFI MOK database. At reboot the following UEFI prompt will be displayed on the system console:

Initial Screen with Timeout

This prompt will time out after 10 seconds and reboot without enrolling the key. Press any key to enter the enrollment process.

Initial Menu

Select Enroll MOK in the menu

Select View Key 0

Select View Key 0 to view the details of the certificate to be enrolled

Key Details

Verify the key details and press any key to continue

Enroll Key

When ready to enroll the key, select Continue

Confirm

Select Yes to confirm enrollment of the key

Enter Password

Enter the system's root password to authorize the enrollment.

Reboot

Select Reboot to reboot the system.

The key is now enrolled. To verify this, check the kernel messages after reboot:

# dmesg | grep "Loaded UEFI"
[    3.155012] Loaded UEFI:db cert 'SUSE Linux Enterprise Secure Boot CA: ecab0d42c456cf770436b973993862965e87262f' linked to secondary sys keyring
[    3.155310] Loaded UEFI:MokListRT cert 'SUSE Linux Enterprise Secure Boot CA: ecab0d42c456cf770436b973993862965e87262f' linked to secondary sys keyring
[    3.155556] Loaded UEFI:MokListRT cert 'SUSE Linux Products GmbH: PLDP Secure Boot Signing Key: ced5e22b63eee758a2e16663a4c2c35bbb54e54f' linked to secondary sys keyring

The PLDP Secure Boot Signing Key is in the list of loaded certs. If not, then the key was not enrolled properly.

Using mokutil to list enrolled keys

One can also verify that the certificate is loaded in the MOK database by using the mokutil command:

# mokutil --list-enrolled
[key 2]
SHA1 Fingerprint: f3:c0:a7:32:8b:b7:1b:cb:e6:58:16:04:7a:d4:ba:78:ca:52:7c:d2
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            56:30:3d:80:72:ef:02:ac:a1:b3:26:6d:41:cb:31:52:16:5e:6d:bd
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=PLDP Secure Boot Signing Key, C=DE, L=Nuremberg, O=SUSE Linux Products GmbH, OU=PLDP Team/emailAddress=pldp@suse.de
        Validity
            Not Before: Jul  8 14:10:27 2013 GMT
            Not After : Jan  7 10:03:42 2027 GMT
        Subject: CN=PLDP Secure Boot Signing Key, C=DE, L=Nuremberg, O=SUSE Linux Products GmbH, OU=PLDP Team/emailAddress=pldp@suse.de
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:a3:f8:f8:b0:4d:2a:00:5c:0a:39:6c:86:87:e6:
                    9c:a7:dd:7b:9a:a4:20:a0:60:50:7b:34:57:0d:7d:
                    2d:03:26:20:9b:28:28:74:f3:7e:55:29:7e:76:4e:
                    12:fc:e4:a1:9c:27:77:4a:9b:25:e2:50:02:bf:0d:
                    53:bd:81:6a:2d:50:19:07:a3:db:c1:86:93:b2:83:
                    25:84:7f:64:47:9e:d4:80:09:16:1c:2f:f7:df:ca:
                    49:74:42:34:66:f5:d5:17:e7:fd:1a:8f:a1:fd:38:
                    8d:25:b0:f2:27:4a:49:1f:5f:4e:04:86:68:72:b5:
                    d2:bc:74:f1:ca:94:1d:52:a0:11:98:d0:44:57:63:
                    f8:26:7d:7a:7b:ed:dc:a2:b0:1d:55:9c:e7:87:1d:
                    69:da:83:a8:72:9d:44:81:b1:e9:d8:52:80:6c:ed:
                    36:58:35:e6:ad:f7:77:25:2c:e5:a2:b0:7d:6c:42:
                    74:b8:04:1e:75:9f:a4:6d:2b:2d:48:ac:0f:02:5d:
                    db:3b:a6:b1:5d:0c:a8:0d:e1:88:a7:1a:51:8d:57:
                    10:c6:70:cf:6b:0b:bc:84:fa:f9:7f:5a:a8:17:60:
                    c2:92:cf:61:aa:f8:7a:cc:be:81:ab:c7:5c:5d:78:
                    d8:57:71:e0:8d:87:ee:82:4e:64:73:ce:1d:16:dd:
                    55:3b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier: 
                CE:D5:E2:2B:63:EE:E7:58:A2:E1:66:63:A4:C2:C3:5B:BB:54:E5:4F
            X509v3 Authority Key Identifier: 
                keyid:CE:D5:E2:2B:63:EE:E7:58:A2:E1:66:63:A4:C2:C3:5B:BB:54:E5:4F

            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage: 
                Code Signing
    Signature Algorithm: sha256WithRSAEncryption
         4f:c2:67:c8:80:68:a8:f1:97:38:67:96:1d:ad:26:e6:37:64:
         a3:f3:38:41:e5:a6:bf:d5:f9:97:d5:6b:d2:2b:bd:95:2e:e8:
         68:bb:1c:a4:9f:0a:2a:2f:1b:07:13:c2:32:17:62:8a:1f:5c:
         a9:f3:86:8e:86:71:b1:30:48:89:a0:b4:32:c7:23:a2:31:de:
         8a:7c:c5:af:a8:2b:e0:7e:de:51:82:78:21:d8:ad:a4:db:cf:
         b1:e4:04:0b:83:14:01:2d:86:bb:b5:9c:d9:ec:27:f8:36:8c:
         ed:e8:e9:cc:73:94:6b:eb:d5:ee:dd:57:4d:54:ac:db:0c:8e:
         13:80:7f:d7:4f:52:ba:69:52:6b:2d:ac:ab:7f:9f:e8:ef:e0:
         ec:b5:69:a1:3c:8d:09:92:a4:66:a5:b0:c6:2b:f2:e7:c9:ff:
         d4:a1:2a:41:7c:2f:d9:e9:1f:b3:0c:78:bb:97:8f:30:aa:e2:
         45:7e:82:53:4a:21:0a:d6:8e:76:94:98:10:ec:f8:b0:cd:3d:
         86:23:e6:f1:2e:9a:d6:ea:87:cd:b0:ec:4f:44:ce:e1:42:73:
         6b:b1:73:aa:b3:f0:62:c1:4d:74:bb:0b:f1:2b:be:b5:5f:78:
         c7:a3:85:e1:01:89:0f:09:d3:ec:e0:e8:06:5f:89:c1:40:78:
         54:6d:71:45
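The dmesg and mokutil checks above show the same certificate from two sides, and what a practitioner wants confirmed is that they agree. The following script is an added example, not code from the SUSE page or the SolidDriver project: it pulls the Subject Key Identifier out of the mokutil certificate dump and looks for a "Loaded UEFI:MokListRT" line carrying that identifier. On the kernel generation shown in the output above, the hex string after the subject in the "Loaded UEFI:" line is the certificate's X509v3 Subject Key Identifier (compare ced5e22b... with the Subject Key Identifier field in the dump); later kernels print the certificate serial number there instead, and the match would then have to use the serial. The sample texts inside the script are constructed from the excerpts on this page: the mokutil dump is abridged to the lines the parser reads, and the SUSE CA entry's subject is shortened with its identifier taken from the dmesg line.

```shell
#!/bin/sh
# Added example (not from the SUSE page or the SolidDriver project): confirm
# that the certificate mokutil reports as enrolled is the one the kernel
# linked into its keyring.  Live use:  sh mok-crosscheck.sh --live
# Without --live it runs against the constructed samples at the bottom.

# Subject Key Identifier (lowercase hex, no colons) of the enrolled key whose
# Subject line contains $1, from `mokutil --list-enrolled` text on stdin.
# Issuer lines also carry a CN, so only the Subject line is matched.
mok_skid_for_cn() {
  awk -v cn="$1" '
    /^\[key [0-9]+\]/            { hit = 0 }   # next enrolled key
    /Subject:/ && index($0, cn)  { hit = 1 }
    hit && /Subject Key Identifier/ {
      getline; gsub(/[: \t]/, ""); print tolower($0); exit
    }'
}

# 0 if dmesg text on stdin shows a cert with identifier $2 linked from
# source $1 (db, dbx or MokListRT), 1 otherwise.
uefi_cert_linked() {
  grep -q "Loaded UEFI:$1 cert '[^']*$2' linked"
}

# Tie both together: $1 dmesg text, $2 mokutil text, $3 Subject CN wanted.
check_enrollment() {
  skid=$(printf '%s\n' "$2" | mok_skid_for_cn "$3")
  if [ -z "$skid" ]; then
    echo "no enrolled MOK certificate with CN '$3'" >&2; return 1
  fi
  if printf '%s\n' "$1" | uefi_cert_linked MokListRT "$skid"; then
    echo "ok: '$3' ($skid) enrolled in MOK and linked by the kernel"
  else
    echo "'$3' ($skid) is in MOK but the kernel did not link it" >&2
    echo "(expected when not booted in Secure Boot mode)" >&2
    return 1
  fi
}

# Constructed from the dmesg excerpt on this page.
SAMPLE_DMESG=$(cat <<'EOF'
[    3.155012] Loaded UEFI:db cert 'SUSE Linux Enterprise Secure Boot CA: ecab0d42c456cf770436b973993862965e87262f' linked to secondary sys keyring
[    3.155310] Loaded UEFI:MokListRT cert 'SUSE Linux Enterprise Secure Boot CA: ecab0d42c456cf770436b973993862965e87262f' linked to secondary sys keyring
[    3.155556] Loaded UEFI:MokListRT cert 'SUSE Linux Products GmbH: PLDP Secure Boot Signing Key: ced5e22b63eee758a2e16663a4c2c35bbb54e54f' linked to secondary sys keyring
EOF
)

# Constructed, abridged mokutil --list-enrolled dump: only the lines the
# parser reads; key 1's subject is shortened and its fingerprint omitted.
SAMPLE_MOKUTIL=$(cat <<'EOF'
[key 1]
Certificate:
        Subject: CN=SUSE Linux Enterprise Secure Boot CA, O=SUSE Linux Products GmbH
            X509v3 Subject Key Identifier:
                EC:AB:0D:42:C4:56:CF:77:04:36:B9:73:99:38:62:96:5E:87:26:2F
[key 2]
SHA1 Fingerprint: f3:c0:a7:32:8b:b7:1b:cb:e6:58:16:04:7a:d4:ba:78:ca:52:7c:d2
Certificate:
        Issuer: CN=PLDP Secure Boot Signing Key, C=DE, L=Nuremberg, O=SUSE Linux Products GmbH, OU=PLDP Team/emailAddress=pldp@suse.de
        Subject: CN=PLDP Secure Boot Signing Key, C=DE, L=Nuremberg, O=SUSE Linux Products GmbH, OU=PLDP Team/emailAddress=pldp@suse.de
            X509v3 Subject Key Identifier:
                CE:D5:E2:2B:63:EE:E7:58:A2:E1:66:63:A4:C2:C3:5B:BB:54:E5:4F
EOF
)

if [ "${1:-}" = "--live" ]; then
  check_enrollment "$(dmesg)" "$(mokutil --list-enrolled)" "PLDP Secure Boot Signing Key"
else
  check_enrollment "$SAMPLE_DMESG" "$SAMPLE_MOKUTIL" "PLDP Secure Boot Signing Key"
fi
```

The script distinguishes the two failure cases that look alike from the MokManager screens: a key that was never enrolled (mokutil does not list it) and a key that is enrolled but was not linked because the system was not booted in Secure Boot mode.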

De-Installation

Removing the certificate is a similar process to installing it. To remove the certificate from the system, remove the package using zypper or YaST and then reboot the system. At the system console the following UEFI prompt will be displayed:

Shim UEFI key management
 
  Continue Boot
_ Delete MOK
  Enroll key from disk
  Enroll hash from disk

Move cursor to Delete MOK and hit Enter

[Delete MOK] 
Input the key number to show the details of the key or
type '0' to continue

1 keys(s) in the key list

Type 1 Enter to view the key details and, after confirming that the details match the key to be deleted, type 0 Enter.

Delete the key(s)? (y/n): 

Type y Enter to delete…

Password: _

Enter the root password of the SUSE Linux Enterprise OS that the Secure Boot certificate package was removed from.

Press a key to reboot system

Now the key should be removed from the MOK database.

MOK Demonstration

The following video is a demonstration of using the mokutil package to manage the Machine Owner Keys.


MOK Blacklist (MOKx)

Note: The MOK Blacklist functionality is only supported in SUSE Linux Enterprise Server/Desktop 12 and later.

The MOK blacklist allows the user to forbid particular kernel modules from being loaded, identified by the public key that signed the module.

The usage of the MOK blacklist is similar to MOK. Just add --mokx or -X to the mokutil command to indicate that it's a MOK blacklist request.

To add a key:

  1. Create the request with mokutil and type a password (or use the root password with "-P"):
   # mokutil -X --import <key>

  2. Reboot the system and enter the MokManager UI. Select Enroll MOKX and type the password. MokManager will reboot the system again.

  3. Boot the system and check the MOK blacklist with mokutil:
   # mokutil -X --list-enrolled
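The three steps above, driven from a script and confirmed by certificate fingerprint rather than by eye. This is an added example, not code from the SUSE page or the SolidDriver project: `cert.der` stands for whatever DER-encoded certificate you want to blacklist, `mokutil --list-new` shows the request still pending before the reboot, and the two text helpers normalise the fingerprint formats of openssl ("SHA1 Fingerprint=F3:C0:...") and mokutil ("SHA1 Fingerprint: f3:c0:...") so they can be compared. The listing at the bottom is a constructed sample with a dummy fingerprint.

```shell
#!/bin/sh
# Added example (not from the SUSE page or the SolidDriver project): queue a
# certificate for the MOK blacklist (MOKX) and confirm the result after the
# reboot through MokManager.
# Usage:  sh mokx.sh queue cert.der     (before the reboot)
#         sh mokx.sh verify cert.der    (after Enroll MOKX in MokManager)

# openssl prints "SHA1 Fingerprint=F3:C0:..."; mokutil lists
# "SHA1 Fingerprint: f3:c0:...". Reduce either to lowercase colon-hex.
fingerprint_norm() {
  sed -n 's/.*[Ss][Hh][Aa]1 Fingerprint[=:] *//p' | tr 'A-F' 'a-f'
}

# SHA1 fingerprint of a DER certificate, normalised as above.
cert_fingerprint() {
  openssl x509 -inform DER -in "$1" -noout -fingerprint -sha1 | fingerprint_norm
}

# 0 if a `mokutil -X --list-enrolled` / `--list-new` dump on stdin lists the
# given normalised fingerprint, 1 otherwise.
list_has_fingerprint() {
  grep -q "^SHA1 Fingerprint: $1\$"
}

# Step 1: queue the certificate for MOKX. -P authorises with the root password
# instead of a one-off password; MokManager asks for it at the next boot.
mokx_queue() {
  fp=$(cert_fingerprint "$1") || return 1
  mokutil -X --import "$1" -P || return 1
  if mokutil -X --list-new | list_has_fingerprint "$fp"; then
    echo "queued for MOKX: $fp (reboot and select Enroll MOKX)"
  else
    echo "import accepted but $fp is not in the pending list" >&2; return 1
  fi
}

# Step 2, after the reboot: the certificate must now be in the blacklist.
mokx_verify() {
  fp=$(cert_fingerprint "$1") || return 1
  if mokutil -X --list-enrolled | list_has_fingerprint "$fp"; then
    echo "blacklisted: $fp"
  else
    echo "NOT in MOKX: $fp (enrollment cancelled or timed out?)" >&2; return 1
  fi
}

# Constructed sample of a one-entry MOKX listing; the fingerprint is a dummy.
SAMPLE_MOKX=$(cat <<'EOF'
[key 1]
SHA1 Fingerprint: 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef:01:23:45:67
Certificate:
    Data:
        Version: 3 (0x2)
EOF
)

case "${1:-}" in
  queue)  mokx_queue "$2" ;;
  verify) mokx_verify "$2" ;;
esac
```

Both mokutil calls need root. If `mokutil -X --list-new` is empty after the import, nothing will be offered at reboot; rerun the queue step before rebooting.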
