Mitigate Microsoft Secure Boot Certificate Expiration

Introduction

This document describes how to mitigate the upcoming expiration of Secure Boot Certificates as it pertains to Cisco UCS environments.

Background Information

Secure Boot is a foundational security feature built into the Unified Extensible Firmware Interface (UEFI) of modern servers and PCs. It establishes a chain of trust during the boot process by ensuring that only digitally signed and verified software  bootloaders, operating system kernels, and UEFI drivers are allowed to execute. This mechanism protects systems against bootkits, rootkits, and other low-level malware threats.

At the heart of Secure Boot lies a set of cryptographic certificates issued by Microsoft. These certificates are embedded in the UEFI firmware of virtually every server and PC shipped in the last decade, including Cisco UCS (Unified Computing System) servers. They serve as the trust anchors that validate whether a piece of boot-time software is legitimate.

Microsoft has now disclosed that two critical Secure Boot certificates, the Microsoft Windows Production PCA 2011 and the Microsoft UEFI CA 2011 are set to expire on October 19, 2026. This expiration affects the entire hardware ecosystem, and Cisco has acknowledged the impact on its UCS server portfolio under Cisco bug ID CSCwr45526

Problem

What Certificates Are Expiring?

The two certificates at the center of this issue are:

Certificate	Role	Expiration Date
Microsoft Windows Production PCA 2011	Signs and validates Microsoft Windows bootloaders	October 19, 2026
Microsoft UEFI CA 2011	Signs and validates third-party UEFI drivers, option ROMs, and non-Windows bootloaders	October 19, 2026

These certificates are stored in the UEFI firmware Secure Boot key stores:

• db (Signature Database) — Contains trusted certificates used to verify boot-time binaries.
• KEK (Key Exchange Key) — Authorizes updates to the Signature Database.
• PK (Platform Key) — The root of trust, typically owned by the OEM (for example, Cisco).
  
  

• Why Is This a Problem for Cisco UCS Servers?

  Cisco UCS servers—including the B-Series (Blade), C-Series (Rack), and X-Series (Modular) platforms ship with Microsoft 2011 Secure Boot certificates pre-loaded in their UEFI BIOS firmware. When Secure Boot is enabled, the BIOS uses these certificates at every boot cycle to validate:

  • The Windows Server bootloader (For Example, bootmgfw.efi), which is signed by the Windows Production PCA 2011.
  • Third-party UEFI components, such as:
    • Storage controller (RAID) UEFI drivers
    • Network adapter PXE boot ROMs
    • Other PCIe device firmware loaded during POST

  These components are typically signed by the Microsoft UEFI CA 2011.

  What Happens If No Action Is Taken?

  • Windows Server fails to boot 

  • UEFI drivers and option ROMs are rejected 

  These failures do not occur until Microsoft starts signing Windows bootloaders with new certificates. 

Cisco has formally tracked this issue under Cisco bug ID CSCwr45526
This defect acknowledges that:

• UCS server firmware contains the expiring Microsoft 2011 Secure Boot certificates.
• A firmware update is required to introduce the replacement certificates (Microsoft 2023 certificates) into the UEFI key stores.

Solution

Apply Cisco UCS Firmware Updates

Updated firmware for affected UCS platforms that includes the new Microsoft Secure Boot certificates:

New Certificate	Replaces
Microsoft Windows UEFI CA 2023	Microsoft Windows Production PCA 2011
Microsoft UEFI CA 2023	Microsoft UEFI CA 2011

Action Steps:

• Monitor Cisco bug ID CSCwr45526 on the Cisco Bug Search Tool for fixed firmware versions and release timelines.
• Download and deploy the updated firmware when available for your specific UCS platform (B-Series, C-Series, X-Series).
• Use Cisco management tools for firmware Upgrade:
  • Cisco Intersight — For cloud-managed environments, use Intersight firmware management policies to orchestrate updates at scale.
  • Cisco UCS Manager (UCSM) — For domain-managed B-Series and C-Series servers.
  • Cisco IMC (Integrated Management Controller) — For standalone C-Series rack servers.

The table shows the minimum firmware version that includes the fix containing the updated certificates:

1. Standalone Rack Servers (HUU)

Server Model	Firmware Version(s)
UCS C125	4.3.2.260007
UCS C220 M5	4.3.2.260007
UCS C220 M6	4.3.6.260017, 6.0.2.260044
UCS C220 M7	4.3.6.260017, 6.0.2.260044
UCS C220 M8	4.3.6.260017, 6.0.2.260044
UCS C225 M6	4.3.6.260017, 6.0.2.260044
UCS C225 M8	4.3.6.260017, 6.0.2.260044
UCS C240 M5	4.3.2.260007
UCS C240 M6	4.3.6.260017, 6.0.2.260044
UCS C240 M7	4.3.6.260017, 6.0.2.260044
UCS C240 M8	4.3.6.260017, 6.0.2.260044
UCS C245 M6	4.3.6.260017, 6.0.2.260044
UCS C245 M8	4.3.6.260017, 6.0.2.260044
UCS C480 M5	4.3.2.260007
UCS S3260	4.3.6.260017
UCS XE130C M8	6.0.2.260042

---

2. Rack Servers Connected to Intersight (IMC)

IMC Firmware Version
IMC-6.0.2.260044
IMC-6.0.2.260043
IMC-6.0.2.260042
IMC-6.0.2.260040
IMC-6.0.2.260026
IMC-5.4.0.260011
IMC-5.4.0.260010
IMC-5.4.0.260009
IMC-4.3.6.260017
IMC-4.3.2.260007

---

3. IMM Servers

Server Model	Firmware Version(s)
UCS B200 M5	5.4.0.260011
UCS B480 M5	5.4.0.260011
UCS B200 M6	5.4.0.260011, 6.0.2.260040
UCS 210C M6	5.4.0.260009, 6.0.2.260040
UCS 210C M7	5.4.0.260010, 6.0.2.260040
UCS 410C M7	5.4.0.260010, 6.0.2.260040
UCS 210C M8	5.4.0.260010, 6.0.2.260040
UCS 215C M8	5.4.0.260010, 6.0.2.260040
UCS 410C M8	6.0.2.260040

---

4. UCSM Managed Servers

UCSM Firmware Version
4.3(6f) UCSM
6.0(2b) UCSM

Depending on the operating system running on the UCS servers, additional configuration may be required to address the UEFI certificate expiration issue. Cisco recommends consulting the respective OS vendor for guidance on any OS-specific remediation steps.

Revision History

Revision	Publish Date	Comments
1.0	08-Apr-2026	Initial Release