The Microsoft UEFI CA 2011 quietly expired on June 27, 2026. If you're running anything with Secure Boot enabled, this is worth five minutes of your time.

What actually breaks

Third-party binaries that were signed only by that CA — things like option ROMs, older third-party bootloaders, or hardware firmware blobs — can fail Secure Boot validation. The machine may refuse to boot, or just silently skip what it can't verify.

The good news: most major Linux distros pushed dual-signed shim binaries in time. Debian, Ubuntu, Fedora — they're all covered. If you've been keeping up with updates, you're probably fine.

Who probably needs to act