The Microsoft Keys

Thanks to Matthew Garrett, we have copies of the keys from the Insyde reference platform.  As expected, the platform key is a self signed X509 certificate with /CN=Insyde/.  You can get it here (signature list, der).

The Key Exchange Key is a Microsoft X509 certificate with /CN=Microsoft Corporation KEK CA 2011/ It’s not self signed, it’s signed by /CN=Microsoft Corporation Third Party Marketplace Root/ you can get it here (signature list, der).

The Signature database contains three microsoft X509 certificates; you can get the signature list here.

  1. /CN=Microsoft Windows PCA 2010/ signed by /CN=Microsoft Root Certificate Authority 2010/ (db.0.cer).
  2. /CN=Microsoft Corporation UEFI CA 2011/ signed by /CN=Microsoft Corporation Third Party Marketplace Root/ (db.1.cer)
  3. /CN=Microsoft Windows Production PCA 2011/ signed by /CN=Microsoft Root Certificate Authority 2010/ (db.2.cer)

The interesting thing to note is that while Insyde owns the PK (as the windows hardware certification requires them to), they have no other certificates in the system, so in secure mode any bios update they do must be signed by a Microsoft key.

3 thoughts on “The Microsoft Keys

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.