Thanks to Matthew Garrett, we have copies of the keys from the Insyde reference platform. As expected, the platform key is a self-signed X509 certificate with /CN=Insyde/. You can get it here (signature list, der).
The Key Exchange Key is a Microsoft X509 certificate with /CN=Microsoft Corporation KEK CA 2011/. It's not self-signed; it's signed by /CN=Microsoft Corporation Third Party Marketplace Root/. You can get it here (signature list, der).
The Signature database contains three Microsoft X509 certificates; you can get the signature list here.
- /CN=Microsoft Windows PCA 2010/ signed by /CN=Microsoft Root Certificate Authority 2010/ (db.0.cer).
- /CN=Microsoft Corporation UEFI CA 2011/ signed by /CN=Microsoft Corporation Third Party Marketplace Root/ (db.1.cer).
- /CN=Microsoft Windows Production PCA 2011/ signed by /CN=Microsoft Root Certificate Authority 2010/ (db.2.cer).
The interesting thing to note is that while Insyde owns the PK (as the Windows hardware certification requires them to), they have no other certificates in the system, so in secure mode any BIOS update they do must be signed by a Microsoft key.
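The "signature list" files mentioned above use the UEFI EFI_SIGNATURE_LIST layout. The following is an added example, not code from the original post: it splits such a blob into its entries and names the X.509 ones db.N.cer as in the list above. The helper names, the owner GUID and the sample bytes are constructed for illustration.

```python
import struct
import uuid

# Signature type GUIDs from the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
LIST_HEADER = struct.Struct("<16sIII")  # type GUID, list size, header size, entry size


def parse_signature_lists(blob):
    """Return (type_guid, owner_guid, data) for every entry in concatenated lists."""
    entries, offset = [], 0
    while offset < len(blob):
        if len(blob) - offset < LIST_HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        raw_type, list_size, hdr_size, sig_size = LIST_HEADER.unpack_from(blob, offset)
        body = list_size - LIST_HEADER.size - hdr_size
        if list_size > len(blob) - offset or sig_size <= 16 or body < 0 or body % sig_size:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        sig_type = uuid.UUID(bytes_le=raw_type)
        pos = offset + LIST_HEADER.size + hdr_size
        for start in range(pos, offset + list_size, sig_size):
            owner = uuid.UUID(bytes_le=blob[start:start + 16])
            entries.append((sig_type, owner, blob[start + 16:start + sig_size]))
        offset += list_size
    return entries


def x509_files(blob, prefix):
    """Map names like db.0.cer to the DER bytes of each X.509 entry."""
    certs = [data for sig_type, _, data in parse_signature_lists(blob)
             if sig_type == EFI_CERT_X509_GUID]
    return {f"{prefix}.{i}.cer": der for i, der in enumerate(certs)}


def build_list(sig_type, owner, payloads):
    """Build one list from equal-sized payloads (used only for the constructed sample)."""
    sig_size = 16 + len(payloads[0])
    size = LIST_HEADER.size + sig_size * len(payloads)
    head = LIST_HEADER.pack(sig_type.bytes_le, size, 0, sig_size)
    return head + b"".join(owner.bytes_le + p for p in payloads)


# Constructed sample: placeholder bytes stand in for real DER certificates.
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")  # made-up owner GUID
SAMPLE_DB = (build_list(EFI_CERT_X509_GUID, OWNER, [b"\x30\x03\x02\x01\x01"])
             + build_list(EFI_CERT_SHA256_GUID, OWNER, [bytes(32)])
             + build_list(EFI_CERT_X509_GUID, OWNER, [b"\x30\x03\x02\x01\x02"]))
```

A variable read from Linux efivarfs carries a 4-byte attribute prefix that has to be stripped before the blob is passed to `parse_signature_lists`.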
Thanks for this post, it was key in my getting Fedora 20 to boot Windows 8.1 inside a QEMU VM with secure-boot enabled and OEM pre-activation 😀
Just another thanks. Used it to get Win 8.1 working in Ubuntu 14.10.
Where can I get it from Microsoft’s .key file?