Verification of Secure Boot Certificate on Virtual Machines

Article ID: 424429

Products

VMware vSphere ESXi

Issue/Introduction

This article provides steps to verify whether the updated Secure Boot certificates are correctly enrolled in a virtual machine's NVRAM. For Windows guests, this involves exporting the UEFI variables and analyzing the raw binary data; for Linux guests, standard utilities print the certificates directly.

Environment

VMware vSphere ESXi 7.0
VMware vSphere ESXi 8.0

Cause

To confirm that the Secure Boot certificates were updated, the contents of the KEK and db variables must be inspected directly. Windows returns UEFI variables as raw binary data (a sequence of EFI_SIGNATURE_LIST structures), so additional steps are required to decode the data and inspect the certificate details.

Resolution

To verify the presence of the new Secure Boot certificates, follow the procedure appropriate for your guest operating system.

Method 1: Verifying on Linux Guest OS

On Linux, the mokutil utility reads the Secure Boot variables through efivarfs and prints the certificates they contain, so no manual decoding is needed. The guest must be booted in UEFI mode (the VM's firmware type set to EFI); otherwise the variables are not visible.

  1. Log in to the Linux guest OS.

  2. Run the following commands to list the certificates in the KEK and in the db.

    sudo mokutil --kek
    sudo mokutil --db
    
  3. Inspect the output and confirm that the expected certificates are present: compare the Subject, Issuer and validity dates (Not Before/Not After) with the certificates the update was expected to add.

Method 2: Verifying on Windows Guest OS

Windows has no built-in utility that displays the certificates stored in the Secure Boot variables. PowerShell can export the raw variable data, which is then decoded and inspected on a Linux system.

Step 2-1: Export UEFI Variable Data (on Windows)

  1. Log in to the Windows guest OS with administrator privileges.

  2. Open an elevated PowerShell session and run the following commands to export the KEK to a binary file. Get-SecureBootUEFI returns the variable's raw data, which is written to disk unchanged. To export the db instead, use -Name db and a different output file name.

    $kekData = (Get-SecureBootUEFI -Name KEK).Bytes
    [System.IO.File]::WriteAllBytes("C:\KEK.bin", $kekData)
    
  3. Transfer the resulting C:\KEK.bin file to a Linux system that has efitools and openssl installed.

Step 2-2: Analyze the Binary Data (on Linux)

Perform this step on a Linux system (e.g., Ubuntu).

  1. Install the necessary tools.

    sudo apt-get update
    sudo apt-get install efitools openssl
    
  2. Extract the certificates from the binary file. The sig-list-to-certs command (from efitools) splits the EFI_SIGNATURE_LIST data into one file per entry; X.509 certificate entries are written as individual DER files with the given prefix.

    sig-list-to-certs KEK.bin KEK-cert
    

    If the update was successful, several files (e.g., KEK-cert-0.der, KEK-cert-1.der) are generated, one per certificate, in the order in which the entries are stored in the variable. Certificates appended by the update usually have the highest index numbers, but identify them by their contents rather than by the index.

  3. Inspect the certificate details. Use OpenSSL to display the text content of the extracted DER files.

    openssl x509 -inform DER -in KEK-cert-0.der -noout -text
    openssl x509 -inform DER -in KEK-cert-1.der -noout -text
    
  4. Verify the certificate information. Confirm that the Subject, Issuer and validity dates (Not Before/Not After) in the output match the updated certificates.

If the expected certificates are present, the update on the VMware infrastructure side is complete.
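The split that sig-list-to-certs performs in Step 2-2 is a walk over the EFI_SIGNATURE_LIST structures that both Get-SecureBootUEFI (Windows) and efivarfs (Linux, Method 1) return. The following script is an added example written for this article, not VMware or efitools code: it parses that format, prints one line per entry with the SHA-256 fingerprint of each certificate (the value `openssl x509 -fingerprint -sha256` prints, without the colons) and can write the DER files itself, so the check can also be run on the Windows guest without transferring the file. The script name siglist.py, the --efivarfs and --out options, and the placeholder certificate bytes and owner GUID in the sample are assumptions of the example; the SignatureType GUIDs are the values defined in the UEFI specification.

```python
"""siglist.py: split a raw Secure Boot variable (PK, KEK, db, dbx) into its entries.

Added example for this article; not VMware or efitools code. Input is the
variable data exactly as Get-SecureBootUEFI's .Bytes returns it on Windows, or
as read from /sys/firmware/efi/efivars/<Name>-<GUID> on Linux (--efivarfs).
"""
import hashlib
import struct
import sys
import uuid

# SignatureType GUIDs from the UEFI specification (EFI_SIGNATURE_LIST).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
HEADER_LEN = 28  # EFI_GUID SignatureType (16) + three UINT32 fields (12)


def strip_efivarfs_attrs(data: bytes) -> bytes:
    """efivarfs prefixes the variable data with a 4-byte attributes word; drop it."""
    return data[4:]


def parse_signature_lists(data: bytes) -> list:
    """Return [(signature_type, signature_owner, payload), ...] for a concatenation
    of EFI_SIGNATURE_LIST structures. Integers are little-endian; GUIDs are
    mixed-endian (uuid bytes_le). One list has one SignatureType and one
    SignatureSize, which is why firmware stores each X.509 certificate (different
    DER lengths) in its own list while many SHA-256 hashes can share one list.
    """
    entries = []
    off = 0
    while off < len(data):
        if len(data) - off < HEADER_LEN:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < HEADER_LEN + hdr_size or off + list_size > len(data):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        body_off = off + HEADER_LEN + hdr_size
        body_len = list_size - HEADER_LEN - hdr_size
        if sig_size <= 16 or body_len % sig_size:
            raise ValueError(f"bad SignatureSize {sig_size} at offset {off}")
        for i in range(body_len // sig_size):
            e = body_off + i * sig_size
            owner = uuid.UUID(bytes_le=data[e:e + 16])  # EFI_SIGNATURE_DATA.SignatureOwner
            entries.append((sig_type, owner, data[e + 16:e + sig_size]))  # .SignatureData
        off += list_size
    return entries


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes, as `openssl x509 -fingerprint -sha256` prints it (no colons)."""
    return hashlib.sha256(der).hexdigest()


def summarize(data: bytes) -> list:
    """One row per entry: X.509 entries get their fingerprint, hash entries the hash itself."""
    rows = []
    for sig_type, owner, payload in parse_signature_lists(data):
        if sig_type == EFI_CERT_X509_GUID:
            kind, value = "X509", fingerprint(payload)
        elif sig_type == EFI_CERT_SHA256_GUID:
            kind, value = "SHA256", payload.hex()
        else:
            kind, value = str(sig_type), payload.hex()
        rows.append({"kind": kind, "owner": str(owner), "size": len(payload), "value": value})
    return rows


def write_der_files(data: bytes, prefix: str) -> list:
    """Write each X.509 entry to <prefix>-<n>.der for `openssl x509 -inform DER -in ... -text`."""
    names = []
    for n, (sig_type, _owner, payload) in enumerate(parse_signature_lists(data)):
        if sig_type == EFI_CERT_X509_GUID:
            name = f"{prefix}-{n}.der"
            with open(name, "wb") as f:
                f.write(payload)
            names.append(name)
    return names


def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID, payloads: list) -> bytes:
    """Encode one EFI_SIGNATURE_LIST (no SignatureHeader); used here only to build sample input."""
    if len({len(p) for p in payloads}) != 1:
        raise ValueError("all entries of one list must have the same SignatureSize")
    sig_size = 16 + len(payloads[0])
    header = sig_type.bytes_le + struct.pack("<III", HEADER_LEN + sig_size * len(payloads), 0, sig_size)
    return header + b"".join(owner.bytes_le + p for p in payloads)


# Constructed sample input (not real certificates): two placeholder DER blobs of
# different lengths, each in its own X509 list, plus one SHA-256 hash list.
SAMPLE_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")  # made-up SignatureOwner
FAKE_CERT_A = b"\x30\x82" + b"A" * 70
FAKE_CERT_B = b"\x30\x82" + b"B" * 50
FAKE_HASH = bytes.fromhex("ab" * 32)


def sample_variable() -> bytes:
    return (build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, [FAKE_CERT_A])
            + build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, [FAKE_CERT_B])
            + build_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER, [FAKE_HASH]))


if __name__ == "__main__":
    # usage: python3 siglist.py [KEK.bin] [--efivarfs] [--out KEK-cert]
    args = sys.argv[1:]
    if args and not args[0].startswith("--"):
        with open(args[0], "rb") as f:
            blob = f.read()
        if "--efivarfs" in args:
            blob = strip_efivarfs_attrs(blob)
    else:
        blob = sample_variable()  # no file given: demonstrate on the constructed sample
    for i, row in enumerate(summarize(blob)):
        print(f"[{i}] {row['kind']:6} owner={row['owner']} bytes={row['size']} {row['value']}")
    if "--out" in args:
        print("wrote", write_der_files(blob, args[args.index("--out") + 1]))
```

Run it as `python3 siglist.py C:\KEK.bin --out KEK-cert` on the exported file, or on Linux as `python3 siglist.py /sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c --efivarfs` (the db lives under d719b2cb-3d3a-4596-a3bc-dad00e67656f). Comparing the printed fingerprints against the fingerprints of the certificates the update was expected to add is a stricter check than reading Subject lines, and the parser rejects truncated or inconsistent list headers instead of silently reporting a partial result.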

Update method: if the verification shows that the certificates are missing or not updated, refer to the following article for manual update instructions:

Manual Update of Secure Boot Variables in Virtual Machines (423919)

Additional Information

Japanese version: Verification of Secure Boot Certificates on Virtual Machines (仮想マシンにおけるセキュアブート証明書の確認について, 424430)