Secure Boot Certificate Expirations: Guidance for ESX Host Secure Boot
Article ID: 434297

Products

VMware vSphere ESXi

Issue/Introduction

During the Secure Boot process, UEFI DB certificates stored in the server firmware are used to validate the signature of the ESX bootloader. The Microsoft Corporation UEFI CA 2011 certificate, the industry standard used to sign third-party UEFI applications (including ESX bootloaders), is scheduled to expire on June 27, 2026. Microsoft has issued the Microsoft UEFI CA 2023 certificates (Microsoft UEFI CA 2023 & Microsoft Option ROM UEFI CA 2023) to replace the expiring 2011 certificate.

This KB outlines how VMware is managing this transition at the physical host (server firmware) layer so that Secure Boot-enabled ESX environments remain operational.

Refer to KB 423893 for guidance on the virtual machine layer.

Environment

  • VMware ESXi 7.x.
  • VMware ESXi 8.x.
  • VMware ESX 9.x.

Resolution

  • There is no impact on Secure Boot-enabled ESX hosts, and no immediate action is necessary. UEFI firmware does not evaluate certificate validity dates when it verifies a bootloader signature, so an ESX bootloader signed under the Microsoft Corporation UEFI CA 2011 continues to verify after June 27, 2026 as long as that certificate remains in the DB. The transition matters for future ESX builds whose bootloaders are signed under the Microsoft UEFI CA 2023: those will only pass Secure Boot on firmware whose DB contains the 2023 certificate.
  • To support this certificate transition, VMware will deliver a comprehensive solution in a future VCF release designed to ensure firmware readiness during the vSphere lifecycle (both fresh installations and upgrades) while minimizing operational overhead.
  • VMware will update this documentation with further information and guidance during the future VCF releases.

Security Note: The expiration of the certificate does NOT create any new security vulnerabilities. Revoking a UEFI Secure Boot certificate (removing it from the DB or adding it to the DBX) is a separate security decision that is independent of the certificate's expiration date. Specifically, the Microsoft Corporation UEFI CA 2011 is used to validate a wide range of pre-boot components beyond the OS bootloader. This includes, but is not limited to, option ROM firmware for hardware components such as RAID controllers, NICs, and HBAs, and independent UEFI applications and diagnostic tools developed by hardware vendors. The server vendors are responsible for these components, including their signature status. Please consult your specific server vendor (e.g., Dell, HPE, Lenovo) to understand the full impact of revoking the Microsoft Corporation UEFI CA 2011 in your environment before proceeding. Revoking this certificate without fully understanding its usage may result in an unbootable system.
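Before deciding anything about the DB or DBX contents described above, a practitioner wants an inventory of what the firmware actually trusts. The following is an added example, not code from this KB or from VMware: a Python parser for the raw `db`/`dbx` variable format (a sequence of `EFI_SIGNATURE_LIST` structures as defined in the UEFI specification) that lists every enrolled entry and can confirm whether a given CA certificate, identified by the SHA-256 fingerprint of its DER encoding, is present. The input blob is assumed to come from your server vendor's firmware tooling or from Linux efivarfs (`/sys/firmware/efi/efivars/db-d719b2cb-3d3e-4596-a3bc-dad00e67656f`, which prefixes a 4-byte attribute word). The sample data at the bottom is constructed for illustration; the placeholder "certificate" bytes and the owner GUID are not real firmware content.

```python
import hashlib
import struct
import sys
import uuid

# Signature type GUIDs from the UEFI specification (EFI_CERT_*_GUID).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPE_NAMES = {EFI_CERT_X509_GUID: "x509", EFI_CERT_SHA256_GUID: "sha256"}

# EFI_SIGNATURE_LIST header: EFI_GUID SignatureType; UINT32 SignatureListSize;
# UINT32 SignatureHeaderSize; UINT32 SignatureSize. All fields little-endian.
LIST_HDR = struct.Struct("<16sIII")


def parse_signature_lists(blob, efivars_file=False):
    """Split a raw db/dbx variable into (type_guid, owner_guid, data) entries.

    efivars_file=True skips the 4-byte attribute word that Linux efivarfs
    prepends. Inconsistent headers raise ValueError rather than being skipped:
    a half-parsed trust store would give a false sense of what is enrolled.
    """
    off = 4 if efivars_file else 0
    entries = []
    while off < len(blob):
        if len(blob) - off < LIST_HDR.size:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        type_raw, list_size, hdr_size, sig_size = LIST_HDR.unpack_from(blob, off)
        sig_type = uuid.UUID(bytes_le=type_raw)
        if list_size < LIST_HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        body_start = off + LIST_HDR.size + hdr_size
        body_len = list_size - LIST_HDR.size - hdr_size
        # Each EFI_SIGNATURE_DATA is a 16-byte SignatureOwner GUID plus the data.
        if sig_size < 16 or body_len % sig_size:
            raise ValueError(f"SignatureSize {sig_size} does not divide list body {body_len}")
        for pos in range(body_start, body_start + body_len, sig_size):
            owner = uuid.UUID(bytes_le=bytes(blob[pos:pos + 16]))
            entries.append((sig_type, owner, bytes(blob[pos + 16:pos + sig_size])))
        off += list_size
    return entries


def inventory(blob, efivars_file=False):
    """Summarise a db/dbx blob. X.509 entries are keyed by the SHA-256 of the
    DER certificate; SHA-256 entries (typical dbx content) by the hash itself."""
    rows = []
    for sig_type, owner, data in parse_signature_lists(blob, efivars_file):
        kind = SIG_TYPE_NAMES.get(sig_type, str(sig_type))
        digest = data.hex() if sig_type == EFI_CERT_SHA256_GUID else hashlib.sha256(data).hexdigest()
        rows.append({"type": kind, "owner": str(owner), "sha256": digest, "size": len(data)})
    return rows


def contains_cert(blob, der_sha256_hex, efivars_file=False):
    """True if a DER certificate with this SHA-256 fingerprint is enrolled as an X.509 entry."""
    want = der_sha256_hex.lower()
    return any(r["type"] == "x509" and r["sha256"] == want for r in inventory(blob, efivars_file))


def build_signature_list(sig_type, owner, items):
    """Encode one EFI_SIGNATURE_LIST (no optional header). Used to build the sample input."""
    if len({len(i) for i in items}) != 1:
        raise ValueError("all signatures in one list must have the same size")
    sig_size = 16 + len(items[0])
    out = LIST_HDR.pack(sig_type.bytes_le, LIST_HDR.size + sig_size * len(items), 0, sig_size)
    return out + b"".join(owner.bytes_le + item for item in items)


# Constructed sample, NOT a real firmware dump. The "certificate" is a placeholder
# byte string standing in for a DER-encoded CA certificate, and the owner GUID
# and dbx hashes are arbitrary.
SAMPLE_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE_CERT_DER = b"\x30\x82\x01\x00" + b"A" * 60
SAMPLE_CERT_FP = hashlib.sha256(SAMPLE_CERT_DER).hexdigest()
SAMPLE_DB = build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, [SAMPLE_CERT_DER])
SAMPLE_DBX = build_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER,
                                  [bytes([0x11]) * 32, bytes([0x22]) * 32])

if __name__ == "__main__":
    # Usage: python uefi_db_inventory.py [<dump file> [--efivars]]
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
        rows = inventory(blob, efivars_file="--efivars" in sys.argv)
    else:
        rows = inventory(SAMPLE_DB + SAMPLE_DBX)
    for r in rows:
        print(f"{r['type']:8} owner={r['owner']} size={r['size']:5} sha256={r['sha256']}")
```

Run it against a real dump and compare the X.509 fingerprints with the ones your server vendor publishes for the Microsoft Corporation UEFI CA 2011 and Microsoft UEFI CA 2023; an entry of type `sha256` in the DB (rather than the DBX) trusts one specific binary by hash, which is worth knowing before any CA is removed.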