How to Obtain Microsoft Secure Boot Certificate?

Anonymous
2025-01-20T20:58:39+00:00

I’ve read that Microsoft offers a service to analyze and sign non-Microsoft bootloaders so they’re trusted by all “Certified for Windows” PCs. I’m interested in getting my current Linux bootloader signed. I came across this article describing certain requirements. Does anyone know if these are the complete, exhaustive requirements for bootloader approval? Also, are there any estimates regarding the typical lead times and costs involved in obtaining the certificate? Any guidance or firsthand experience would be greatly appreciated!

Tags: Windows Server, Identity and access, Certificates and public key infrastructure (PKI)

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question. To protect privacy, user profiles for migrated questions are anonymized.


1 answer

  1. Anonymous
    2025-01-27T11:13:20+00:00

    Hello Shua Levenberg,

    Thank you for posting in Microsoft Community forum.

    The service you're referring to is likely part of Microsoft's Secure Boot signing process. This allows non-Microsoft bootloaders to be signed so that they are trusted on systems that enforce Secure Boot. The requirements and process can be quite specific.

    Here are some general steps and considerations based on the usual process:

    General Requirements:

    1. PE/COFF Format: Your bootloader must be in the PE/COFF executable format.

    2. Authenticode Signature: The bootloader must be Authenticode signed by a recognized Certificate Authority.

    3. Adherence to UEFI Specifications: The bootloader must comply with UEFI specifications.

    4. Security Practices: The bootloader must follow security best practices, including no writable and executable memory regions, and proper handling of user input and errors.

    5. Submission Package: You must prepare and submit a package that includes your bootloader, necessary documentation, and evidence of compliance with Microsoft's requirements.

    Lead Times and Costs:

    Lead times and costs can vary depending on several factors, such as the complexity of the bootloader, how quickly you can respond to any requests for more information or adjustments, and the current load on Microsoft's signing services.

    Lead Time:

    The process can take several weeks to several months. It's best to consult Microsoft's official resources or reach out to their support for more precise estimates.

    Costs:

    Costs may include fees for code signing certificates from a trusted Certificate Authority, possible service fees for Microsoft's signing process, and any development or consulting fees if you need assistance ensuring compliance.

    Steps to Get Started:

    1. Prepare Your Bootloader: Ensure it meets all the necessary technical and security requirements.

    2. Obtain a Code Signing Certificate: Acquire a certificate from a trusted Certificate Authority.

    3. Package and Submit: Follow Microsoft's guidelines for packaging and submitting your bootloader for signing.

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Daisy Zhou

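Several of the requirements the answer above lists (PE/COFF format, an embedded Authenticode signature, no memory region that is both writable and executable, a UEFI application image) can be pre-checked on the binary before anything is submitted. The script below is an added example, not code from the original post, from Microsoft's signing process, or from any bootloader project: it parses the PE32+ headers of an image and reports which of those points it fails. The check names, the `build_image` helper and the two constructed sample images are mine; the "signature" in the sample is a zero-filled placeholder, so the script only detects whether a signature blob is present in the security directory, not whether it verifies.

```python
import struct

# Constants from the Microsoft PE/COFF specification.
PE32PLUS_MAGIC = 0x20B
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_SUBSYSTEM_EFI_APPLICATION = 10
IMAGE_DIRECTORY_ENTRY_SECURITY = 4      # data directory holding the Authenticode (WIN_CERTIFICATE) blob
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
OPT_HDR_FMT = "<HBBIIIIIQIIHHHHHHIIIIHHQQQQII"   # PE32+ optional header up to NumberOfRvaAndSizes (112 bytes)
SECTION_FMT = "<8sIIIIIIHHI"                     # IMAGE_SECTION_HEADER (40 bytes)


def parse_pe(data: bytes) -> dict:
    """Extract the header fields the checks need; raise ValueError if this is not a PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic != PE32PLUS_MAGIC:
        raise ValueError(f"optional header magic 0x{magic:x} is not PE32+")
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    (ndirs,) = struct.unpack_from("<I", data, opt + 108)
    sec_va = sec_size = 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        sec_va, sec_size = struct.unpack_from("<II", data, opt + 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sections = []
    for i in range(nsections):
        fields = struct.unpack_from(SECTION_FMT, data, opt + opt_size + 40 * i)
        sections.append({"name": fields[0].rstrip(b"\0").decode("ascii", "replace"),
                         "characteristics": fields[9]})
    return {"subsystem": subsystem, "security_dir": (sec_va, sec_size), "sections": sections}


def check_bootloader(data: bytes) -> list:
    """Return one finding per failed requirement; an empty list means the image passed every check."""
    try:
        pe = parse_pe(data)
    except (ValueError, struct.error) as exc:
        return [f"not a PE32+ image: {exc}"]
    findings = []
    if pe["subsystem"] != IMAGE_SUBSYSTEM_EFI_APPLICATION:
        findings.append(f"subsystem {pe['subsystem']} is not EFI_APPLICATION (10)")
    wx = IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
    for s in pe["sections"]:
        if s["characteristics"] & wx == wx:
            findings.append(f"section {s['name']} is writable and executable")
    sec_va, sec_size = pe["security_dir"]
    if sec_size == 0:
        findings.append("no Authenticode signature: security directory is empty")
    elif sec_va + sec_size > len(data):
        findings.append("security directory runs past the end of the file")
    return findings


def build_image(sections, signed: bool) -> bytes:
    """Assemble a minimal PE32+ EFI application as constructed test input (not a real bootloader)."""
    file_align = 0x200
    hdr_bytes = 0x40 + 4 + 20 + 240 + 40 * len(sections)
    size_of_headers = (hdr_bytes + file_align - 1) // file_align * file_align
    raw, shdrs, raw_ptr, va = b"", b"", size_of_headers, 0x1000
    for name, chars in sections:
        body = b"\xC3" * file_align                      # placeholder contents (x86 RET bytes)
        shdrs += struct.pack(SECTION_FMT, name, len(body), va, len(body), raw_ptr, 0, 0, 0, 0, chars)
        raw += body
        raw_ptr += len(body)
        va += 0x1000
    cert = b"\0" * 0x100 if signed else b""              # stands in for the appended WIN_CERTIFICATE blob
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (raw_ptr, len(cert)) if signed else (0, 0)  # file offset, not an RVA
    opt = struct.pack(OPT_HDR_FMT, PE32PLUS_MAGIC, 0, 0,
                      file_align, 0, 0, 0x1000, 0x1000,             # SizeOfCode .. BaseOfCode
                      0, 0x1000, file_align,                        # ImageBase, SectionAlignment, FileAlignment
                      0, 0, 0, 0, 0, 0, 0,                          # version fields, Win32VersionValue
                      0x1000 * (len(sections) + 1), size_of_headers, 0,   # SizeOfImage, SizeOfHeaders, CheckSum
                      IMAGE_SUBSYSTEM_EFI_APPLICATION, 0,           # Subsystem, DllCharacteristics
                      0, 0, 0, 0, 0, len(dirs))                     # stack/heap sizes, LoaderFlags, NumberOfRvaAndSizes
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_AMD64, len(sections), 0, 0, 0, len(opt), 0x0022)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    headers = (dos + b"PE\0\0" + coff + opt + shdrs).ljust(size_of_headers, b"\0")
    return headers + raw + cert


# Constructed sample inputs: a well-formed image and one that fails two of the listed requirements.
GOOD_IMAGE = build_image([(b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
                          (b".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)],
                         signed=True)
BAD_IMAGE = build_image([(b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)],
                        signed=False)

if __name__ == "__main__":
    for label, image in (("good", GOOD_IMAGE), ("bad", BAD_IMAGE), ("elf", b"\x7fELF" + b"\0" * 60)):
        print(label, check_bootloader(image) or "passes all checks")
```

Run it against a real `.efi` by reading the file into `check_bootloader`. The W+X test is per section header, which is the static view a reviewer sees; it does not catch code that remaps memory at runtime. Whether the embedded signature actually chains to a trusted certificate is a separate step, for which tools such as `sbverify` (sbsigntools) or `signtool verify` are the usual choice.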