How to install custom Secure Boot keys

This article covers the process of installing custom Secure Boot keys (the ggRock certificates) on an ASRock BIOS on an HP Omen PC. Menu names and the order of prompts will differ on other firmware.

Problem

Windows 11 requires Secure Boot to be enabled. With Secure Boot on, the firmware will only run UEFI executables whose signature chains to a certificate in its Signature Database (db, shown in most BIOS menus as "Authorized Signatures"). The ggRock network boot executables are signed, so the public certificate they were signed with must be loaded into db on every machine before they can boot.

Solution

Install the ggRock Secure Boot certificates.

NOTE:

Each BIOS manufacturer has its own procedure for installing Secure Boot certificates - please consult your motherboard manufacturer's documentation for details.

1. Download the ggRock Secure Boot certificates to a computer and copy them to the root of a freshly formatted USB drive with no other files present. Format the drive as FAT32: UEFI firmware can only read FAT file systems, so an NTFS or exFAT drive will not appear in the file selection dialog.

https://ggrock.com/secureboot/DB.cer
https://ggrock.com/secureboot/DB.crt
https://ggrock.com/secureboot/DB.esl
https://ggrock.com/secureboot/DB.auth

2. Connect the USB drive to the machine you want to configure.

3. Boot the machine into its BIOS configuration utility (usually F2, F10, F12 or ESC during boot).

4. Navigate to the "Security" tab, then to the "Secure Boot" menu item and press <Enter>.

5. Enable Secure Boot, if it is not already enabled.

6. Install the default Secure Boot keys supplied with your motherboard (this is typically a built-in feature of your BIOS).

NOTE:

This step is necessary because the factory defaults contain the Microsoft certificates that the Windows boot manager is signed with. If at some point during the lifetime of the machine the Secure Boot keys have been cleared or altered, those certificates may be missing and Windows will not boot with Secure Boot enabled. Restore the defaults first, then append the ggRock certificate, so that both are present.

7. Append the ggRock toolchain certificate to the Signature Database, db (also called "Authorized Signatures"). Use the "Append" operation, not one that replaces the whole database: replacing db would discard the Microsoft certificates installed in the previous step.

NOTE:

The same certificate is provided in several file formats.

DB.cer and DB.crt contain the X.509 certificate itself; BIOS menus call this format "Public Key Certificate" or "key certificate blob". DB.esl contains the same certificate wrapped in an EFI Signature List, which is the structure the firmware actually stores in db. DB.auth is that signature list with a signed authenticated-variable header on top.

NOTE:

If you are unable to import the .cer or .crt file, you may need to use the .esl file instead, which some BIOS menus refer to as an "Authenticated Variable" or "UEFI Secure Variable".

a. Within the Secure Boot Security Menu, navigate to the "Key Management" menu item and press <Enter>.

b. Navigate to "Authorized Signatures", and press <Enter> to select the menu item to "Append" to the database.

c. Press <Enter> on "Append". The following prompts ask for the file and its Input File Format; which file type (.cer, .crt or .esl) is accepted depends on your motherboard's firmware.

If one format is rejected, try the other options presented.

NOTE:

For the purposes of this example, "Public Key Certificate" was selected.

d. When prompted, select the "No" button to load certificate files from the attached USB drive instead of the factory defaults.

e. Select the attached USB drive containing the ggRock Secure Boot certificate files from the "Select a File system" menu.

f. Select the appropriate certificate file (most likely .crt or .cer) according to your motherboard specifications.

g. From the "Input File Format" menu, select "Public Key Certificate" if you are using the .crt or .cer file format,  or "Authenticated Variable" if you are using the .esl file format.

h. Select the "Yes" button to confirm appending the ggRock Secure Boot certificate to your motherboard's Authorized Signatures database.

8. Confirm successful import of the ggRock Secure Boot certificate.

a. Select the "Details" menu item within the "Authorized Signatures" menu and press <Enter>.

b. Confirm the existence of the "ggRock DB" entry within the "Authorized Signatures" dialog. The Microsoft entries restored in step 6 should still be listed alongside it.

c. Optionally, confirm from a booted Windows: in an elevated PowerShell, Get-SecureBootUEFI -Name db returns the contents of db, and Confirm-SecureBootUEFI reports whether Secure Boot is enforcing.
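The files in step 1 are the same certificate in different containers, and the BIOS dialog in step 8 only shows an entry name. The following Python script is an added example, not part of ggRock's documentation or tooling. It parses the formats behind the .esl and .auth files (EFI_SIGNATURE_LIST and the EFI_VARIABLE_AUTHENTICATION_2 header) so that you can check, before copying the files to the USB drive, that DB.esl and DB.auth really carry the certificate in DB.cer, and afterwards, on a booted Linux with efivarfs, that exactly that certificate is now in db. It assumes DB.cer is DER-encoded (if the fingerprints do not match, convert it first with openssl x509 -inform PEM -outform DER); the file names on the command line and the all-zero SignatureOwner are assumptions of the example.

```python
"""Inspect Secure Boot certificate containers (.esl, .auth, live db).
Added example, not ggRock code; assumes DB.cer is DER-encoded."""
import hashlib
import struct
import sys
import uuid

# GUIDs and constants from the UEFI specification, Secure Boot chapter.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_TYPE_PKCS7_GUID = uuid.UUID("4aafd29d-68df-49ee-8aa9-347d375665a7")
WIN_CERT_TYPE_EFI_GUID = 0x0EF1
DEFAULT_OWNER = uuid.UUID(int=0)  # SignatureOwner is informational; zero is assumed here
# Linux efivarfs exposes db here; the first 4 bytes of the file are the attributes.
DB_EFIVAR_PATH = "/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f"


def parse_esl(data: bytes):
    """[(signature_type, owner, signature_data), ...] for a run of EFI_SIGNATURE_LISTs."""
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(data) or sig_size < 16:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        body = data[off + 28 + hdr_size:off + list_size]
        if len(body) % sig_size:
            raise ValueError("list body is not a multiple of SignatureSize")
        for i in range(0, len(body), sig_size):  # one EFI_SIGNATURE_DATA each
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            entries.append((sig_type, owner, body[i + 16:i + sig_size]))
        off += list_size
    return entries


def build_esl(cert_der: bytes, owner: uuid.UUID = DEFAULT_OWNER) -> bytes:
    """One DER certificate as an X509-type EFI_SIGNATURE_LIST (the .esl layout)."""
    sig_size = 16 + len(cert_der)
    return (EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + sig_size, 0, sig_size)
            + owner.bytes_le + cert_der)


def build_auth(esl: bytes, pkcs7: bytes, timestamp: bytes = bytes(16)) -> bytes:
    """ESL behind an EFI_VARIABLE_AUTHENTICATION_2 header; lays out the structure only, no signing."""
    dw_length = 8 + 16 + len(pkcs7)  # WIN_CERTIFICATE header + CertType GUID + CertData
    return (timestamp + struct.pack("<IHH", dw_length, 0x0200, WIN_CERT_TYPE_EFI_GUID)
            + EFI_CERT_TYPE_PKCS7_GUID.bytes_le + pkcs7 + esl)


def strip_auth_header(data: bytes) -> bytes:
    """ESL payload of a .auth file. The PKCS#7 signature is not verified here;
    the firmware checks it against KEK when the variable is written."""
    if len(data) < 40:
        raise ValueError("too short for EFI_VARIABLE_AUTHENTICATION_2")
    dw_length, _rev, cert_kind = struct.unpack_from("<IHH", data, 16)
    cert_type = uuid.UUID(bytes_le=data[24:40])
    if cert_kind != WIN_CERT_TYPE_EFI_GUID or cert_type != EFI_CERT_TYPE_PKCS7_GUID:
        raise ValueError("not a PKCS#7-signed authenticated variable")
    return data[16 + dw_length:]


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the DER certificate (openssl x509 -inform DER -fingerprint -sha256)."""
    return hashlib.sha256(cert_der).hexdigest()


def cert_in_db(db_data: bytes, cert_der: bytes) -> bool:
    """True if the signature database bytes contain exactly this X.509 certificate."""
    want = fingerprint(cert_der)
    return any(t == EFI_CERT_X509_GUID and fingerprint(d) == want
               for t, _, d in parse_esl(db_data))


def read_efivar(path: str = DB_EFIVAR_PATH) -> bytes:
    """Read a UEFI variable from Linux efivarfs, dropping the 4-byte attribute word."""
    with open(path, "rb") as f:
        return f.read()[4:]


if __name__ == "__main__":
    # Usage: python esl_check.py DB.cer DB.esl DB.auth
    with open(sys.argv[1], "rb") as f:
        cert = f.read()
    print("DB.cer sha256:", fingerprint(cert))
    for path in sys.argv[2:]:
        with open(path, "rb") as f:
            blob = f.read()
        if path.endswith(".auth"):
            blob = strip_auth_header(blob)
        for sig_type, owner, d in parse_esl(blob):
            print(f"{path}: type={sig_type} owner={owner} sha256={fingerprint(d)}")
    try:  # the live check only works on a UEFI Linux host with efivarfs mounted
        print("certificate present in live db:", cert_in_db(read_efivar(), cert))
    except OSError:
        print("live db not readable (no efivarfs, or not a UEFI Linux host)")
```

Every type=a5c059a1-... line printed for DB.esl and DB.auth should show the same sha256 as DB.cer; a different value means the files are not the same certificate. On Windows the same check can be made against the raw bytes that (Get-SecureBootUEFI -Name db).Bytes returns, which parse_esl reads directly since that property carries no attribute prefix.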