Secure Boot in Linux on Asus ExpertBook P5 5405

The Problem

Certain ASUS laptops, including the ExpertBook P5 series (P5405/V5405), lack the necessary Microsoft certificates for Linux to boot with Secure Boot enabled. This creates compatibility issues for Linux users who want to maintain full boot security.

The Solution

This guide provides a method to enable Secure Boot on these laptops by manually installing the required certificates.

Required Certificates

You’ll need two Microsoft UEFI CA certificates:

1. Microsoft UEFI CA 2011 (legacy support)
2. Microsoft UEFI CA 2023 (current)

Both certificates ensure comprehensive compatibility with bootloaders like shimx64.efi and grubx64.efi.

Step-by-Step Guide

1. Download Certificates

First, download both Microsoft UEFI CA certificates from Microsoft’s official sources or trusted certificate repositories. You can download them here:

• Microsoft_UEFI_CA_2011.crt
• microsoft_uefi_ca_2023.crt

2.a) Export to Correct Format

Using Windows (or appropriate tools), export the certificates to:

• Format: Encoded Binary DER X.509 (.CER)

This format is required for the import process.

2.b) or Download them already converted

Alternatively you can download them already converted:

• Microsoft_UEFI_CA_2011.cer
• microsoft_uefi_ca_2023.cer

3. Install Certificates

Use mokutil to import the certificates into your system:

sudo mokutil --import Microsoft_UEFI_CA_2011.cer
sudo mokutil --import Microsoft_UEFI_CA_2023.cer

You’ll be prompted to create a temporary password for each certificate. Remember these passwords for the next step.

4. Reboot and Enroll

1. Reboot your system
2. Enable Secure Boot in BIOS/UEFI settings
3. The MOK Manager will appear on boot
4. Select “Enroll MOK”
5. Enter the temporary passwords you created
6. Confirm the certificate enrollment

5. Verification

After completing the enrollment:

• Your system should boot normally with Secure Boot enabled
• All signed bootloaders will be recognized
• Full boot security is now active

What This Achieves

This method provides:

• ✅ Full boot security with Secure Boot enabled
• ✅ Compatibility with all signed Linux bootloaders
• ✅ Support for both legacy and current certificates
• ✅ No compromise on security

Technical Background

Why This Is Necessary

ASUS ExpertBook P5 laptops ship without the Microsoft certificates that Linux bootloaders are signed with. By manually installing these certificates into the Machine Owner Key (MOK) database, we tell the firmware to trust these signatures.

Certificates Explained

• Microsoft UEFI CA 2011: Legacy certificate, still used by many bootloaders
• Microsoft UEFI CA 2023: Current certificate for newer signed binaries

Installing both ensures maximum compatibility across different Linux distributions and bootloader versions.

Important Notes

Security Considerations

• Only install certificates from trusted sources
• Verify certificate fingerprints when possible
• This method maintains security while enabling Linux compatibility

Alternative Approaches

If this method doesn’t work for you, alternatives include:

• Disabling Secure Boot (less secure)
• Using a distribution with built-in certificate handling
• Contacting ASUS for firmware updates

Conclusion

This guide enables ASUS ExpertBook P5 users to run Linux with full Secure Boot support, maintaining security while ensuring compatibility. The process is straightforward and provides a permanent solution to the certificate issue.

---

Tested on: ASUS ExpertBook P5 5405 Linux Distributions: Ubuntu 24.04. Last Updated: November 2025

🐧🔒