SecureBoot certificates

Hello, I was poking around a F38 system to look over the Secure Boot certificates and found something that may warrant attention. sbattach --detach signature /boot/efi/EFI/BOOT/fbx64.efi openssl pkcs7 -inform DER -in signature -text -print_certs > grub-certs.txt Issuer: CN=Fedora Secure Boot CA Validity Not Before: Dec 7 16:04:24 2012 GMT Not After : Dec 5 16:04:24 2022 GMT Subject: CN=Fedora Secure Boot Signer Not after Dec 5, 2022 ??? I think this is expired. But also Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) I think we should be on 3072 or higher at this point. But what about the shim? sbattach --detach signature /boot/efi/EFI/BOOT/BOOTX64.EFI openssl pkcs7 -inform DER -in signature -text -print_certs > shim-certs.txt Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011 Validity Not Before: Sep 9 19:40:20 2021 GMT Not After : Sep 1 19:40:20 2022 GMT This is also expired. Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) And also not big enough. This raises a questions. Has Microsoft updated their certificate? Is it well distributed such that switching to it will not brick systems? Should Fedora get a new shim for Fedora 39? Can the update move to 3072 to be compliant with CNSA 1.0 requirements? And if so, that also means moving to SHA-384. Or did I miss some system-upgrade step that updates the bootloader? TBH, I am surprised by this finding. But we're all busy and it *is* working. Best, -Steve