NVIDIA UFM Enterprise Appliance Software User Manual

Appendix - Secure Boot Activation and Deactivation

This section provides instructions on how to enable/disable the Secure Boot feature in UFM Enterprise Appliance. 

Enabling Secure Boot

The NVIDIA public certificate needs to be imported into the Machine Owner Key DB (MOK DB) before enabling secure boot. To do so, follow the steps below:

Add NVIDIA Certificate to MOK DB

  1. Download the NVIDIA certificate nv_nbu_kernel_signing_key_pub.der to a temporary folder. 
    Checksums of the file:
    MD5: 18edca2680c471f892b1357669a0c65e
    SHA256: a551489d397171860178f0cd1eb4760560e5c84e60efb8954ad71f1875570d22

    Bash
    cd /tmp
    wget https://www.mellanox.com/downloads/ofed/nv_nbu_kernel_signing_key_pub.der
    ls -ltrh ./nv_nbu_kernel_signing_key_pub.der
    

    Example:

    root@ubuntu:/tmp# ls -ltrh nv_nbu_kernel_signing_key_pub.der
    -rw-r--r-- 1 root root 1.5K Apr   3   2023 nv_nbu_kernel_signing_key_pub.der
    
  2. Import nv_nbu_kernel_signing_key_pub.der into the MOK DB using mokutil:

    Bash
    cd /tmp
    mokutil --import ./nv_nbu_kernel_signing_key_pub.der --root-pw
    

    The certificate is in the enrolled queue at this point. Upon the next server reboot, a 10 second prompt appears at the start of the boot process to confirm the certificate addition. It is important to confirm the certificate addition at this stage. Failure to do so requires you to repeat the procedure.
    To be able to interact with the prompt, a console connection is needed either from the serial port or from the web console available via Remote Management.


    Verify the certificate in the enrolled queue:

    Bash
    mokutil --list-new
    
    SHA1 Fingerprint: be:29:c0:a2:e9:c3:6a:0a:fe:24:9d:2e:f8:8b:a4:41:9d:55:31:04
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 15:e9:8c:9b:f7:93:20:30:4a:c6:90:ef:35:f5:e2:6c:f2:f8:3d:dc
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: O=Mellanox Technologies, CN=Mellanox Technologies signing key/emailAddress=support@mellanox.com
    
  3. Login to Remote Management via https://<iDRAC-ip address>

  4. To open the virtual web console, click on "Dashboard"→"Virtual Console" 

  5. Power cycle the server (at boot startup a 10 second prompt appears to verify the certificate addition)
    On the top menu, go to "Power"→"Reset System (warm boot)" and confirm the action.

  6. The server will now reboot.

  7. At boot startup, a confirmation prompt appears to verify certificate addition. The prompt closes after 10 seconds, so if missed, the certificate addition procedure needs to be done again.
    When the prompt appears, press any key to interact.

  8. Navigate to "Enroll MOK"

  9. View the certificate to be enrolled. To verify, press "View key0".

  10. Press "Enter" to exit the view.

  11. Select "Continue" from the menu and press Enter.

  12. Select "Yes" from the menu, and press Enter.

  13. When the password prompt appears, enter the OS root user credentials. 


  14. Select "Reboot" and press Enter. After the reboot is completed, the certificate is enrolled.


Enable Secure Boot

  1. Login to Remote Management available via https://<iDRAC-ip address>

  2. Navigate to "Configuration" → "BIOS Settings" → "System Security" and press the drop down menu (arrow). 

  3. Scroll down to "Secure Boot" and select "Enabled" from the drop menu. Click the "Apply" button. 

  4. Scroll to the bottom of the page and click the "Apply And Reboot" button; this reboots the server and applies the configuration. 

  5. An information popup appears. Click the "Job Queue" button (the job queue can also be reached from "Maintenance" → "Job Queue"). 

  6. Wait for the Jobs to finish and reach 100%. 

  7. Validate from the terminal that secure boot is enabled and active, and that the NVIDIA certificate is enrolled:

    Bash
    mokutil --sb-state
    mokutil --list-enrolled | grep -i mellanox
    

  8. Example: 

    root@ubuntu:~# mokutil --sb-state
    SecureBoot enabled
    root@ubuntu:~# mokutil --list-enrolled | grep -i mellanox
            Issuer: O=Mellanox Technologies, CN=Mellanox Technologies signing key/emailAddress=support@mellanox.com
            Subject: O=Mellanox Technologies, CN=Mellanox Technologies signing key/emailAddress=support@mellanox.com
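The following shell helpers are an added example, not part of the UFM manual or the appliance: they verify the downloaded certificate against the SHA256 checksum given in step 1 of the enrollment procedure, and check the `mokutil --sb-state` and `mokutil --list-enrolled` results from the validation step. The functions take command output as text, so they can be tried offline; on the appliance they are fed the real output, as shown in the trailing comments.

```shell
#!/bin/sh
# Added example, not from the UFM manual: checks for the enrollment and
# Secure Boot enablement procedure above. Each check takes command output as
# text so it can be exercised offline; on the appliance, pass the real output.

# sha256 of nv_nbu_kernel_signing_key_pub.der as published in the manual.
NV_CERT_SHA256="a551489d397171860178f0cd1eb4760560e5c84e60efb8954ad71f1875570d22"

# Return 0 if the sha256 of file $1 equals digest $2. Run this before
# `mokutil --import`: wget alone does not detect a corrupted or substituted file.
verify_cert_checksum() {
    _actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$_actual" = "$2" ]
}

# Return 0 if `mokutil --sb-state` output ($1) reports Secure Boot as enabled.
sb_enabled() {
    printf '%s\n' "$1" | grep -q '^SecureBoot enabled$'
}

# Print how many certificates in `mokutil --list-enrolled` (or --list-new)
# output ($1) carry the Mellanox/NVIDIA issuer shown in the manual.
count_mellanox_keys() {
    printf '%s\n' "$1" | grep -c 'Issuer: O=Mellanox Technologies' || true
}

# Combined check: Secure Boot on and at least one NVIDIA key enrolled.
# $1 = `mokutil --sb-state` output, $2 = `mokutil --list-enrolled` output.
check_secure_boot_state() {
    if ! sb_enabled "$1"; then
        echo "FAIL: Secure Boot is not enabled"
        return 1
    fi
    _n=$(count_mellanox_keys "$2")
    if [ "$_n" -lt 1 ]; then
        echo "FAIL: NVIDIA certificate is not enrolled in the MOK DB"
        return 1
    fi
    echo "OK: Secure Boot enabled, $_n NVIDIA key(s) enrolled"
}

# Typical use on the appliance (root shell, mokutil installed):
#   verify_cert_checksum /tmp/nv_nbu_kernel_signing_key_pub.der "$NV_CERT_SHA256"
#   check_secure_boot_state "$(mokutil --sb-state)" "$(mokutil --list-enrolled)"
```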

Disable Secure Boot

Disabling secure boot is not recommended and may cause security issues. 


Secure Boot needs to be disabled prior to removing the NVIDIA public certificate.

The removal of the certificate is optional and can be skipped if secure boot should be re-enabled at some point in the future.

Disable Secure Boot in the BIOS

  1. Login to Remote Management (https://<iDRAC-ip address>)

  2. Navigate to "Configuration" → "BIOS Settings" → "System Security" and press the drop menu (arrow). 

  3. Scroll down to "Secure Boot" and select "Disabled" from the drop menu, and click the "Apply" button. 

  4. Scroll to the bottom of the page and click on the "Apply And Reboot" button; this will reboot the server and perform the configuration. 

  5. An information popup appears. Click the "Job Queue" button (the job queue can also be reached from "Maintenance" → "Job Queue").

  6. Wait for the completion of the jobs (reach 100%).  

  7. Validate that secure boot is disabled (from the terminal).

    Bash
    mokutil --sb-state
    


    root@ubuntu:/tmp# ls -ltrh mlnx_signing_key_pub.der
    -rw-r--r-- 1 root root 1.5K Feb 23  2017 mlnx_signing_key_pub.der
    

Remove the NVIDIA Certificate from MOK DB

Perform this step if you want to entirely remove NVIDIA's certificate from MOK DB. This step is optional and is not required to disable secure boot. Skip this if you wish to enable secure boot at a later time.

  1. Login as root to the UFM server.

  2. Check current enrolled certificates.

    Bash
    mokutil --list-enrolled 
    

    Search for "Issuer: O=Mellanox Technologies.." and note the key ID above the start of this certificate:

    root@ubuntu:~# mokutil --sb-state
    SecureBoot enabled
    
  3. Download nv_nbu_kernel_signing_key_pub.der to a temporary folder (the DER certificate file must be present to be deleted). If the certificate is not available for download, it can be exported from the MOK DB instead.

    Bash
    cd /tmp
    wget https://www.mellanox.com/downloads/ofed/nv_nbu_kernel_signing_key_pub.der
    

    Or export the currently enrolled keys (each is written as MOK-000X.der) and search them for the NVIDIA certificate.

    Bash
    cd /tmp
    mokutil --export 
    grep "Mellanox" MOK-0*
    
    root@ubuntu:~# mokutil --list-enrolled | grep -i mellanox
            Issuer: O=Mellanox Technologies, CN=Mellanox Technologies signing key/emailAddress=support@mellanox.com
            Subject: O=Mellanox Technologies, CN=Mellanox Technologies signing key/emailAddress=support@mellanox.com
    


    Validate the certificate:

    Bash
    openssl x509 -inform der -in MOK-0002.der -noout -issuer
    


    root@ubuntu:~# openssl x509 -inform der -in MOK-0002.der -noout -issuer
            Issuer: O=Mellanox Technologies, CN=Mellanox Technologies signing key/emailAddress=support@mellanox.com
    


  4. Remove the certificate from the MOK DB. The example below uses MOK-0002.der; the file name on your system might differ.

    Bash
    mokutil --delete ./MOK-0002.der --root-pw
    

    Validate that the deletion is queued by running:

    Bash
    mokutil --list-delete
    


    SHA1 Fingerprint: be:29:c0:a2:e9:c3:6a:0a:fe:24:9d:2e:f8:8b:a4:41:9d:55:31:04
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 15:e9:8c:9b:f7:93:20:30:4a:c6:90:ef:35:f5:e2:6c:f2:f8:3d:dc
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: O=Mellanox Technologies, CN=Mellanox Technologies signing key/emailAddress=support@mellanox.com
    

    The certificate is in the deletion queue at this point. Upon the next server reboot, a 10 second prompt appears at the start of the boot process to confirm the certificate deletion. It is important to confirm the certificate deletion at this stage. Failure to do so requires you to repeat the procedure.
    To be able to interact with the prompt, a console connection is needed either from the serial port or from the web console available via Remote Management.

  5. Login to Remote Management (https://<iDRAC-ip address>)

  6. Click on "Dashboard"→"Virtual Console" to open the virtual web console. 

  7. Power cycle the server (at boot startup, a 10 second prompt appears to verify the certificate deletion).
    On the top menu: "Power" → "Reset System (warm boot)".

  8. The server now reboots.

  9. Once the startup procedure begins, a confirmation prompt appears to verify certificate deletion. The prompt closes after 10 seconds; if missed, the certificate deletion procedure needs to be repeated.
    Once the prompt appears, press any key to interact.

  10. Navigate to "Delete MOK". 

  11. View the certificate to be deleted. To verify, press "View key0".

  12. Press "Enter" to exit the view.

  13. Select "Continue" from the menu and press the Enter key.

  14. Select "Yes" from the menu and press the Enter key.

  15. Once a password prompt appears, enter the OS root user credentials. 



  16. Select "Reboot" from the menu and press Enter. Upon reboot completion, the certificate is removed.
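The helpers below are an added example, not part of the UFM manual or the appliance, for the export-and-identify step of the removal procedure (step 3 above): instead of grepping the binary DER files, they read each exported MOK-*.der file's issuer with openssl to find the NVIDIA certificate, and then confirm from `mokutil --list-delete` output that the deletion is queued. They assume `mokutil --export` has already been run in the given directory and that openssl is installed.

```shell
#!/bin/sh
# Added example, not from the UFM manual: locate the NVIDIA certificate among
# the files written by `mokutil --export` by reading each file's issuer with
# openssl instead of grepping the binary DER, and confirm that the deletion
# queue (`mokutil --list-delete` output) contains it.

# Print each MOK-*.der file in directory $1 whose issuer is Mellanox/NVIDIA.
# Return 0 if at least one was found, 1 otherwise. Both OpenSSL issuer
# spellings ("O=Mellanox" and "O = Mellanox") are accepted.
find_nvidia_mok_file() {
    _found=1
    for _f in "$1"/MOK-*.der; do
        [ -f "$_f" ] || continue
        if openssl x509 -inform der -in "$_f" -noout -issuer 2>/dev/null |
                grep -q 'O *= *Mellanox Technologies'; then
            echo "$_f"
            _found=0
        fi
    done
    return $_found
}

# Return 0 if `mokutil --list-delete` output ($1) lists the NVIDIA certificate,
# i.e. the deletion is queued and will be confirmed at the next boot prompt.
in_delete_queue() {
    printf '%s\n' "$1" | grep -q 'Issuer: O=Mellanox Technologies'
}

# Typical use on the appliance (root shell, after `cd /tmp && mokutil --export`):
#   cert=$(find_nvidia_mok_file /tmp) || { echo "NVIDIA key not found"; exit 1; }
#   mokutil --delete "$cert" --root-pw
#   in_delete_queue "$(mokutil --list-delete)" && echo "deletion queued"
```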
