Unable to import certificate on OL8.5 UEK6 server running in VMWare

jtaylor_75

Having an issue importing a cert using mokutil on a OL8.5 UEK6 instance (kernel 5.4.17-2136.305.5.3.el8uek.x86_6) running in VMWare ESXi, 7.0.2, 17867351.

We run

# sudo mokutil --import <cert file>

# Reboot

Mokutil import utility starts, cert appears to import. After reboot cert shows when running 'mokutil --list-enrolled' but does not show as being loaded in dmesg log or in /proc/keys.

We have a virtually identical instance running on Hyper-V, same kernel and all, that is not having this issue. We are able to import the cert on the instance running in Hyper-V and it shows in /proc/keys. Thinking the issue may be specific to VMWare, but we're not sure how? We have tried with secure boot off and on and still have the same issue. This is a public code signing cert for CrowdStrike Falcon Endpoint Protection that we are trying to import. We're reaching out to vendors as well but so far no one has had a solution. Thought I would try here to see if anyone else has seen this?

evanderv

Exact same issue over here. I thought this would have been fixed by UEK6 R3, but the key is not loaded by the UEK.

Booting with a RHCK does actually load the kernel from UEFI, so we're currently moving to RHCK.

The only lead I've been able to find is this: https://docs.oracle.com/en/learn/mokutil-uefi/index.html

It says one should not use mokutil on UEK6R3 because of undisclosed issues. I'm unable to find any documented issue, other than your and my experience.

Sergio-Oracle

I think the documentation is referring to UEK R3 there, not UEK(R)6U3.

Warning: Issues exist when using the MOK utility with UEK R3. If you are using this kernel, do not proceed with this tutorial.

What version of UEK and shim do you have?