On Tue, Aug 3, 2021 at 12:02 PM Freek de Kruijf <freek@opensuse.org> wrote: ...
Install or force reinstall openSUSE-signkey-cert, reboot, perform certificate enrollment in MokManager screen. The password MokManager expects is operating system root user password.
Or if package is already installed just manually create enrollment request using
mokutil --import /etc/uefi/certs/BDD31A9E-kmp.crt
it will ask for password to use in MokManager. Reboot, confirm certificate enrollment in MokManager screen.
https://en.opensuse.org/openSUSE:UEFI#Enroll_MOK_certificate_with_mokutil_.2 8x86.2A_only.29
I tried this procedure, but did not succeed.
Which of the two procedures listed above?
Maybe my situation is different. It is: Secure multi-boot laptop with openSUSE 15.2, 15.3, Tumbleweed and Windows Booting 15.3 gives error, caused by wrong certificate. I used Tumbleweed for
At which point? BIOS cannot load shim, shim cannot load grub, grub cannot load kernel, some errors after kernel is loaded and started (although I am not sure what would display these errors during boot)?
the above procedure.
Did you verify that certificates are the same? I do not know. But if you have a problem with 15.3 you should use whatever is delivered with and for 15.3.
Booting 15.2 succeeds also. Entering both certificates using "mokutil --import" gives that they are already present.
Who are "they"? But educated guess is that you are booting using openSUSE shim which embeds openSUSE certificate which is the reason mokutil says this certificate is already present.
Booting MokManager.efi and choosing Enroll from disk gives
I never said to choose "enroll from disk" so you must have been following some other procedure.
all kinds of things to choose from; in fact they are folders. I tried all, but afterwards I am still unable to boot 15.3. When I list available certificates I only see one.
What am I doing wrong?
It is difficult to understand what you are doing. Anyway, this is out of place on this list. Post your question to support list and provide 1. output of efibootmgr -v 2. mokutil --list-enrolled 3. full script of "mokutil --import" including full invocation and all messages. 4. Description at which point during boot you get an error and screenshot/photo of this error (upload to https://susepaste.org/). Even better would be a photo of each boot step starting from the very first screen until you get this error.