Well in case of our kernel it's guaranteed as the CA cert is built into shim. The whole setup in obs is made so shim, grub and kernel match and work out of the box. So the case where the sign key chains back to our our CA cert can be optimized. So far we never imported the sign key itself either after all and relied on the CA only.