(In reply to Gary Ching-Pang Lin from comment #23)
> One possible solution would be to make mokutil read keys from kernel
> keyring, so it can avoid enrolling the key built in kernel. Have to do some
> research on the kernel keyring.

The following command can be used to print the kernel embedded key:

# keyctl list %:.builtin_trusted_keys
1 key in keyring:
73874993: ---lswrv 0 0 asymmetric: SUSE Linux Enterprise Secure Boot Signkey: 4ab0c697c91073276c27deff3c220fb007e1de61

The above fingerprint is from the "X509v3 Subject Key Identifier" in the x509 certificate:

        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                4A:B0:C6:97:C9:10:73:27:6C:27:DE:FF:3C:22:0F:B0:07:E1:DE:61

openssl with a sed command can be used to extract the Subject Key Identifier, e.g.
https://stackoverflow.com/questions/53896785/how-to-extract-subject-key-identifier-from-x509-certificate-through-openssl

The above "Subject Key Identifier" can be compared with the result of "keyctl list"; then mokutil can avoid the kernel embedded key.
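
The comparison described in the comment above, as an added example (not code from this bug report or from mokutil): it normalizes the Subject Key Identifier from openssl's text output and checks it against the ids in "keyctl list" output. The function names and cert.der are hypothetical, and the sample inputs are constructed from the values quoted in the comment.

```shell
#!/bin/sh
# Constructed sample inputs, built from the values quoted in the comment above.
KEYCTL_SAMPLE='1 key in keyring:
73874993: ---lswrv 0 0 asymmetric: SUSE Linux Enterprise Secure Boot Signkey: 4ab0c697c91073276c27deff3c220fb007e1de61'
X509_SAMPLE='        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                4A:B0:C6:97:C9:10:73:27:6C:27:DE:FF:3C:22:0F:B0:07:E1:DE:61'

# stdin: "openssl x509 -noout -text" output.
# stdout: the SKI as lowercase hex without colons, the form keyctl prints.
ski_from_x509_text() {
    awk '/X509v3 Subject Key Identifier/ { getline; print; exit }' |
        tr -d ' \t:' | tr 'A-F' 'a-f'
}

# stdin: "keyctl list" output.
# stdout: the trailing hex id of every asymmetric key, one per line.
keyring_ids() {
    sed -n 's/^.*asymmetric: .*: \([0-9a-fA-F]\{1,\}\)[[:space:]]*$/\1/p' |
        tr 'A-F' 'a-f'
}

# $1: SKI (with or without colons); stdin: "keyctl list" output.
# Returns 0 if the key is in the keyring, 1 if not, 2 if no SKI was given.
is_builtin_key() {
    want=$(printf '%s' "$1" | tr -d ' :' | tr 'A-F' 'a-f')
    [ -n "$want" ] || return 2
    keyring_ids | grep -qxF -- "$want"
}

# Demo on the constructed samples.
ski=$(printf '%s\n' "$X509_SAMPLE" | ski_from_x509_text)
if printf '%s\n' "$KEYCTL_SAMPLE" | is_builtin_key "$ski"; then
    echo "$ski is built into the kernel, skip enrollment"
fi

# Live use (cert.der is a hypothetical path):
#   ski=$(openssl x509 -inform DER -in cert.der -noout -text | ski_from_x509_text)
#   keyctl list %:.builtin_trusted_keys | is_builtin_key "$ski"
```

The match is exact and whole-line, so a SKI that is only a prefix or substring of a keyring id is not treated as already enrolled.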