2.2.3.2 Removing Keys for Secure Boot Using mokutil

On bare metal database servers and KVM hosts, you can remove keys associated with Secure Boot using the Machine Owner Keys (MOK) utility (mokutil).

You must run the mokutil command as the root user.

You can run mokutil --help to view additional details about the mokutil command.

WARNING:

Ensure that you do not alter or remove the Oracle-supplied keys and certificates included with the system. To identify an Oracle-supplied key, examine the corresponding certificate and look for Oracle (O=Oracle America Inc.) in the subject information. For example:

# mokutil --list-enrolled
[key 1]
SHA1 Fingerprint: 5f:f4:35:5a:49:ec:8d:f1:56:d1:ee:9b:ac:f6:19:54:08:77:d3:59
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            21:b3:c1:01:19:dc:af:44:43:15:8b:0f:33:6b:18:be
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, 
            CN=Symantec Class 3 Extended Validation Code Signing CA - G2
        Validity
            Not Before: Jun 30 00:00:00 2020 GMT
            Not After : Jul  1 23:59:59 2021 GMT
        Subject: jurisdictionC=US/jurisdictionST=Delaware/businessCategory=Private Organization/serialNumber=2101822, 
            C=US/postalCode=94065, ST=California, L=Redwood City/street=500 Oracle Parkway, 
            O=Oracle America Inc., OU=Winqual, CN=Oracle America Inc.
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
...
  1. Identify the key that you want to remove by examining the output from the following command:
    # mokutil --list-enrolled
  2. Export the key certificates using the following command:
    # mokutil --export

    The command outputs a DER-formatted X509 certificate file for every enrolled key. Examine the file(s) and locate the certificate(s) you want to remove.

  3. Delete the certificate(s) associated with the key(s) that you want to remove.

    For example:

    # mokutil --delete my_certificate.der

    When prompted, specify a MOK management password. Ensure that you remember the password because it is required to complete MOK deletion after you reboot the system.

    Note:

    • If required, you can use the mokutil command to delete multiple certificates at once by providing a list of DER-formatted X509 certificate files. For example:

      # mokutil --delete my_certificate.der my_certificate2.der my_certificate3.der

      If you delete multiple certificates, the keys are later identified in the MOK management interfaces as Key 0, Key 1, Key 2, and so on.

    • If you discover any issues with the certificate(s) you marked for deletion, you can revoke the deletion at any time before the keys are removed from the UEFI Secure Boot key database by running:

      # mokutil --revoke-delete
  4. Record details about the key and associated certificate for identification purposes in the following steps.

    Record the output from the following command:

    # mokutil --list-delete
  5. Reboot the system from the system console.

    On a physical server, you can view the system console by connecting to the Integrated Lights Out Manager (ILOM) subsystem and then running the following command from the ILOM prompt:

    -> start -script /SP/console

    After connecting to the system console, you can reboot the system by logging in as the root user and running:

    # shutdown -r now
  6. Observe the system console and press any key to perform MOK management when prompted.
  7. In the Perform MOK management screen, select the Delete MOK menu option.
  8. Select the View key 0 menu option and verify that the key details match the key that you want to delete.

    If you are deleting multiple keys, verify all of the key details using View key 1, View key 2, and so on.

  9. Delete the key(s).
    1. Return to the Delete MOK screen.
    2. Select the Continue option.
    3. Select Yes in the Delete the key(s)? dialog.
    4. When prompted, supply the MOK management password you specified earlier when deleting the key certificate(s).

    The key(s) are now removed from the UEFI Secure Boot key database.

  10. In the Perform MOK management screen, select the Reboot menu option.
  11. After the system reboots, confirm that the key is deleted by examining the output from the following command:
    # mokutil --list-enrolled
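The procedure above hinges on step 1 and on the warning that precedes it: before marking anything for deletion, you must be sure which enrolled keys are Oracle-supplied (O=Oracle America Inc. in the certificate Subject) and which are candidates for removal. The following shell script is an added example, not Oracle's own tooling: it parses output in the format that mokutil --list-enrolled prints (as shown in the warning above) and tags each key by its SHA1 fingerprint as ORACLE-SUPPLIED or CANDIDATE. The sample input embedded in the script is constructed for offline demonstration; key 1 reuses the Oracle certificate shown on this page, while key 2, its fingerprint and its "Example Corp" subject are made up. On a real system you run it as root against the live command.

```shell
#!/bin/sh
# Added example (not Oracle's code): classify keys listed by
# `mokutil --list-enrolled` using the documented check for
# "O=Oracle America Inc." in the certificate Subject.
#
# Usage on a live system (as root):
#   mokutil --list-enrolled | classify_mok_keys
#   mokutil --list-enrolled | removal_candidates

# Read --list-enrolled style output on stdin and print one line per key:
#   key <n> <sha1 fingerprint> <ORACLE-SUPPLIED|CANDIDATE>
# Only the Subject block is inspected (the Issuer is ignored), and the
# Subject may span several continuation lines, as it does for Oracle keys.
classify_mok_keys() {
    awk '
        function flush() {
            if (key != "") {
                cls = (subject ~ /O=Oracle America Inc\./) ? "ORACLE-SUPPLIED" : "CANDIDATE"
                print "key " key " " fp " " cls
            }
        }
        /^\[key [0-9]+]/ {
            flush()
            key = $2; key = substr(key, 1, length(key) - 1)   # strip trailing "]"
            fp = ""; subject = ""; in_subject = 0
            next
        }
        /^SHA1 Fingerprint:/ { fp = $3; next }
        /Subject Public Key Info:/ { in_subject = 0; next }   # end of Subject block
        /^[ \t]*Subject:/ {
            in_subject = 1
            sub(/^[ \t]*Subject:[ \t]*/, "")
            subject = $0
            next
        }
        in_subject { sub(/^[ \t]+/, ""); subject = subject " " $0 }  # continuation line
        END { flush() }
    '
}

# Print only the fingerprints of keys that are NOT Oracle-supplied,
# i.e. the ones you may legitimately consider for `mokutil --delete`.
removal_candidates() {
    classify_mok_keys | awk '$4 == "CANDIDATE" { print $3 }'
}

# Constructed sample of --list-enrolled output: key 1 is the Oracle
# certificate from the documentation; key 2 is an invented non-Oracle key
# with a placeholder fingerprint.
sample_list_enrolled() {
cat <<'EOF'
[key 1]
SHA1 Fingerprint: 5f:f4:35:5a:49:ec:8d:f1:56:d1:ee:9b:ac:f6:19:54:08:77:d3:59
Certificate:
    Data:
        Version: 3 (0x2)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network,
            CN=Symantec Class 3 Extended Validation Code Signing CA - G2
        Subject: jurisdictionC=US/jurisdictionST=Delaware/businessCategory=Private Organization/serialNumber=2101822,
            C=US/postalCode=94065, ST=California, L=Redwood City/street=500 Oracle Parkway,
            O=Oracle America Inc., OU=Winqual, CN=Oracle America Inc.
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
[key 2]
SHA1 Fingerprint: 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33
Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: C=US, O=Example Corp, CN=Example Secure Boot CA
        Subject: C=US, O=Example Corp, CN=Example Kernel Module Signing Key
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
EOF
}

# Demonstration on the constructed sample (no root, no mokutil needed).
sample_list_enrolled | classify_mok_keys
```

The fingerprint printed for each key is the value to match against the DER files produced by mokutil --export in step 2: `openssl x509 -inform DER -noout -sha1 -fingerprint -in <file>.der` prints the same SHA1 fingerprint for an exported certificate, so you can pair each file with its enrolled key before passing it to mokutil --delete, and again when checking the result of step 11.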