A PowerShell script for reading and exporting UEFI Secure Boot certificates and signatures directly from firmware. This tool retrieves Platform Key (PK), Key Exchange Key (KEK), signature database (DB), and forbidden signatures database (DBX) entries, providing detailed information about each certificate and optional export functionality.
Secure Boot is a critical security feature in UEFI firmware that ensures only trusted software loads during the boot process. Managing and auditing these certificates is essential for maintaining system security and compliance.
Get-UEFICertificate simplifies this process by:
- Reading certificates directly from UEFI firmware variables
- Parsing EFI Signature List (ESL) format data
- Displaying certificate details in a structured, readable format
- Exporting certificates to PEM-encoded files for further analysis or backup
- Retrieving forbidden signatures (DBX) including both certificates and hashes
- Comprehensive Certificate Retrieval - Access PK, KEK, DB, and DBX certificates from UEFI firmware
- Forbidden Signatures Database (DBX) - Retrieve blocked certificates and hashes from the DBX database
- Flexible Output - View certificate details on screen or export to files
- Hash Support - Optionally include SHA256 and SHA1 hash entries from the signature databases
- PEM Format Export - Save certificates in industry-standard base64-encoded format
- Hash File Export - Save hash entries to text files (one hash per line) when using -OutFile with -IncludeHashes
- Detailed Certificate Information - View subject, issuer, thumbprint, validity dates, and serial numbers
- Secure Boot Status Check - Automatically verifies Secure Boot availability and status
- Operating System: Windows 10/11 or Windows Server 2016+
- PowerShell: Version 5.1 or later
- Privileges: Administrator rights required
- UEFI: System must support UEFI with Secure Boot
```powershell
# Install the script from the PowerShell Gallery
Install-Script -Name Get-UEFICertificate -Scope CurrentUser
```

```powershell
# Download the script directly from GitHub
Invoke-WebRequest -Uri "https://github.com/richardhicks/uefi/raw/main/Get-UEFICertificate.ps1" -OutFile "Get-UEFICertificate.ps1"
```

```powershell
git clone https://github.com/richardhicks/uefi.git
cd uefi
```

Retrieve all Secure Boot certificates:

```powershell
.\Get-UEFICertificate.ps1
```

| Parameter | Type | Description |
|---|---|---|
| -CertificateType | String[] | Specifies certificate type(s) to retrieve. Valid values: All, PK, KEK, DB, DBX. Default: All. Note: All includes PK, KEK, and DB — DBX must be explicitly specified. |
| -OutFile | Switch | Enables saving certificates to files. When combined with -IncludeHashes, hashes are written to text files (dbhashes.txt, dbxhashes.txt). |
| -OutPath | String | Folder path for exported certificates. Default: current working directory. The directory is created automatically if it doesn't exist. |
| -IncludeHashes | Switch | Includes SHA256/SHA1 hash entries in output |
Retrieve all certificates:

```powershell
.\Get-UEFICertificate.ps1
```

Get only the Platform Key (PK):

```powershell
.\Get-UEFICertificate.ps1 -CertificateType PK
```

Get PK and KEK certificates:

```powershell
.\Get-UEFICertificate.ps1 -CertificateType PK, KEK
```

Include hash entries in output:

```powershell
.\Get-UEFICertificate.ps1 -IncludeHashes
```

Export all certificates to temp directory:

```powershell
.\Get-UEFICertificate.ps1 -OutFile
```

Export certificates to a specific folder:

```powershell
.\Get-UEFICertificate.ps1 -OutFile -OutPath "C:\SecureBoot\Certificates"
```

Export only DB certificates to a custom location:

```powershell
.\Get-UEFICertificate.ps1 -CertificateType DB -OutFile -OutPath "C:\Backup\UEFI"
```

Retrieve DBX (forbidden signatures) certificates:

```powershell
.\Get-UEFICertificate.ps1 -CertificateType DBX
```

Retrieve all DBX entries including hashes:

```powershell
.\Get-UEFICertificate.ps1 -CertificateType DBX -IncludeHashes
```

Export DBX entries with hashes to a specific folder:

```powershell
.\Get-UEFICertificate.ps1 -CertificateType DBX -IncludeHashes -OutFile -OutPath "C:\SecureBoot"
```

When conducting security audits or compliance assessments, you need to document the Secure Boot certificate chain on managed systems.
```powershell
# Export all certificates for documentation
.\Get-UEFICertificate.ps1 -OutFile -OutPath "C:\Audit\SecureBoot"

# Include hashes for complete audit trail
.\Get-UEFICertificate.ps1 -IncludeHashes | Export-Csv -Path "C:\Audit\SecureBootCerts.csv" -NoTypeInformation
```

Monitor certificate validity to prevent unexpected Secure Boot failures due to expired certificates.

```powershell
# Check certificate expiration dates
$certs = .\Get-UEFICertificate.ps1
$certs | Where-Object { $_.Expires -lt (Get-Date).AddDays(90) } |
    Select-Object Type, Subject, Expires |
    Format-Table -AutoSize
```

Before updating BIOS/UEFI firmware or making Secure Boot configuration changes, back up existing certificates.

```powershell
# Create timestamped backup
$backupPath = "C:\Backup\UEFI_$(Get-Date -Format 'yyyyMMdd_HHmmss')"
.\Get-UEFICertificate.ps1 -OutFile -OutPath $backupPath
```

Verify certificate consistency across multiple systems in your environment.

```powershell
# Get certificate thumbprints for comparison
$certs = .\Get-UEFICertificate.ps1
$certs | Select-Object Type, Subject, Thumbprint | Format-Table -AutoSize
```

When diagnosing Secure Boot problems, examine the certificate database for missing or invalid entries.

```powershell
# Display detailed certificate information
.\Get-UEFICertificate.ps1 -Verbose

# Check for parsing errors
$certs = .\Get-UEFICertificate.ps1
$certs | Where-Object { $_.ParseError -ne $null } |
    Select-Object Type, Subject, ParseError
```

Identify certificates added by device manufacturers or third-party software.

```powershell
# List all DB certificates with issuer information
.\Get-UEFICertificate.ps1 -CertificateType DB |
    Select-Object Subject, Issuer, Issued, Expires |
    Format-Table -AutoSize
```

When preparing to enroll custom Secure Boot keys, first document existing certificates.

```powershell
# Document existing keys before enrollment
.\Get-UEFICertificate.ps1 |
    Select-Object Type, Subject, Thumbprint, Issued, Expires |
    Export-Csv -Path ".\PreEnrollment_Certificates.csv" -NoTypeInformation
```

The script returns PSCustomObject instances with the following properties:
| Property | Description |
|---|---|
| Type | Certificate type (PK, KEK, DB, or DBX) |
| Description | Human-readable description |
| Index | Certificate index within its type |
| SignatureType | UEFI signature type GUID |
| OwnerGuid | Certificate owner GUID |
| CertificateSize | Size in bytes |
| Subject | Certificate subject |
| Issuer | Certificate issuer |
| Thumbprint | Certificate thumbprint/hash |
| Issued | Certificate issue date |
| Expires | Certificate expiration date |
| SerialNumber | Certificate serial number |
| ParseError | Error message if parsing failed |
| RawData | Raw certificate bytes |
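The properties above are what the script recovers from the EFI Signature List (ESL) structures stored in the PK, KEK, DB and DBX variables. As an added example, not code from the Get-UEFICertificate project, the following PowerShell walks that format over a buffer constructed in-line and emits objects using the same property names. The three signature-type GUIDs are the ones defined by the UEFI specification; the function names, the extra `Hash` property, the placeholder owner GUID and the sample buffer are assumptions made for this example. On a real Windows host the same parser can be pointed at the raw bytes returned by the built-in `Get-SecureBootUEFI` cmdlet, for example `(Get-SecureBootUEFI -Name db).Bytes`.

```powershell
# Added example (not part of the Get-UEFICertificate project): a parser for the
# EFI_SIGNATURE_LIST (ESL) format in which the PK, KEK, db and dbx variables are stored.
# The input below is constructed in-line; on a real system the parser can be fed
# (Get-SecureBootUEFI -Name db).Bytes instead.

# Signature type GUIDs from the UEFI specification
$EfiCertSha256Guid = [guid]'c1c41626-504c-4092-aca9-41f936934328'
$EfiCertX509Guid   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'
$EfiCertSha1Guid   = [guid]'826ca512-cf10-4ac9-b187-be01496631bd'

function ConvertFrom-EfiSignatureList {
    # Walks every EFI_SIGNATURE_LIST in $Data and emits one object per EFI_SIGNATURE_DATA.
    # $Type is a label (PK, KEK, DB, DBX) carried through to the output.
    param(
        [Parameter(Mandatory)][byte[]]$Data,
        [string]$Type = 'DB'
    )

    $offset = 0
    while ($offset + 28 -le $Data.Length) {
        # Header: SignatureType GUID (16 bytes) followed by SignatureListSize,
        # SignatureHeaderSize and SignatureSize (three little-endian UINT32s)
        $sigType    = [guid]::new([byte[]]$Data[$offset..($offset + 15)])
        $listSize   = [int][BitConverter]::ToUInt32($Data, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($Data, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($Data, $offset + 24)

        # Firmware content is untrusted input: refuse sizes that would run past the buffer,
        # or entry sizes too small to hold the owner GUID, instead of reading garbage
        if ($listSize -lt 28 -or ($offset + $listSize) -gt $Data.Length -or $sigSize -le 16) {
            throw "Malformed EFI_SIGNATURE_LIST header at offset $offset"
        }

        $entryOffset = $offset + 28 + $headerSize
        $listEnd     = $offset + $listSize
        $index       = 0

        # Each EFI_SIGNATURE_DATA is SignatureOwner GUID (16 bytes) followed by the payload
        while (($entryOffset + $sigSize) -le $listEnd) {
            $owner   = [guid]::new([byte[]]$Data[$entryOffset..($entryOffset + 15)])
            $payload = [byte[]]$Data[($entryOffset + 16)..($entryOffset + $sigSize - 1)]

            $entry = [pscustomobject]@{
                Type = $Type; Index = $index; SignatureType = $sigType; OwnerGuid = $owner
                Subject = $null; Issuer = $null; Thumbprint = $null; Issued = $null; Expires = $null
                Hash = $null; ParseError = $null
            }

            if ($sigType -eq $EfiCertX509Guid) {
                # DER-encoded X.509 certificate; a corrupt entry sets ParseError instead of aborting
                try {
                    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($payload)
                    $entry.Subject    = $cert.Subject
                    $entry.Issuer     = $cert.Issuer
                    $entry.Thumbprint = $cert.Thumbprint
                    $entry.Issued     = $cert.NotBefore
                    $entry.Expires    = $cert.NotAfter
                }
                catch { $entry.ParseError = $_.Exception.Message }
            }
            elseif ($sigType -eq $EfiCertSha256Guid -or $sigType -eq $EfiCertSha1Guid) {
                # Raw digest of a binary (allowed in db, blocked in dbx), rendered as hex
                $entry.Hash = [BitConverter]::ToString($payload) -replace '-', ''
            }
            else {
                $entry.ParseError = "Unsupported signature type $sigType"
            }

            $entry
            $entryOffset += $sigSize
            $index++
        }
        $offset = $listEnd
    }
}

function New-EfiSignatureList {
    # Test-data helper: builds one EFI_SIGNATURE_LIST from equally sized payloads
    param([guid]$SignatureType, [guid]$Owner, [object[]]$Payloads)
    $sigSize  = 16 + ([byte[]]$Payloads[0]).Length
    $listSize = 28 + $sigSize * $Payloads.Count
    $bytes = New-Object System.Collections.Generic.List[byte]
    $bytes.AddRange($SignatureType.ToByteArray())
    $bytes.AddRange([BitConverter]::GetBytes([uint32]$listSize))
    $bytes.AddRange([BitConverter]::GetBytes([uint32]0))          # SignatureHeaderSize
    $bytes.AddRange([BitConverter]::GetBytes([uint32]$sigSize))
    foreach ($p in $Payloads) {
        $bytes.AddRange($Owner.ToByteArray())
        $bytes.AddRange([byte[]]$p)
    }
    return ,$bytes.ToArray()
}

# Constructed sample: a dbx-style list with two SHA-256 digests, followed by a list whose
# "certificate" is deliberately not valid DER so the ParseError path is exercised
$owner  = [guid]'00000000-0000-0000-0000-0000000000aa'   # placeholder owner GUID
$sample = [byte[]](
    (New-EfiSignatureList -SignatureType $EfiCertSha256Guid -Owner $owner -Payloads @([byte[]](1..32), [byte[]](33..64))) +
    (New-EfiSignatureList -SignatureType $EfiCertX509Guid   -Owner $owner -Payloads (,[byte[]](0x30, 0x03, 0x02, 0x01, 0x00)))
)

ConvertFrom-EfiSignatureList -Data $sample -Type DBX |
    Format-Table Type, Index, SignatureType, Hash, ParseError -AutoSize
```

The size checks before the inner loop are the part worth keeping when adapting this: the variable contents come straight from firmware, so a parser should bound every read by the declared list size and the buffer length rather than trusting the header. Per-entry failures (a malformed certificate) are reported through ParseError so one bad entry does not hide the rest of the database, which is the same reason the script exposes a ParseError property.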
Each object also includes a SaveToFile() method for individual certificate export:

```powershell
$certs = .\Get-UEFICertificate.ps1
$certs[0].SaveToFile("C:\Temp\certificate.cer")
```

- Administrator privileges required - The script must be run as Administrator to access UEFI variables
- Secure Boot must be available - The system must support UEFI Secure Boot
- Read-only operation - This script only reads certificates; it does not modify Secure Boot configuration
- Hash entries excluded by default - Use -IncludeHashes to display SHA256/SHA1 hash entries
- DBX not included in 'All' - The forbidden signatures database (DBX) must be explicitly requested using -CertificateType DBX
- Hash file output - When using -OutFile with -IncludeHashes, hash entries are saved to text files (dbhashes.txt, dbxhashes.txt) with one hash per line
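The "verify certificate consistency across multiple systems" use case above stops at listing thumbprints per host. As an added example that is not part of the project, the following compares two such inventories and reports what differs. It assumes each inventory was produced from the script's output with Export-Csv as shown earlier, and the function name, the Status labels and the sample CSV rows (including the placeholder thumbprints) are constructed for this example.

```powershell
# Added example (not part of the Get-UEFICertificate project): detects Secure Boot
# certificate drift between a known-good baseline host and another host, using the
# Type and Thumbprint properties the script emits. Both inventories are constructed
# in-line here; on real hosts they would come from
#   .\Get-UEFICertificate.ps1 | Export-Csv -Path "<host>.csv" -NoTypeInformation

function Compare-SecureBootInventory {
    param(
        [Parameter(Mandatory)][object[]]$Baseline,   # objects with Type, Subject, Thumbprint
        [Parameter(Mandatory)][object[]]$Candidate
    )
    # A certificate is keyed on its variable slot (PK/KEK/DB/DBX) plus thumbprint, so a
    # replaced PK shows up as one entry missing and one extra rather than silently matching
    Compare-Object -ReferenceObject $Baseline -DifferenceObject $Candidate -Property Type, Thumbprint -PassThru |
        Select-Object Type, Subject, Thumbprint, @{
            Name       = 'Status'
            Expression = { if ($_.SideIndicator -eq '<=') { 'MissingOnCandidate' } else { 'ExtraOnCandidate' } }
        }
}

# Constructed sample inventories; thumbprints are placeholder values, not real certificate hashes
$baseline = @'
Type,Subject,Thumbprint
PK,CN=Sample OEM Platform Key,0000000000000000000000000000000000000001
KEK,CN=Sample Key Exchange Key CA,0000000000000000000000000000000000000002
DB,CN=Sample OS Production CA,0000000000000000000000000000000000000003
'@ | ConvertFrom-Csv

$candidate = @'
Type,Subject,Thumbprint
PK,CN=Sample OEM Platform Key v2,0000000000000000000000000000000000000011
KEK,CN=Sample Key Exchange Key CA,0000000000000000000000000000000000000002
DB,CN=Sample OS Production CA,0000000000000000000000000000000000000003
DB,CN=Sample Vendor Test Signing,0000000000000000000000000000000000000099
'@ | ConvertFrom-Csv

Compare-SecureBootInventory -Baseline $baseline -Candidate $candidate | Format-Table -AutoSize
```

Entries present in both inventories are not reported, so the output is only the drift: the baseline PK reported as missing on the candidate, the candidate's replacement PK and its additional DB certificate reported as extra. Keying on Type as well as Thumbprint matters because the same certificate can legitimately appear in more than one variable, and a change to which slot holds it is itself a finding.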
Contributions are welcome! Please feel free to submit issues or pull requests on the GitHub repository.
This project is licensed under the MIT License - see the LICENSE file for details.
Richard Hicks
- Website: https://www.richardhicks.com/
- GitHub: @richardhicks
- X: @richardhicks
Copyright (C) 2026 Richard M. Hicks Consulting, Inc. All Rights Reserved.