Obtaining Linux distributor secure boot certificates

You can fetch certificates from Linux® distributors.

About this task

Should you need to configure an LPARs with certificates of your choice, for example, using a new certificate after a Linux distributor has revoked their previous certificate, you must fetch the corresponding certificates from the distributor:

Red Hat, Red Hat Secure Boot (signing key 2), at https://access.redhat.com/security/team/key
SUSE, SUSE Secure Boot Signing Key, at https://www.suse.com/support/security/keys
Canonical, file sipl.x509, at http://us.ports.ubuntu.com/ubuntu-ports/dists/jammy/main/signed/linux-s390x/current/signed.tar.gz. Replace jammy with the first part of the Ubuntu distribution code name. For example for Ubuntu 22.04 = jammy, because the code name is Jammy Jellyfish.

Procedure

Verify the validity of the certificate.
You can use openSSL tools to do this.
Upload the certificate to the HMC.
Assign it to the target LPAR.