+<li>Boot the computer. This can be a challenge in and of itself. You may
+ need to use a Secure Boot–enabled Linux emergency disc,
+ temporarily disable Secure Boot, or do the work from Windows.</li>
+
+<li><a href="getting.html">Download rEFInd</a> in binary form (the binary
+ zip or CD-R image file). If you download the binary zip file, unzip it;
+ if you get the CD-R image file, burn it to a CD-R and mount it.</li>
+
+<li>Download Shim from <a
+ href="http://www.codon.org.uk/~mjg59/shim-signed/">Matthew J. Garrett's
+ download site</a> or from your distribution. (Don't use an early 0.1
+ version, though; as noted earlier, it's inadequate for use with
+ rEFInd.)</li>
+
+<p class="sidebar"><b>Tip:</b> If you're running Linux, you can save some effort by using the <tt>install.sh</tt> script with its <tt>--shim <tt class="variable">/path/to/shim.efi</tt></tt> option rather than installing manually, as in steps 4–6 of this procedure. If you've installed <tt>openssl</tt> and <tt>sbsign</tt>, using <tt>--localkeys</tt> will generate local signing keys and re-sign the rEFInd binaries with your own key, too. You can then use <tt>sbsign</tt> and the keys in <tt>/etc/refind.d/keys</tt> to sign your kernels or boot loaders.</p>
+
+<li>Copy the <tt>shim.efi</tt> and <tt>MokManager.efi</tt> binaries to the
+ directory you intend to use for rEFInd—for instance,
+ <tt>EFI/refind</tt> on the ESP.</li>
+
+<li>Follow the installation instructions for rEFInd on the <a
+ href="installing.html">Installing rEFInd</a> page; however, give rEFInd
+ the filename <tt>grubx64.efi</tt> and register <tt>shim.efi</tt> with
+ the EFI by using <tt>efibootmgr</tt> in Linux or <tt>bcdedit</tt> in
+ Windows. Be sure that rEFInd (as <tt>grubx64.efi</tt>),
+ <tt>shim.efi</tt>, and <tt>MokManager.efi</tt> all reside in the same
+ directory.</li>
+
+<li>Copy the <tt>refind.cer</tt> file from the rEFInd package to your ESP,
+ ideally to a location with few other files. (The rEFInd installation
+ directory should work fine.)</li>
+
+<li>Reboot. With any luck, you'll see a simple text-mode user interface
+ with a label of <tt>Shim UEFI key management</tt>. This is the
+ MokManager program, which Shim launched when rEFInd failed verification
+ because its key is not yet enrolled.</li>
+
+<li>Press your down arrow key and press Enter to select <tt>Enroll key from
+ disk</tt>. The screen will clear and prompt you to select a key, as
+ shown here:
+
+ <br /><img src="MokManager1.png" align="CENTER" width="676"
+ height="186" alt="MokManager's user interface is crude but effective."
+ border=2> <br />
+
+ This user interface was used in early versions of MokManager, but
+ somewhere between versions 0.4 and 0.7, the user interface received an
+ upgrade. If you've got a more recent version, it will look more like
+ this:
+
+ <br /><img src="MokManager2.png" align="CENTER" width="800"
+ height="345" alt="Recent versions of MokManager provide a somewhat more
+ user-friendly user interface." border=2> <br /> </li>
+
+<li>Each of the lines with a long awkward string represents a disk
+ partition. Select one and you'll see a list of files. Continue
+ selecting subdirectories until you find the <tt>refind.cer</tt> file
+ you copied to the ESP earlier. (Note that in the early user interface
+ the long lines can wrap and hide valid entries on the next line, so you
+ may need to select a disk whose entry is masked by another one!)</li>
+
+<li>Select <tt>refind.cer</tt>. You can type <tt class="userinput">1</tt>
+ to view the certificate's details if you like, or skip that and type
+ <tt class="userinput">0</tt> to enroll the key.</li>
+
+<li>Back out of any directories you entered and return to the MokManager
+ main menu.</li>
+
+<li>Select <tt>Continue boot</tt> at the main menu.</li>
+
+</ol>
+
+<p>At this point the computer may boot into its default OS, reboot, or perhaps even hang. When you reboot it, though, rEFInd should start up in Secure Boot mode. (You can verify this by selecting the <i>About rEFInd</i> tool in the main menu. Check the <i>Platform</i> item in the resulting screen; it should verify that Secure Boot is active.) You should now be able to launch any boot loader signed with a key recognized by the firmware or by Shim (including any MOKs you've enrolled). If you want to manage keys in the future, rEFInd displays a new icon in the second (tools) row you can use to launch MokManager. (This icon appears by default if MokManager is installed, but if you edit <tt>showtools</tt> in <tt>refind.conf</tt>, you must be sure to include <tt>mok_tool</tt> as an option in order to gain access to it.)</p>