+<li>Follow the installation instructions for rEFInd on the <a href="installing.html">Installing rEFInd</a> page; however, give rEFInd the filename <tt>grubx64.efi</tt> and register <tt>shim.efi</tt> with the EFI by using <tt>efibootmgr</tt> in Linux or <tt>bcdedit</tt> in Windows. This is most cleanly done by following the manual instructions; however, you can use the <tt>install.sh</tt> script if you subsequently rename the files and register <tt>shim.efi</tt> with <tt>efibootmgr</tt>. Be sure that rEFInd (as <tt>grubx64.efi</tt>), <tt>shim.efi</tt>, and <tt>MokManager.efi</tt> all reside in the same directory.</li>
+
+<li>Copy the <tt>refind.cer</tt> file from the rEFInd package to your ESP, ideally to a location with few other files. (The rEFInd installation directory should work fine.)</li>
+
+<li>Reboot. With any luck, you'll see a simple text-mode user interface with a label of <tt>Shim UEFI key management</tt>. This is the MokManager program, which shim launched when rEFInd failed verification because its key is not yet enrolled.</li>
+
+<li>Press your down arrow key and press Enter to select <tt>Enroll key from disk</tt>. The screen will clear and prompt you to select a key, as shown here:</li>
+
+ <br /><IMG SRC="MokManager1.png" ALIGN="CENTER" WIDTH="676"
+ HEIGHT="186" ALT="MokManager's user interface is crude but effective."
+ BORDER=2> <br />
+
+<li>Each of the lines with a long awkward string represents a disk partition. Select one and you'll see a list of files. Continue selecting subdirectories until you find the <tt>refind.cer</tt> file you copied to the ESP earlier.</li>
+
+<li>Select <tt>refind.cer</tt>. You can type <tt class="userinput">1</tt> to view the certificate's details if you like, or skip that and type <tt class="userinput">0</tt> to enroll the key.</li>
+
+<li>Back out of any directories you entered and return to the MokManager main menu.</li>
+
+<li>Select <tt>Continue boot</tt> at the main menu.</li>
+
+</ol>
+
+<p>At this point the computer may boot into its default OS, reboot, or perhaps even hang. When you reboot it, though, rEFInd should start up in Secure Boot mode. (You can verify this by selecting the <i>About rEFInd</i> tool in the main menu. Check the <i>Platform</i> item in the resulting screen; it should verify that Secure Boot is active.) You should now be able to launch any boot loader signed with a key recognized by the firmware or by shim (including any MOKs you've enrolled). If you want to manage keys in the future, rEFInd displays a new icon in the second (tools) row you can use to launch MokManager. (This icon appears by default if MokManager is installed, but if you edit <tt>showtools</tt> in <tt>refind.conf</tt>, you must be sure to include <tt>mok_tool</tt> as an option in order to gain access to it.)</p>
+
+<p>If you're using Ubuntu 12.10, you can't use its version of shim, but you can replace it with Garrett's shim. The problem is that Ubuntu's GRUB and kernel will then be signed by an unknown key. Unfortunately, I haven't found a suitable public key file on Ubuntu's distribution medium, so you may need to sign GRUB and/or your kernels with your own MOK. In principle, you should be able to use shim 0.2 or later from future distributions that include it; but you must be sure that whatever you use supports MokManager.</p>
+
+<a name="mok">
+<h2>Managing Your MOKs</h2>
+</a>
+
+<p>The preceding instructions provided the basics of getting rEFInd up and running, including using MokManager to enroll a MOK on your computer. If you need to sign binaries, though, you'll have to use additional tools. The OpenSSL package provides the cryptographic tools necessary, but actually signing EFI binaries requires additional software. Two packages for this are available: <tt>sbsigntool</tt> and <tt>pesign</tt>. Both are available in binary form from <a href="https://build.opensuse.org/project/show?project=home%3Ajejb1%3AUEFI">this OpenSUSE Build Service (OBS)</a> repository. The following procedure uses <tt>sbsigntool</tt>. To sign your own binaries, follow these steps:</p>
+
+<ol>
+