- used to sign Ubuntu boot loaders and kernels.
-
-- fedora-ca.cer & fedora-ca.crt -- Fedora's public key, used to sign Fedora
- 18's version of shim and Fedora 18's kernels.
+ matched to the one used to sign Ubuntu boot loaders and kernels.
+
+- fedora-ca.cer & fedora-ca.crt -- Fedora's public key, matched to the one
+ used used to sign Fedora 18's version of shim and Fedora 18's kernels.
+
+- microsoft-kekca-public.der -- Microsoft's key exchange key (KEK), which
+ is present on most UEFI systems with Secure Boot. The purpose of
+ Microsoft's KEK is to enable Microsoft tools to update Secure Boot
+ variables. There is no reason to add it to your MOK list.
+
+- microsoft-pca-public.der -- A Microsoft public key, matched to the one
+ used to sign Microsoft's own boot loader. You might include this key in
+ your MOK list if you replace the keys that came with your computer with
+ your own key but still want to boot Windows. There's no reason to add it
+ to your MOK list if your computer came this key pre-installed and you did
+ not replace the default keys.
+
+- microsoft-uefica-public.der -- A Microsoft public key, matched to the one
+ Microsoft uses to sign third-party applications and drivers. If you
+ remove your default keys, adding this one to your MOK list will enable
+ you to launch third-party boot loaders and other tools signed by
+ Microsoft. There's no reason to add it to your MOK list if your computer
+ came this key pre-installed and you did not replace the default keys.