After refind-install, the dynamic enrollment of the MOK required for refind_x64.efi (renamed to grubx64.efi) in Secure Boot mode always fails. The error message is "Only DER encoded certificate (.cer/der/crt) is supported". This error happens no matter which .cer or .der file is selected from the list produced from the /keys directory. The refind boot then fails and UEFI moves on to the next item in the boot order list.
What got the refind boot to work was a suggestion I found in an Ubuntu forum that indicated a manual registration using mokutil got past this error for a user trying to chain boot Fedora from Ubuntu.
Once I was back in Ubuntu from non-refind grubx64 boot:
1> ran mokutil --import path-to-refind-keys/refind_local.cer
2> provided a password (twice) for enrollment
3> rebooted
4> again got MOK Management prompt, but now had an option to enroll the waiting key
5> provided the password previously entered (#2)
6> refind menu now works
I don't know why the enrollment would not work without the manual import step. I also don't have the expertise to know how global the original problem might be or how this "fix" might work in other circumstances. If I just "got lucky" and need to be educated on potential pitfalls, I would appreciate constructive criticism. This is my first UEFI adventure.
TLDR:
The following is just background information that may help others understand how I ended up at the result above, should that be useful.
I'm working on a dual-boot (win10/Ubuntu 18.04 LTS) HP-250 G6 laptop, single HD, no SSD. Win 10 was pre-installed by the OEM. Ubuntu was installed from Alternate ISO with FDE (/boot unencrypted). The OEM boot configuration would not (to my knowledge) present a choice of OS boot without F9 intervention during boot.

Since I had previous experience with a dual boot BIOS based laptop that booted Win 10 by default off the hard drive and Ubuntu /boot installed on a USB drive, I just selected the boot OS by either inserting the USB drive or leaving it out and configuring the BIOS to boot first from the USB drive. Not too sophisticated, but functional.

All the USB installation schemes I found in the Ubuntu forums were oriented to installing the whole OS on USB and my attempts to adjust those procedures to keep the encrypted OS on the hard drive with the unencrypted boot partition on the USB were not productive. So I was resigned to putting a boot manager on the hard drive, but when I looked at refind, I saw that it claimed to work from both hard drives and USB drives. So trying to use refind to boot an OS from a USB is how I ended up at the point of failing to enroll the MOK I needed for refind to work.

What I tried/verified before the mokutil import:
Installed refind from the ppa for Ubuntu
Prepared USB as gpt device with 4g EFI system partition formatted with fat32 file system with boot and esp flags on
Ran "sudo refind-install --usedefault /dev/sdb1 --shim /distribution-path/shimx64.efi --localkeys" for USB
Renamed refind_x64.efi to grubx64.efi
Used sbverify to validate /etc/refind.d/.crt keys with various .efi files
Booted Secure boot disabled to verify refind worked correctly from USB
Uninstalled refind from USB and moved it to ESP using refind-install without --usedefault option
Booted Secure boot disabled to verify refind worked correctly from ESP
Booted Secure boot enabled to verify refind still failed to dynamically enroll refind_local.cer
Uninstalled refind from ESP and put it back on USB using refind-install as first described
Secure boot still failed to dynamically enroll MOK
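The manual enrollment the post describes, as an added example that is not part of the original post or of rEFInd's own tooling. MokManager's "Only DER encoded certificate" message is about the file format it is handed, so the script first classifies the key file by its leading bytes (a DER X.509 certificate is an ASN.1 SEQUENCE beginning with 0x30; a PEM file begins with "-----BEGIN"), converts PEM to DER with openssl if necessary, skips the import when mokutil reports the key is already in MokList, and otherwise queues it with mokutil --import for completion in MokManager on the next boot. The key location /etc/refind.d/keys, the file names refind_local.cer/.crt, and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post or from rEFInd itself.
# Assumptions: refind-install --localkeys left refind_local.cer (DER) and
# refind_local.crt (PEM) in /etc/refind.d/keys; mokutil and openssl are
# installed. Paths and the key name are illustrative.
set -eu

KEYDIR=${KEYDIR:-/etc/refind.d/keys}

# Classify a certificate file by its leading bytes. MokManager only accepts
# DER; a DER X.509 certificate is an ASN.1 SEQUENCE whose first byte is 0x30,
# while a PEM file is text armour starting with "-----BEGIN".
# Prints "der", "pem" or "unknown".
cert_format() {
    first=$(head -c 1 "$1" | od -An -tx1 | tr -d ' \n')
    if [ "$first" = "30" ]; then
        echo der
    elif head -c 10 "$1" | grep -q '^-----BEGIN'; then
        echo pem
    else
        echo unknown
    fi
}

# Write a DER copy of the certificate $1 to $2, converting PEM with openssl
# when needed. Prints the output path; fails on unrecognised input.
prepare_der() {
    src=$1; dst=$2
    case $(cert_format "$src") in
        der) cp "$src" "$dst" ;;
        pem) openssl x509 -inform PEM -in "$src" -outform DER -out "$dst" ;;
        *)   echo "$src: not a DER or PEM certificate" >&2; return 1 ;;
    esac
    echo "$dst"
}

# Queue the DER certificate for enrollment unless it is already in MokList.
# mokutil --import prompts for a one-time password; MokManager asks for the
# same password on the next boot when "Enroll MOK" is chosen.
queue_enrollment() {
    der=$1
    if mokutil --test-key "$der" 2>/dev/null | grep -q 'is already enrolled'; then
        echo "$der is already enrolled; nothing to do"
        return 0
    fi
    mokutil --import "$der"
    echo "Reboot and finish enrollment in MokManager with the password just set."
}

# Full procedure: take whichever local key file is given, make sure the
# bytes MokManager sees are DER, then hand the key to shim's MOK queue.
enroll_refind_key() {
    tmpder=$(mktemp)
    prepare_der "$1" "$tmpder" >/dev/null
    queue_enrollment "$tmpder"
    rm -f "$tmpder"
}

if [ $# -gt 0 ]; then
    enroll_refind_key "$1"
else
    echo "usage: $0 $KEYDIR/refind_local.cer" >&2
fi
```

Run it as root with the path to the key file; after the reboot, the MokManager menu offers "Enroll MOK" for the queued key, and mokutil --test-key on the same DER file should then report it as enrolled. The format check is deliberately independent of openssl so that a bad file is diagnosed before anything is queued.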