I successfully installed Debian Stretch on my ASUS G750JZ laptop with Secure Boot turned off. Now I'm interested in enabling it, so I created my own PK, KEK and db keys and uploaded them into my BIOS. Now I have my own PK key and my own KEK and db keys as well as Microsoft and ASUS ones to dual boot Windows 10.
The problem is that when I'm trying to load any bootloader (GRUB, rEFInd, HashTool) signed by my db key, it doesn't boot and a message "Invalid signature detected" is displayed instead. However, sbverify of course claims that these bootloaders are signed correctly, efi-readvar also finds my own keys, and Windows still boots successfully even on my own PK key.
I have read many tutorials about setting Secure Boot custom keys, mostly from Gentoo and Arch, but it seems to be distro-independent. Does someone else also have such a problem? Could it be a bug in my BIOS?
.crt file rather than a .cer/.der file. (My ASUS motherboard will accept anything, but only the right file type actually works.)