V9.14.000.2026.06.07

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

upgrades/secure-boot/ciss-sb-pki.cnf

@@ -9,6 +9,8 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
+# ToDo: Update to the latest version of the CISS PKI.
+
 # Keep the corresponding ROOT CA strict offline, offsite and air-gapped and maybe in a HSM or at least encrypted in a vault.
 #
 # The firmware does not check "whether KEK originates from PK in terms of certificate logic." It only checks whether the
@@ -87,7 +89,7 @@ clearance_max					          = 64
 serialNumber					          = QSCD Serial Number
 serialNumber_max				        = 64
 ############################### = 1234567890123456789012345678901234567890123456789012345678901234
-commonName_default				      = CISS Secure Boot Root CA 2025 RSA 4096
+commonName_default				      = CISS Secure Boot Root CA 2026 RSA 4096
 organizationName_default        = Centurion Intelligence Consulting Agency
 organizationalUnitName_default 	= CISO
 organizationIdentifier_default	= VATPT-307086887
@@ -104,7 +106,7 @@ subjectKeyIdentifier            = hash
 authorityKeyIdentifier          = keyid:always,issuer
 authorityInfoAccess		          = @ciss_sb_pki
 certificatePolicies		          = 2.5.29.32.0, @ciss_sb_policy
-nsComment                       = "CISS Secure Boot Root CA 2025 RSA 4096"
+nsComment                       = "CISS Secure Boot Root CA 2026 RSA 4096"
 
 [ v3_pk ]
 basicConstraints                = critical, CA:true, pathlen:0
@@ -147,6 +149,4 @@ CPS.0				                    = "https://policy.quantumsign.eu/"
 fullname                        = URI:https://crl.quantumign.eu/
 reasons                         = keyCompromise, CACompromise, affiliationChanged, superseded, cessationOfOperation, certificateHold, privilegeWithdrawn, AACompromise
 
-
-
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf