diff --git a/SOURCES/centossecureboot201.crt b/SOURCES/centossecureboot201.crt
new file mode 100644
index 0000000..f9d9675
--- /dev/null
+++ b/SOURCES/centossecureboot201.crt
@@ -0,0 +1,84 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            93:c2:04:d8:bd:77:6b:11
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN=CentOS Secure Boot CA 2/emailAddress=security@centos.org
+        Validity
+            Not Before: Jun  9 10:04:20 2020 GMT
+            Not After : Jan 18 10:04:20 2038 GMT
+        Subject: CN=CentOS Secure Boot Signing 201/emailAddress=security@centos.org
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:9e:ef:fe:76:1c:9f:9b:3e:f2:e4:c5:29:bd:19:
+                    32:01:59:f3:e6:99:fa:eb:b5:f8:94:0c:95:3a:65:
+                    5e:b1:72:d0:50:3e:70:64:8a:1a:d1:f6:4d:af:6d:
+                    57:ee:40:71:40:09:dd:30:0c:81:a1:8b:26:63:12:
+                    07:bf:e1:d1:45:9f:9b:09:a6:57:98:9e:ef:97:e9:
+                    bd:68:38:ea:aa:63:92:2e:0d:2f:8e:fb:be:88:40:
+                    9b:59:e3:bc:b7:6f:e3:bb:6b:1e:6e:9e:ee:57:b8:
+                    28:c6:d5:d6:bf:47:a6:e9:38:a9:8f:08:73:98:49:
+                    a8:58:d2:62:73:f1:1e:44:d4:88:3d:f9:aa:43:e2:
+                    72:2e:d7:43:3e:1d:b6:65:f6:d1:2e:ef:31:cb:9f:
+                    5e:e3:d4:ea:3c:23:9a:07:af:f9:4a:ee:43:9a:75:
+                    06:ed:9a:54:2c:ed:5b:ca:85:a5:10:16:cd:30:64:
+                    ea:d5:27:7e:23:f6:fc:ec:69:a9:43:2f:78:73:6b:
+                    33:78:8b:f8:54:db:3f:ce:95:a4:5a:04:9a:15:49:
+                    98:cd:34:7c:c7:8c:a9:8a:32:82:ae:c0:d6:34:93:
+                    e7:d2:54:82:45:ee:eb:54:9a:96:d4:da:4b:24:f8:
+                    09:56:d8:cd:7f:ec:7b:f3:bd:db:9b:8c:b6:18:87:
+                    fa:07
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            X509v3 Key Usage: critical
+                Digital Signature
+            X509v3 Extended Key Usage: critical
+                Code Signing
+            X509v3 Subject Key Identifier: 
+                5D:4B:64:F2:FA:63:1E:5E:5F:DB:AA:DC:14:67:C6:6C:99:21:7A:22
+            X509v3 Authority Key Identifier: 
+                keyid:70:00:7F:99:20:9C:12:6B:E1:47:74:EA:EC:7B:6D:96:31:F3:4D:CA
+
+    Signature Algorithm: sha256WithRSAEncryption
+         39:4b:b5:cc:37:3f:cd:db:84:0f:63:7c:c4:e4:53:fb:5e:fd:
+         db:12:19:23:6f:0a:50:14:fd:4f:7c:f9:87:3d:f9:6d:5b:af:
+         07:a5:94:34:1b:84:07:f4:f1:a0:de:cc:73:87:99:31:c3:93:
+         66:c0:bc:f2:0f:b2:69:65:8e:da:b9:1a:8e:ae:38:56:f3:7c:
+         5a:8d:29:0d:3d:ad:84:e7:86:31:a2:8e:2a:a8:f8:f8:f7:87:
+         32:65:5d:81:47:53:b8:40:c5:1b:a7:46:1f:b0:60:a7:b4:97:
+         89:51:26:3c:de:46:b9:14:d5:a0:7d:99:cc:a7:7e:ed:89:18:
+         02:ce:e6:07:45:49:e2:04:7d:5b:03:65:ec:e6:c3:86:0d:82:
+         31:24:45:51:ec:15:ad:31:83:a8:1c:6e:52:4d:b8:0f:5d:0b:
+         e4:7b:51:49:39:46:8a:0b:fd:0c:46:af:b4:19:65:0f:12:f1:
+         fc:ee:fd:6b:4f:df:9a:73:7c:e0:c8:3d:c3:d5:b5:ab:4a:86:
+         36:97:e8:89:fb:af:f4:f1:c2:05:5d:17:fb:b6:df:a5:0e:45:
+         89:db:89:99:93:ce:f0:4e:e9:9c:f4:4a:03:b0:6e:be:a2:69:
+         ab:b1:f3:3b:ed:c7:97:f4:0e:0a:53:27:5a:7e:70:9a:35:ea:
+         7a:76:d1:bc
+-----BEGIN CERTIFICATE-----
+MIIDjjCCAnagAwIBAgIJAJPCBNi9d2sRMA0GCSqGSIb3DQEBCwUAMEYxIDAeBgNV
+BAMMF0NlbnRPUyBTZWN1cmUgQm9vdCBDQSAyMSIwIAYJKoZIhvcNAQkBFhNzZWN1
+cml0eUBjZW50b3Mub3JnMB4XDTIwMDYwOTEwMDQyMFoXDTM4MDExODEwMDQyMFow
+TTEnMCUGA1UEAwweQ2VudE9TIFNlY3VyZSBCb290IFNpZ25pbmcgMjAxMSIwIAYJ
+KoZIhvcNAQkBFhNzZWN1cml0eUBjZW50b3Mub3JnMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAnu/+dhyfmz7y5MUpvRkyAVnz5pn667X4lAyVOmVesXLQ
+UD5wZIoa0fZNr21X7kBxQAndMAyBoYsmYxIHv+HRRZ+bCaZXmJ7vl+m9aDjqqmOS
+Lg0vjvu+iECbWeO8t2/ju2sebp7uV7goxtXWv0em6TipjwhzmEmoWNJic/EeRNSI
+PfmqQ+JyLtdDPh22ZfbRLu8xy59e49TqPCOaB6/5Su5DmnUG7ZpULO1byoWlEBbN
+MGTq1Sd+I/b87GmpQy94c2szeIv4VNs/zpWkWgSaFUmYzTR8x4ypijKCrsDWNJPn
+0lSCRe7rVJqW1NpLJPgJVtjNf+x7873bm4y2GIf6BwIDAQABo3gwdjAMBgNVHRMB
+Af8EAjAAMA4GA1UdDwEB/wQEAwIHgDAWBgNVHSUBAf8EDDAKBggrBgEFBQcDAzAd
+BgNVHQ4EFgQUXUtk8vpjHl5f26rcFGfGbJkheiIwHwYDVR0jBBgwFoAUcAB/mSCc
+EmvhR3Tq7HttljHzTcowDQYJKoZIhvcNAQELBQADggEBADlLtcw3P83bhA9jfMTk
+U/te/dsSGSNvClAU/U98+Yc9+W1brwellDQbhAf08aDezHOHmTHDk2bAvPIPsmll
+jtq5Go6uOFbzfFqNKQ09rYTnhjGijiqo+Pj3hzJlXYFHU7hAxRunRh+wYKe0l4lR
+JjzeRrkU1aB9mcynfu2JGALO5gdFSeIEfVsDZezmw4YNgjEkRVHsFa0xg6gcblJN
+uA9dC+R7UUk5RooL/QxGr7QZZQ8S8fzu/WtP35pzfODIPcPVtatKhjaX6In7r/Tx
+wgVdF/u236UORYnbiZmTzvBO6Zz0SgOwbr6iaaux8zvtx5f0DgpTJ1p+cJo16np2
+0bw=
+-----END CERTIFICATE-----
diff --git a/SOURCES/centossecurebootca2.der b/SOURCES/centossecurebootca2.der
new file mode 100644
index 0000000..42bdfcf
Binary files /dev/null and b/SOURCES/centossecurebootca2.der differ
diff --git a/SPECS/kernel-plus.spec b/SPECS/kernel-plus.spec
index d592d6e..63131b2 100644
--- a/SPECS/kernel-plus.spec
+++ b/SPECS/kernel-plus.spec
@@ -43,10 +43,10 @@
 # define buildid .local
 
 %define rpmversion 4.18.0
-%define pkgrelease 193.13.2.el8_2
+%define pkgrelease 193.14.2.el8_2
 
 # allow pkg_release to have configurable %%{?dist} tag
-%define specrelease 193.13.2%{?dist}
+%define specrelease 193.14.2%{?dist}
 
 %define pkg_release %{specrelease}%{?buildid}
 
@@ -416,7 +416,7 @@ BuildRequires: asciidoc
 
 Source0: linux-%{rpmversion}-%{pkgrelease}.tar.xz
 
-Source11: x509.genkey
+Source9: x509.genkey
 
 # Name of the packaged file containing signing key
 %ifarch ppc64le
@@ -428,24 +428,41 @@ Source11: x509.genkey
 
 %if %{?released_kernel}
 
-Source12: centos-ca-secureboot.der 
+#Source10: redhatsecurebootca5.cer
+Source10: centossecurebootca2.der
+#Source11: redhatsecurebootca3.cer
+Source11: centos-ca-secureboot.der
+#Source12: redhatsecureboot501.cer
+Source12: centossecureboot201.crt
+#Source13: redhatsecureboot301.cer
 Source13: centossecureboot001.crt
 
-%define secureboot_ca %{SOURCE12}
+%define secureboot_ca_0 %{SOURCE10}
+%define secureboot_ca_1 %{SOURCE11}
 %ifarch x86_64 aarch64
-%define secureboot_key %{SOURCE13}
-%define pesign_name centossecureboot001
+%define secureboot_key_0 %{SOURCE12}
+%define pesign_name_0 centossecureboot201
+%define secureboot_key_1 %{SOURCE13}
+%define pesign_name_1 centossecureboot001
 %endif
 
 # released_kernel
 %else
 
-Source12: centos-ca-secureboot.der
+#Source11: redhatsecurebootca3.cer
+Source11: centos-ca-secureboot.der
+#Source12: redhatsecureboot501.cer
+Source12: centossecureboot201.crt
+#Source13: redhatsecureboot301.cer
 Source13: centossecureboot001.crt
+Source14: secureboot_s390.cer
 
-%define secureboot_ca %{SOURCE12}
-%define secureboot_key %{SOURCE13}
-%define pesign_name centossecureboot001
+%define secureboot_ca_0 %{SOURCE11}
+%define secureboot_ca_1 %{SOURCE12}
+%define secureboot_key_0 %{SOURCE13}
+%define pesign_name_0 redhatsecureboot401
+%define secureboot_key_1 %{SOURCE14}
+%define pesign_name_1 redhatsecureboot003
 
 # released_kernel
 %endif
@@ -1115,6 +1132,9 @@ ApplyOptionalPatch()
 }
 
 %setup -q -n %{name}-%{rpmversion}-%{pkgrelease} -c
+
+cp -v %{SOURCE9000} linux-%{rpmversion}-%{pkgrelease}/certs/rhel.pem
+
 mv linux-%{rpmversion}-%{pkgrelease} linux-%{KVERREL}
 
 cd linux-%{KVERREL}
@@ -1272,7 +1292,7 @@ BuildKernel() {
     cp configs/$Config .config
 
     %if %{signkernel}%{signmodules}
-    cp %{SOURCE11} certs/.
+    cp %{SOURCE9} certs/.
     %endif
 
     Arch=`head -1 .config | cut -b 3-`
@@ -1338,11 +1358,13 @@ BuildKernel() {
     fi
 
     %ifarch x86_64 aarch64
-    %pesign -s -i $SignImage -o vmlinuz.signed -a %{secureboot_ca} -c %{secureboot_key} -n %{pesign_name}
+    %pesign -s -i $SignImage -o vmlinuz.tmp -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0}
+    %pesign -s -i vmlinuz.tmp -o vmlinuz.signed -a %{secureboot_ca_1} -c %{secureboot_key_1} -n %{pesign_name_1}
+    rm vmlinuz.tmp
     %endif
     %ifarch s390x ppc64le
     if [ -x /usr/bin/rpm-sign ]; then
-	rpm-sign --key "%{pesign_name}" --lkmsign $SignImage --output vmlinuz.signed
+	rpm-sign --key "%{pesign_name_0}" --lkmsign $SignImage --output vmlinuz.signed
     elif [ $DoModules -eq 1 ]; then
 	chmod +x scripts/sign-file
 	./scripts/sign-file -p sha256 certs/signing_key.pem certs/signing_key.x509 $SignImage vmlinuz.signed
@@ -1738,11 +1760,17 @@ BuildKernel() {
 
     # CentOS UEFI Secure Boot CA cert, which can be used to authenticate the kernel
     mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer
-    install -m 0644 %{secureboot_ca} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
+    %ifarch x86_64 aarch64
+        install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20200609.cer
+        install -m 0644 %{secureboot_ca_1} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20140212.cer
+        ln -s kernel-signing-ca-20200609.cer $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
+    %else
+        install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
+    %endif
     %ifarch s390x ppc64le
     if [ $DoModules -eq 1 ]; then
 	if [ -x /usr/bin/rpm-sign ]; then
-	    install -m 0644 %{secureboot_key} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename}
+	    install -m 0644 %{secureboot_key_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename}
 	else
 	    install -m 0644 certs/signing_key.x509.sign${Flav} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
 	    openssl x509 -in certs/signing_key.pem.sign${Flav} -outform der -out $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename}
@@ -2508,12 +2536,7 @@ fi
 /lib/modules/%{KVERREL}%{?3:+%{3}}/updates\
 /lib/modules/%{KVERREL}%{?3:+%{3}}/weak-updates\
 /lib/modules/%{KVERREL}%{?3:+%{3}}/bls.conf\
-%{_datadir}/doc/kernel-keys/%{KVERREL}%{?3:+%{3}}/kernel-signing-ca.cer\
-%ifarch s390x ppc64le\
-%if 0%{!?4:1}\
-%{_datadir}/doc/kernel-keys/%{KVERREL}%{?3:+%{3}}/%{signing_key_filename} \
-%endif\
-%endif\
+%{_datadir}/doc/kernel-keys/%{KVERREL}%{?3:+%{3}}\
 %if %{1}\
 /lib/modules/%{KVERREL}%{?3:+%{3}}/vdso\
 /etc/ld.so.conf.d/%{name}-%{KVERREL}%{?3:+%{3}}.conf\
@@ -2567,7 +2590,7 @@ fi
 #
 #
 %changelog
-* Tue Jul 21 2020 Akemi Yagi <toracat@centos.org> [4.18.0-193.13.2.el8_2.centos.plus]
+* Wed Jul 29 2020 Akemi Yagi <toracat@centos.org> [4.18.0-193.14.2.el8_2.centos.plus]
 - Apply debranding changes
 - Modify config file for x86_64 with extra features turned on including some network adapters,
   some SCSI adapters, ReiserFS, TOMOYO
@@ -2578,8 +2601,27 @@ fi
 - Added a triggerin scriptlet to rebuild the initramfs image
   when the system microcode package is updated [bug#17562]
 
-* Mon Jul 13 2020 Bruno Meneguele <bmeneg@redhat.com> [4.18.0-193.13.2.el8_2]
-- Rebuild to get kernel image properly signed (Bruno Meneguele)
+* Sun Jul 19 2020 Bruno Meneguele <bmeneg@redhat.com> [4.18.0-193.14.2.el8_2]
+- [kernel] Move to dual-signing to split signing keys up better (pjones) [1837433 1837434] {CVE-2020-10713}
+- [crypto] pefile: Tolerate other pefile signatures after first (Lenny Szubowicz) [1837433 1837434] {CVE-2020-10713}
+- [acpi] ACPI: configfs: Disallow loading ACPI tables when locked down (Lenny Szubowicz) [1852968 1852969] {CVE-2020-15780}
+- [firmware] efi: Restrict efivar_ssdt_load when the kernel is locked down (Lenny Szubowicz) [1852948 1852949] {CVE-2019-20908}
+
+* Mon Jul 13 2020 Bruno Meneguele <bmeneg@redhat.com> [4.18.0-193.14.1.el8_2]
+- [md] dm mpath: add DM device name to Failing/Reinstating path log messages (Mike Snitzer) [1852050 1822975]
+- [md] dm mpath: enhance queue_if_no_path debugging (Mike Snitzer) [1852050 1822975]
+- [md] dm mpath: restrict queue_if_no_path state machine (Mike Snitzer) [1852050 1822975]
+- [md] dm mpath: simplify __must_push_back (Mike Snitzer) [1852050 1822975]
+- [md] dm: use DMDEBUG macros now that they use pr_debug variants (Mike Snitzer) [1852050 1822975]
+- [include] dm: use dynamic debug instead of compile-time config option (Mike Snitzer) [1852050 1822975]
+- [md] dm mpath: switch paths in dm_blk_ioctl() code path (Mike Snitzer) [1852050 1822975]
+- [md] dm multipath: use updated MPATHF_QUEUE_IO on mapping for bio-based mpath (Mike Snitzer) [1852050 1822975]
+- [md] dm: bump version of core and various targets (Mike Snitzer) [1852050 1822975]
+- [md] dm mpath: Add timeout mechanism for queue_if_no_path (Mike Snitzer) [1852050 1822975]
+- [md] dm mpath: use true_false for bool variable (Mike Snitzer) [1852050 1822975]
+- [md] dm mpath: remove harmful bio-based optimization (Mike Snitzer) [1852050 1822975]
+- [scsi] scsi: libiscsi: fall back to sendmsg for slab pages (Maurizio Lombardi) [1852048 1825775]
+- [s390] s390/mm: fix panic in gup_fast on large pud (Philipp Rudo) [1853336 1816980]
 
 * Tue Jul 07 2020 Bruno Meneguele <bmeneg@redhat.com> [4.18.0-193.13.1.el8_2]
 - [x86] x86/efi: Allocate e820 buffer before calling efi_exit_boot_service (Lenny Szubowicz) [1846180 1824005]