diff --git a/SOURCES/centos-ca-secureboot.der b/SOURCES/centos-ca-secureboot.der
new file mode 100644
index 0000000..44a2563
Binary files /dev/null and b/SOURCES/centos-ca-secureboot.der differ
diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec
index 5463a69..1c77c8e 100644
--- a/SPECS/kernel.spec
+++ b/SPECS/kernel.spec
@@ -280,7 +280,7 @@ Summary: The Linux kernel
 # problems with the newer kernel or lack certain things that make
 # integration in the distro harder than needed.
 #
-%define package_conflicts initscripts < 7.23, udev < 063-6, iptables < 1.3.2-1, ipw2200-firmware < 2.4, iwl4965-firmware < 228.57.2, selinux-policy-targeted < 3.13.1-201, squashfs-tools < 4.0, wireless-tools < 29-3, xfsprogs < 4.3.0, kmod < 20-9, kexec-tools < 2.0.14-3
+%define package_conflicts initscripts < 7.23, udev < 063-6, iptables < 1.3.2-1, ipw2200-firmware < 2.4, iwl4965-firmware < 228.57.2, selinux-policy-targeted < 3.13.1-201, squashfs-tools < 4.0, wireless-tools < 29-3, xfsprogs < 4.3.0, kmod < 20-9, kexec-tools < 2.0.14-3, shim-x64 < 12-2
 
 # We moved the drm include files into kernel-headers, make sure there's
 # a recent enough libdrm-devel on the system that doesn't have those.
@@ -395,13 +395,13 @@ Source10: sign-modules
 Source11: x509.genkey
 Source12: extra_certificates
 %if %{?released_kernel}
-Source13: centos.cer
-Source14: secureboot.cer
-%define pesign_name redhatsecureboot301
+Source13: centos-ca-secureboot.der
+Source14: centossecureboot001.crt
+%define  centossecureboot001
 %else
-Source13: centos.cer
-Source14: secureboot.cer
-%define pesign_name redhatsecureboot003
+Source13: centos-ca-secureboot.der
+Source14: centossecureboot001.crt
+%define  centossecureboot001
 %endif
 Source15: centos-ldup.x509
 Source16: centos-kpatch.x509
@@ -939,7 +939,7 @@ BuildKernel() {
     fi
 # EFI SecureBoot signing, x86_64-only
 %ifarch x86_64
-    %pesign -s -i $KernelImage -o $KernelImage.signed -a %{SOURCE13} -c %{SOURCE13}
+    %pesign -s -i $KernelImage -o $KernelImage.signed -a %{SOURCE13} -c %{SOURCE14} -n %{pesign_name}
     mv $KernelImage.signed $KernelImage
 %endif
     $CopyKernel $KernelImage $RPM_BUILD_ROOT/%{image_install_path}/$InstallName-$KernelVer
@@ -1759,6 +1759,7 @@ fi
 %changelog
 * Tue Mar 12 2019 CentOS Sources <bugs@centos.org> - 3.10.0-957.10.1.el7
 - Apply debranding changes
+- Sign with new secureboot key
 
 * Thu Feb 07 2019 Jan Stancek <jstancek@redhat.com> [3.10.0-957.10.1.el7]
 - [fs] revert "[fs] nfs: Don't write back further requests if there is a pending write error" (Benjamin Coddington) [1672510 1656674]