Unified Kernel Image (UKI) was added to RHEL9.2 and Fedora/ARK recently (kernel-uki-virt package). The image is currently signed with the same SecureBoot certificate as our standard kernel (vmlinuz) and we'd like to change that. The main motivation for creating a new certificate for UKI is to make it possible to distinguish between standard vmlinuz and UKI in PCR measurements, namely PCR7. Currently, for Azure Confidential VMs we seal the root volume key against PCR4+PCR7 and this is suboptimal as PCR4 changes with every UKI update. We'd like to switch to sealing against PCR7 only, but in that case measurements for standard vmlinuz and for UKI must differ, and this is not the case with the current signing scheme. We need to introduce a new certificate for signing UKIs and export its public part in redhat-sb-certs to be able to switch to it in the kernel specfile. We also want to do the same change in Fedora/ARK. (I may be missing some details on how new SB certs are added; hope the BZ is the right starting point.)
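As an added illustration (not part of the bug report or of any Red Hat tooling), a simplified Python model of the PCR4/PCR7 behaviour described above: two images signed with the same db certificate land on the same PCR7 while PCR4 differs per image, and a separate UKI certificate is what makes PCR7 differ. The event layout is an assumption (only the image digest for PCR4 and the authority certificate for PCR7 are modelled) and all certificates and images are constructed placeholders.

```python
import hashlib

ZERO_PCR = bytes(32)  # SHA-256 bank PCR starts at all zeros


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def pcr_extend(pcr: bytes, event_digest: bytes) -> bytes:
    # TPM 2.0 PCR extend for the SHA-256 bank: PCR_new = H(PCR_old || digest)
    return sha256(pcr + event_digest)


def boot_measurements(image: bytes, authority_cert: bytes) -> dict:
    """Assumed, simplified model of the events recorded when a signed EFI binary boots.

    PCR4: digest of the loaded PE image (EV_EFI_BOOT_SERVICES_APPLICATION).
    PCR7: SecureBoot policy state, then the db entry (certificate) that
          actually authenticated the image (EV_EFI_VARIABLE_AUTHORITY).
    """
    pcr4 = pcr_extend(ZERO_PCR, sha256(image))
    # Constructed stand-in for the SecureBoot/PK/KEK/db/dbx variable
    # measurements, identical for every boot of the same machine.
    pcr7 = pcr_extend(ZERO_PCR, sha256(b"SecureBoot=1 PK KEK db dbx (constructed)"))
    pcr7 = pcr_extend(pcr7, sha256(authority_cert))
    return {"pcr4": pcr4.hex(), "pcr7": pcr7.hex()}


def pcr7_policy_distinguishes(image_a: bytes, cert_a: bytes,
                              image_b: bytes, cert_b: bytes) -> bool:
    """True if a key sealed against PCR7 alone would tell the two boots apart."""
    return (boot_measurements(image_a, cert_a)["pcr7"]
            != boot_measurements(image_b, cert_b)["pcr7"])


# Constructed sample inputs (not real certificates or kernel images).
KERNEL_CERT = b"constructed: shared kernel signing certificate"
UKI_CERT = b"constructed: separate UKI signing certificate"
VMLINUZ = b"constructed vmlinuz image"
UKI_V1 = b"constructed kernel-uki-virt image, update 1"
UKI_V2 = b"constructed kernel-uki-virt image, update 2"

if __name__ == "__main__":
    for name, img, cert in [("vmlinuz", VMLINUZ, KERNEL_CERT),
                            ("uki v1 / shared cert", UKI_V1, KERNEL_CERT),
                            ("uki v2 / shared cert", UKI_V2, KERNEL_CERT),
                            ("uki v1 / uki cert", UKI_V1, UKI_CERT)]:
        print(f"{name:22} {boot_measurements(img, cert)}")
```

Across UKI updates the UKI certificate keeps PCR7 stable, so a PCR7-only policy survives updates while still excluding a vmlinuz boot.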
Closing this as a redhat-release component bug, as it needs to be filed with the ProdSec team (and they are not in Bugzilla).