diff --git a/SLES-UEFI-CA-Certificate.crt b/SLES-UEFI-CA-Certificate.crt
new file mode 100644
index 0000000..56f3fce
--- /dev/null
+++ b/SLES-UEFI-CA-Certificate.crt
@@ -0,0 +1,39 @@ +-----BEGIN CERTIFICATE----- +MIIG5TCCBM2gAwIBAgIBATANBgkqhkiG9w0BAQsFADCBpjEtMCsGA1UEAwwkU1VT +RSBMaW51eCBFbnRlcnByaXNlIFNlY3VyZSBCb290IENBMQswCQYDVQQGEwJERTES +MBAGA1UEBwwJTnVyZW1iZXJnMSEwHwYDVQQKDBhTVVNFIExpbnV4IFByb2R1Y3Rz +IEdtYkgxEzARBgNVBAsMCkJ1aWxkIFRlYW0xHDAaBgkqhkiG9w0BCQEWDWJ1aWxk +QHN1c2UuZGUwHhcNMTMwMTIyMTQyMDA4WhcNMzQxMjE4MTQyMDA4WjCBpjEtMCsG +A1UEAwwkU1VTRSBMaW51eCBFbnRlcnByaXNlIFNlY3VyZSBCb290IENBMQswCQYD +VQQGEwJERTESMBAGA1UEBwwJTnVyZW1iZXJnMSEwHwYDVQQKDBhTVVNFIExpbnV4 +IFByb2R1Y3RzIEdtYkgxEzARBgNVBAsMCkJ1aWxkIFRlYW0xHDAaBgkqhkiG9w0B +CQEWDWJ1aWxkQHN1c2UuZGUwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC +AQCrLYL1Uq02iIgro6x6PFESFDtUKU7xO/bJanI7+AQAroowFuLBI67BBSmoq3hR +QnH3OtQusGV8y+wvjaaunppvWMfjViZ88zssj5fKXrDr5U6BB566DJgHreWaEs2d +FD13XpKRr3Nk9zdjAJu5YsR7hI1NMXsnj1X8w71OY9HLjv+Kq9917PJwZQjOGnAJ +BQTi0ogHuLiwDqMKgg5rrYD4cJDPzoLEmEXnwHDIOSiWdD0bCzhN6GQDKldIxQ2O +d/mjUgzB+dWslIb+bUKaoJgDtyPV20W74t7Y2uwoaEVr9QkPoM3tOPttf4qsWo8B +J1TgeoF01ZeKcvSyvOXCKbfAN9sqURK2ZUTNThqZ//VPQmJP6fByrMJsbvTOSsQt +HI+fFPrg1DC2KT8SzuGtWDRscHZ7MofvUKEQolVgkGwp8u68t/RAAwDpUdqIajzi +yfp9qSDD+9uMeyiLa4rrAr2ATGohNBa0qha95slgvSepXbYKuHG5b4fWMsG7z4Uc +dqE2vK8cQma1nsAeQBaq2/89294TOHEzKyspesfCBCnKQ3q+l9xelYRdvapj1CH/ +cfUZf2/6X3VHN1P88RfRrPubswmrcOCEBT41upa2WKRDJ1GS6YhL6LJnrZSTjfe+ +KsfNVS1D+KqSKiK0hfk6YK6O88mMGeAKQs3Ap8WthBLf0QIDAQABo4IBGjCCARYw +DwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUPU1Az5OFOQJLHPxaEt7f6LF+dV8w +gdMGA1UdIwSByzCByIAUPU1Az5OFOQJLHPxaEt7f6LF+dV+hgaykgakwgaYxLTAr +BgNVBAMMJFNVU0UgTGludXggRW50ZXJwcmlzZSBTZWN1cmUgQm9vdCBDQTELMAkG +A1UEBhMCREUxEjAQBgNVBAcMCU51cmVtYmVyZzEhMB8GA1UECgwYU1VTRSBMaW51 +eCBQcm9kdWN0cyBHbWJIMRMwEQYDVQQLDApCdWlsZCBUZWFtMRwwGgYJKoZIhvcN +AQkBFg1idWlsZEBzdXNlLmRlggEBMA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0B +AQsFAAOCAgEANtdMT47CjQtuERYa5jfygIO5F+urB4fl8pYcQQ/hTPE0KtAnAtrS +1strtMrVQ1t7Wu3fVbWYA6MZMXXkcwyyNbaWfj6roaSC6G5ZqCJ69oSyzaCbyaTI +eOgzIIiVGOAj7tiM6T88Xp9qx4Xa3F6UQHF6xfwBT3nNKerGKOG01p7mBfBewwO5 
+Hxp7OAZmennUxV1uuT5/AsArxw9lMlawXhIAS7tRYHW+32D4tjHPDycldOw1hBjt +z5JdehBiTmxhJ6onl0HSpsX84IMSbkeFIxLfxIF0TNas1pGnSGmh8FcV+ck9js3P +yamJcNkgCstIwo3QZ2D5YdtQjOusyEuGjCIpDIQx36OMzeOo0SayOdzb2dSmcrHv +4DIkXDUELyIzu79A2R2KR7OQaGL6HGAVy6+yXHHygTbbUrb6ck2+aOG8913ChABc +ZAiSFFRKVZzzj7FeIxZNA8GBUbhd20eQB2fUXDypeAnTG6P3dtTs84xNb1qGm3VC +OAKjkWYQijLWmAOs9Q4NM/AXOeDTgXxA7iX7kWHRNeDbACirp7zM2ZOIP5ObIS6z +yMqcG9DecSVbXiH3MJDTBoB1idQTTyreqpM/l6N8xNNVjEiLJGMEM1SeYq6S1lFV +a+GcdOaLYkh7ya3I42l/tDOqH2OLIf7FEtocnc1xU6jTz8au1tZxec8= +-----END CERTIFICATE----- diff --git a/grub2.changes b/grub2.changes index f8e3bf9..2ee24d6 100644 --- a/grub2.changes +++ b/grub2.changes @@ -1,3 +1,12 @@ +------------------------------------------------------------------- +Thu Mar 28 02:57:47 UTC 2013 - mchang@suse.com + +- package Secure Boot CA file as /usr/lib64/efi/grub.der which + could be used to verify signed image from build server +- add openSUSE-UEFI-CA-Certificate.crt, openSUSE Secure Boot CA +- add SLES-UEFI-CA-Certificate.crt, SUSE Linux Enterprise Secure + Boot CA + ------------------------------------------------------------------- Mon Mar 25 17:37:59 UTC 2013 - dvaleev@suse.com diff --git a/grub2.spec b/grub2.spec index 13a6525..e1314ac 100644 --- a/grub2.spec +++ b/grub2.spec @@ -48,6 +48,7 @@ BuildRequires: xz-devel %ifarch x86_64 %if 0%{?suse_version} >= 1230 || 0%{?suse_version} == 1110 BuildRequires: pesign-obs-integration +BuildRequires: openssl >= 0.9.8 %endif %endif @@ -102,6 +103,8 @@ Source6: grub2-once Source7: 20_memtest86+ Source8: Makefile.util.am Source9: Makefile.core.am +Source10: openSUSE-UEFI-CA-Certificate.crt +Source11: SLES-UEFI-CA-Certificate.crt Source1000: PATCH_POLICY Patch0: grub2-correct-font-path.patch Patch1: rename-grub-info-file-to-grub2.patch 
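Review bot: Nothing in the spec records where the two CA certificates added as `Source10` and `Source11` were obtained or what fingerprint each should have, so a later replacement of either .crt file would be hard to spot in review. These files become the trust anchor shipped as grub.der, so it is worth adding a comment above each line such as `# SHA256 fingerprint: <FINGERPRINT_PLACEHOLDER>, obtained from <SOURCE_URL_PLACEHOLDER>`. Packagers can then re-check the value with `openssl x509 -noout -fingerprint -sha256 -in FILE`.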
@@ -313,6 +316,33 @@ GRUB_MODULES="${CD_MODULES} ${FS_MODULES} ${PXE_MODULES} mdraid09 mdraid1x lvm" #./grub-mkimage -O %{grubefiarch} -o grub.efi -d grub-core part_gpt hfsplus fat \ # ext2 btrfs normal chain boot configfile linux appleldr minicmd \ # loadbios reboot halt search font gfxterm + +%ifarch x86_64 +%if 0%{?suse_version} >= 1230 || 0%{?suse_version} == 1110 +if test -e %{_sourcedir}/_projectcert.crt ; then + prjsubject=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -subject_hash) + prjissuer=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -issuer_hash) + opensusesubject=$(openssl x509 -in %{SOURCE10} -noout -subject_hash) + slessubject=$(openssl x509 -in %{SOURCE11} -noout -subject_hash) + if test "$prjissuer" = "$opensusesubject" ; then + cert=%{SOURCE10} + fi + if test "$prjissuer" = "$slessubject" ; then + cert=%{SOURCE11} + fi + if test "$prjsubject" = "$prjissuer" ; then + cert=%{_sourcedir}/_projectcert.crt + fi +fi +if test -z "$cert" ; then + echo "cannot identify project, assuming openSUSE signing" + cert=%{SOURCE10} +fi + +openssl x509 -in $cert -outform DER -out grub.der +%endif +%endif + cd .. %endif @@ -343,11 +373,6 @@ make %{?_smp_mflags} %install %ifarch %{efi} -%ifarch x86_64 -%if 0%{?suse_version} >= 1230 || 0%{?suse_version} == 1110 -export BRP_PESIGN_FILES="%{_libdir}/%{name}/%{grubefiarch}/grub.efi" -%endif -%endif cd build-efi make DESTDIR=$RPM_BUILD_ROOT install @@ -363,6 +388,13 @@ install -m 644 grub.efi $RPM_BUILD_ROOT%{_libdir}/%{name}/%{grubefiarch}/. install -d $RPM_BUILD_ROOT%{sysefidir} ln -sf ../../../%{_libdir}/%{name}/%{grubefiarch}/grub.efi $RPM_BUILD_ROOT%{sysefidir}/grub.efi +%ifarch x86_64 +%if 0%{?suse_version} >= 1230 || 0%{?suse_version} == 1110 +export BRP_PESIGN_FILES="%{_libdir}/%{name}/%{grubefiarch}/grub.efi" +install -m 444 grub.der $RPM_BUILD_ROOT%{sysefidir}/ +%endif +%endif + cd .. %endif 
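Review bot: `cert` is never initialised before the `if test -z "$cert"` fallback, so a `cert` value inherited from the build environment would bypass both the project-certificate checks and the openSUSE default and go straight into the unquoted `openssl x509 -in $cert`; open the block with `cert=` and write the last command as `openssl x509 -in "$cert" -outform DER -out grub.der`. The selection itself compares `-issuer_hash` with `-subject_hash`, which hash only the distinguished names, so a `_projectcert.crt` that merely names one of the two CAs as issuer selects that CA without its signature being checked; a comment such as `# match is by issuer name only, the signature is not verified here` would make that limit visible. The fallback also runs for `suse_version == 1110`, where shipping the openSUSE CA as grub.der looks unintended, and it only echoes to stdout, so consider `exit 1` there or at least sending the message to stderr. The surrounding %build section starts and ends outside this hunk.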
@@ -593,6 +625,12 @@ fi %{_libdir}/%{name}/%{grubefiarch}/modinfo.sh %dir %{sysefidir} %{sysefidir}/grub.efi + +%ifarch x86_64 +%if 0%{?suse_version} >= 1230 || 0%{?suse_version} == 1110 +%{sysefidir}/grub.der +%endif +%endif %endif %changelog diff --git a/openSUSE-UEFI-CA-Certificate.crt b/openSUSE-UEFI-CA-Certificate.crt new file mode 100644 index 0000000..7a4c704 --- /dev/null +++ b/openSUSE-UEFI-CA-Certificate.crt 
@@ -0,0 +1,37 @@ +-----BEGIN CERTIFICATE----- +MIIGdDCCBFygAwIBAgIBATANBgkqhkiG9w0BAQsFADCBgTEgMB4GA1UEAwwXb3Bl +blNVU0UgU2VjdXJlIEJvb3QgQ0ExCzAJBgNVBAYTAkRFMRIwEAYDVQQHDAlOdXJl +bWJlcmcxGTAXBgNVBAoMEG9wZW5TVVNFIFByb2plY3QxITAfBgkqhkiG9w0BCQEW +EmJ1aWxkQG9wZW5zdXNlLm9yZzAeFw0xMzAxMjgxNDUzMzBaFw0zNDEyMjQxNDUz +MzBaMIGBMSAwHgYDVQQDDBdvcGVuU1VTRSBTZWN1cmUgQm9vdCBDQTELMAkGA1UE +BhMCREUxEjAQBgNVBAcMCU51cmVtYmVyZzEZMBcGA1UECgwQb3BlblNVU0UgUHJv +amVjdDEhMB8GCSqGSIb3DQEJARYSYnVpbGRAb3BlbnN1c2Uub3JnMIICIjANBgkq +hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuqmSgrdlO0B96sOK5mJj1k4OetzmP6l8 +YKdy+HdzN/3bS97vfqIIqb0YCgzmJROSLsXv6WQReuAtKbftgla6R/dOvKU/CxCN +z0uCbzuM+gN5Q7pSWifnm81QNDowFpxZlJBFvIP92zh5yWNEGqVzMN0jDjOFxLfh +O1sx6W8YBOYzScWrlTKysH6uK79gWenwvh3nmkx+68PV08azmizG6As4IAPDqtd/ +w92iLTzjLVGp32wFDhLuDleojjvJgnOGngKa8oRcLlvfh07wKO0urjt8/3HKxcUf +RmbSyaLdfP8lOt/mFPpfN4kev9wjqdbIhLIZs6iKbu+hR40QfAR46V8vnPoeIYeM +ibsl1mvr0U7O6w7kTQuzW7JmJkCYf7n4HoPBgxTzgjKlsBGY0I+dTvZXozsKuTKx +ir/w6WWcdkIWoXJh00Nb9eWqFQr0exG0hwa1o0ESXjv7aJHwg39B6m8MZVppdpmg +i0G8pOKtHQZ6OR87YeSUHJ400ocIfYMOAybuB/5rHfC58BvCcjaZwHKTkHlyx28i +EXgFyzGMqbWlgmI5RJ8UzaM6rTaieIRSsyGbYrDa89BFMhGmY8xMIeeT8191bLbH +CpX7CMW9npoEqslHL67FMI3LXC5fgYKoPwUnj/TlT0gkjVobEXmXZB6sCDQ6BFTg +4dpPIFEjnxsCAwEAAaOB9DCB8TAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSZ +DSa38E3ZzmTn0Y79aHtKXeKGpTCBrgYDVR0jBIGmMIGjgBSZDSa38E3ZzmTn0Y79 +aHtKXeKGpaGBh6SBhDCBgTEgMB4GA1UEAwwXb3BlblNVU0UgU2VjdXJlIEJvb3Qg +Q0ExCzAJBgNVBAYTAkRFMRIwEAYDVQQHDAlOdXJlbWJlcmcxGTAXBgNVBAoMEG9w +ZW5TVVNFIFByb2plY3QxITAfBgkqhkiG9w0BCQEWEmJ1aWxkQG9wZW5zdXNlLm9y +Z4IBATAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggIBAFsmHlxiAGKu +Qyx1qb6l7bEWgXAePQfVaaCEH4Mn+oq80kJ67S7s6We8e5QJOgYznk5mDk+PTUC/ +phkP3aJRqZAf5UDrQkOHobpk7FFBxZKjZfULPls3H9+Hichw/XJ2/xJwG+Ja6pgD +dNO2UaKOjZHCiyZ4ehO7syle/EgQALVwKH4cVq6zIh4xUH4r9WvfdR5vkhhTgM/0 +nzzoBnFRnCUpcsLPj10246wVuLQcliZBeKjiV4xqrMe6cXX8crHvZqqJPZ2jMTGD +eVIpVES12ZpMT7SbQbcDR1XgjqrL3U9vfcabdqLU60000ALvnDFNN0Sm7xhB+d3c 
+sDIyJMwSfIb9jWApsB/En5uRCM++ruqjyFiqTCORo9gzaocw6gut6WYs2TOrZ2NO +Tq4JNAFfCL/z0p8jdz1dJZmqpgFAlltKNNDWV6KlBPUAdxDEbIiuGoYweB+Zxed3 +BKdlrKGcH0ewPmzt4vVLCl2yFoODxjVtndXieDt/BWIYltMjqYU1qrrOdISHdeAG +A24L/uxiU4Ej2bKKWNYtvrGMNLMUWBTx5afHMQnK9MD8Z6cpjccNaR0Pe9ZCBRGI +xyUitlfnU604q1GfYdymiq4mUvSEgy3vbbsVBvcAKElN+hWpAeZbiWc/KcBWKMtp +4aQ0yoLWDFkQNGU0rGazsu3hpOWta6mL +-----END CERTIFICATE-----