Sure, this is how I solved it (a more detailed version of this can be found at
http://www.rodsbooks.com/refind/secureboot.html#shim; just don't run the efibootmgr step).
You will need the following:
1. Porteus-3.1 (I used the LXQt iso just cause)
2. rEFInd boot loader binary zip file from
http://www.rodsbooks.com/refind/getting.html (make sure to download the binary zip file; you only need a file from it)
3. the shim boot loader (
http://www.codon.org.uk/~mjg59/shim-signed/ I downloaded the file shim-signed-0.2.tgz)
4. openssl
5. sbsign (this is a tool that I found easiest to use on my Ubuntu desktop since you can get it from the package manager)
6. A computer or VM that can boot UEFI
7. A USB stick (I am using one that is 2GB in size)
8. gdisk util (so you can make a GPT partition on the USB drive)
First you will need to use gdisk to create a GPT boot table on the USB stick.
Then create a partition that spans the whole USB stick.
Format this partition to FAT32.
Copy the contents of the porteus ISO to the USB stick
Rename the file /EFI/BOOT/bootx64.efi to /EFI/BOOT/grubx86.efi
Copy the files shim.efi and mokmanager.efi from the shim tgz file to the /EFI/BOOT folder on the USB stick
Rename the shim.efi file to bootx64.efi
Copy the file refind.cer from the refind zip file to the /EFI/BOOT folder on the USB stick
Create a key to sign the Linux kernel
The following two lines will create the key we are going to use to sign the kernel:
openssl req -new -x509 -newkey rsa:2048 -keyout refind_local.key -out refind_local.crt -nodes -days 3650 -subj "/CN=Porteus/"
openssl x509 -in refind_local.crt -out refind_local.cer -outform DER
Now sign the kernel
sbsign --key refind_local.key --cert refind_local.crt --output vmlinuz-signed vmlinuz
Now copy the file refind_local.cer to the /EFI/BOOT folder on the USB stick and copy the file vmlinuz-signed to the /boot/syslinux folder on the USB stick
Make sure to go into the refind.conf file and point the boot option to the vmlinuz-signed kernel
Boot your UEFI system with the USB stick and you should see a boot screen that has the option "Enroll key from disk"; select this
Navigate to the /EFI/BOOT folder on the USB stick that you booted the computer with
First select the refind.cer file and answer 0 and yes to register the file with shim
Then select the refind_local.cer file and answer 0 and yes to register the file with shim
Now you should be able to reboot the machine and shim will kick off the rEFInd boot loader, from which you should then be able to kick off the Linux boot.
Seems to be working for me.
This seems to not require me to register the key I signed the Linux kernel with in the UEFI firmware on the computer, which is what I wanted since I didn't want to have to register it on all the computers I support.
Hope this helps, if this doesn't make sense also let me know.
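
Added example, not part of the original post: sbsign works on PE/COFF images and attaches the signature in the PE certificate table, so a quick check before copying vmlinuz-signed to the stick is to confirm that the table is present and well-formed. The helper names and the sample header bytes are constructed for this illustration.

```python
import struct

CERT_DIR = 4            # data directory index of the PE certificate table
PKCS7_SIGNED = 0x0002   # WIN_CERT_TYPE_PKCS_SIGNED_DATA (Authenticode)

def pe_signatures(image: bytes):
    """Return (length, revision, type) per WIN_CERTIFICATE entry; [] if unsigned."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ header: not a PE/EFI image")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = pe_off + 24                          # optional header follows COFF header
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)   # PE32 vs PE32+
    (count,) = struct.unpack_from("<I", image, dirs - 4)
    # The certificate table entry holds a file offset (not an RVA) and a size.
    off, size = struct.unpack_from("<II", image, dirs + 8 * CERT_DIR) if count > CERT_DIR else (0, 0)
    if off == 0 or size == 0:
        return []
    if off + size > len(image):
        raise ValueError("certificate table runs past end of file")
    entries, pos, end = [], off, off + size
    while pos + 8 <= end:
        length, rev, ctype = struct.unpack_from("<IHH", image, pos)
        if length < 8 or pos + length > end:
            raise ValueError("malformed WIN_CERTIFICATE entry")
        entries.append((length, rev, ctype))
        pos += (length + 7) & ~7               # entries are 8-byte aligned
    return entries

def build_sample(signed: bool) -> bytes:
    """Constructed minimal PE32+ header for the demo, not a bootable kernel."""
    pe_off, opt = 0x40, 0x40 + 24
    img = bytearray(opt + 112 + 16 * 8)
    img[:2], img[pe_off:pe_off + 4] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, pe_off)
    struct.pack_into("<H", img, opt, 0x20B)
    struct.pack_into("<I", img, opt + 108, 16)     # NumberOfRvaAndSizes
    if signed:  # stand-in bytes, not a real PKCS#7 signature
        cert = struct.pack("<IHH", 20, 0x0200, PKCS7_SIGNED) + b"\x30" * 12 + b"\0" * 4
        struct.pack_into("<II", img, opt + 112 + 8 * CERT_DIR, len(img), len(cert))
        img += cert
    return bytes(img)

if __name__ == "__main__":
    for name, signed in (("vmlinuz", False), ("vmlinuz-signed", True)):
        print(name, pe_signatures(build_sample(signed)) or "unsigned")
```

This only shows that a signature is attached; sbverify, which ships alongside sbsign, checks it against a certificate, for example `sbverify --cert refind_local.crt vmlinuz-signed`.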