And I just got the update (2011 → 2023) offered by fwupdmgr refresh & fwupdmgr get-updates for the 3rd party Microsoft Key:
Description:
This updates the 3rd Party UEFI Signature Database (the "db") to the latest release from Microsoft. It also adds the latest OptionROM UEFI Signature Database update.
And efi-readvar -v db | grep "UEFI CA" seems to hint that the keys got updated successfully:
C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011
C=US, O=Microsoft Corporation, CN=Microsoft UEFI CA 2023
C=US, O=Microsoft Corporation, CN=Microsoft Option ROM UEFI CA 2023
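Added example, not part of the original post: a stricter form of the `grep "UEFI CA"` check that only counts certificate subjects, so a CA name that appears on an Issuer line is not mistaken for an enrolled key. The `Subject:`/`Issuer:` layout of `efi-readvar -v` output, the function names and the sample text are assumptions constructed for illustration; the three CNs are the ones listed above.

```shell
#!/bin/sh
# CNs the post above expects to see in db after the update.
EXPECTED_CAS='Microsoft Corporation UEFI CA 2011
Microsoft UEFI CA 2023
Microsoft Option ROM UEFI CA 2023'

# Print the CN of each certificate *subject* found on stdin.
# Assumed layout: the DN sits on the line after a "Subject:" label, CN last.
subject_cns() {
    awk '
        /^[ \t]*Subject:[ \t]*$/ { want = 1; next }
        want { want = 0; if (match($0, /CN=.*$/)) print substr($0, RSTART + 3) }
    '
}

# Print every expected CA that is not a subject on stdin; return 1 if any is missing.
missing_db_cas() {
    found=$(subject_cns)
    miss=0
    while IFS= read -r ca; do
        printf '%s\n' "$found" | grep -Fxq -- "$ca" || { printf '%s\n' "$ca"; miss=1; }
    done <<EOF
$EXPECTED_CAS
EOF
    return "$miss"
}

# Constructed sample (not captured from a real machine); issuers are placeholders.
SAMPLE='        Subject:
            C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011
        Issuer:
            CN=Placeholder Root A
        Subject:
            C=US, O=Microsoft Corporation, CN=Microsoft UEFI CA 2023
        Issuer:
            CN=Placeholder Root B
        Subject:
            C=US, O=Microsoft Corporation, CN=Microsoft Option ROM UEFI CA 2023
        Issuer:
            CN=Placeholder Root B'

# On a real system: efi-readvar -v db | missing_db_cas
printf '%s\n' "$SAMPLE" | missing_db_cas && echo "db has all expected CAs"
```

A non-zero exit status with one or more CNs printed means the db update did not enroll every expected certificate.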