mjg59 4 days ago

Not like that, you can't. Firstly, that's not a KEK cert - the KEK cert is "Microsoft Corporation KEK CA 2023". And secondly, mokutil manages the MOK database, not the firmware database. MOK keys control what shim will trust, but it's the firmware keys that control whether or not shim will boot in the first place.

Users should absolutely be able to install the db update by hand if they choose to, but it's late and I don't have the commands to hand. I'll write another post on this soon.

TacticalCoder 4 days ago

[dead]