Kernel Mode Certificate Ordering Instructions

Kernel-Mode Code-Signing Certificate Ordering, Installation and Driver Signing

Option to Reissue for an Authenticode Certificate

If you have purchased a driver-signing certificate and would like to use the same certificate to sign applications with Authenticode, your current driver-signing certificate won't work for that. You can, however, reissue your certificate to obtain an Authenticode code-signing certificate, and your Kernel Mode Driver Signing certificate will still be valid. To do so:

  1. Log in to your account, click the '+' to expand your certificate options, choose Re-Key your certificate, and choose 'Microsoft Authenticode' as the platform.

  2. For step-by-step instructions, see Signing Microsoft Applications with Signtool under the heading 'Option to Reissue for an Authenticode Certificate'.

Driver Signing Certificate Configuration Process

How to Prepare your Computer to Install and Use a Driver Signing Certificate

  1. After you have ordered your driver-signing certificate and it has been fully validated and issued by the DigiCert staff, you will be sent an email containing a link to install your Code Signing Driver Release Certificate. Open this link in Internet Explorer on the computer on which you want the Code Signing certificate installed, so that it is installed into the Current User's Personal certificate store for Windows, which is the store the WDK tools use when signing the driver.

    Note: If you open the link mentioned in this step in a web browser other than Internet Explorer (e.g. Firefox or Opera), the certificate will be installed at the browser level rather than the OS level, so it would need to be exported from the browser and imported into the MMC.

    Note: As a security best practice, after completing the release driver signing, export the kernel-mode signing certificate to a secure location such as a smart card, then remove the kernel-mode code-signing certificate entirely from your computer (Start > Run > type 'certmgr.msc' and press Enter > Personal > Certificates > select your certificate and press the Delete key).

  2. Next, download the DigiCert Code Signing Cross-Certificate. You will then need to expand this zip file and import the certificate:

    Start > type certmgr.msc and press Enter.
    Right-click Intermediate Certification Authorities and choose All Tasks > Import.
    Open the file 'DigiCert High Assurance EV Root CA.crt' and continue through the Wizard.
    Choose 'Automatically select the certificate store based on the type of certificate', then click 'Next' and 'Finish'.
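The same store preparation done from PowerShell, with the checks a practitioner wants before signing (an added example, not code from the DigiCert page). It assumes Windows PowerShell with the PKI module (Windows 8 / Server 2012 or later) and that the expanded cross-certificate sits at the assumed path $CrossCertPath.

```powershell
# Added example (not from the DigiCert page): import the cross-certificate into
# Intermediate Certification Authorities and sanity-check the Personal store.
$CrossCertPath = 'C:\Certs\DigiCert High Assurance EV Root CA.crt'   # assumed path

# 1. Cert:\CurrentUser\CA is the Intermediate Certification Authorities store
#    that the MMC steps above target.
$cross = Import-Certificate -FilePath $CrossCertPath -CertStoreLocation 'Cert:\CurrentUser\CA'
"Cross-certificate installed: $($cross.Subject) (thumbprint $($cross.Thumbprint))"

# 2. Confirm the driver-signing certificate is in the Current User's Personal
#    store (Cert:\CurrentUser\My), carries the Code Signing EKU and has a usable
#    private key. If the issuance link was opened in a non-IE browser, this is
#    where you find out: the certificate never reaches this store.
$signers = Get-ChildItem 'Cert:\CurrentUser\My' -CodeSigningCert |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) }
if (-not $signers) {
    throw 'No valid code-signing certificate with a private key in CurrentUser\My; export it from the browser and import it via certmgr.msc.'
}
foreach ($c in $signers) {
    [pscustomobject]@{
        Subject    = $c.Subject
        Thumbprint = $c.Thumbprint
        NotAfter   = $c.NotAfter
        # True when the certificate chains to a root this machine trusts.
        ChainOk    = $c.Verify()
    }
}
```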

Install the WDK and Prepare Your Catalog Files for Signing Using Microsoft Tools

  1. Download and install the Windows Driver Kit onto your computer.

  2. Add the installation path of the WDK to your computer's PATH:
    Start > Control Panel > System > Advanced System Settings > (Advanced tab) > Environment Variables.
    Under 'System variables', scroll down to Path, click Edit, add the following to the end of the line and click OK: (Previous\Path\Contents\);C:\Path\To\Windows_Driver_Kit_Installation\

  3. Next, create a driver catalog file using either Inf2Cat, Signability, or MakeCat from the Windows Driver Kit tools or the Winqual Submission Tools. Basic documentation for these tools is shown below:

    Inf2Cat and Stampinf

    Inf2Cat is not included in the WDK tools; it is installed with the Winqual Submission Tools. In Windows Server 2008, inf2cat is included. Run the following command to update the version information for your driver:
    stampinf -f yourdriver.inf -d [02/5/2012] -v [1.0.1.0000.1]
    Command-Line Options:
    -f      Path to .inf source(s).
    -d      Optional string to include the release date of this version.
            To use the computer's current date, use -d *
    -v      Optional string to include the version number in the driver directive.
            To use the current time, use -v *
            (e.g. stampinf -f yourdriver.inf -d * -v *)


    Using Inf2cat.exe:
    Inf2cat.exe /driver:src\path\to\inf_file(s)\ /os:7_X64,7_X86
    Command-Line Options:
    /driver     [directory containing the INF files you want converted to Catalog files]
                These INF files must have a CatalogFile directive.
    /os         [specifies which Windows version(s) the catalog file will be created for; separate multiple values with commas and no spaces]
                Note: the INF must contain entries compatible with the /os selected.

    Signability

    Using Signability.exe (note that this doesn't support Windows versions later than Windows Vista):
    This isn't too different from the above instructions for inf2cat.exe:
    Signability.exe /auto /cat /driver:C:\path\to\inf\file(s)\ /os:512
    Command-Line Options:
    /auto       Unattended (no user interaction required)
    /cat        Create .cat files from INF file(s).
    /os         Supported Windows OS versions are:
                8=XP 32-bit
                16=XP 64-bit
                32=Server 2003 32-bit
                128=Server 2003 64-bit
                256=Vista 32-bit
                512=Vista 64-bit

    MakeCat

    For the MakeCat utility to make a catalog for drivers that aren't installed with an INF file, please see the Microsoft MakeCat documentation page.
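The stampinf / inf2cat steps above as one script, with the CatalogFile-directive check that Inf2Cat requires done up front (an added example, not code from the DigiCert page). It assumes stampinf.exe and inf2cat.exe are on PATH (step 2 above) and that $DriverDir is your driver source folder (an assumed path).

```powershell
# Added example (not from the DigiCert page): check every INF for a CatalogFile
# directive, stamp the DriverVer date/time, then build the catalog(s).
$DriverDir = 'C:\drivers\mydriver'   # assumed path
$OsList    = '7_X64,7_X86'           # comma-separated, no spaces

$infFiles = Get-ChildItem -Path $DriverDir -Filter '*.inf'
if (-not $infFiles) { throw "No .inf files found in $DriverDir" }

foreach ($inf in $infFiles) {
    # Inf2Cat refuses INFs without a CatalogFile directive (CatalogFile=,
    # CatalogFile.NT=, CatalogFile.NTamd64= ...); catch that before running it.
    $hasCatalog = Select-String -Path $inf.FullName -Pattern '^\s*CatalogFile(\.\w+)?\s*=' -Quiet
    if (-not $hasCatalog) {
        throw "$($inf.Name) has no CatalogFile directive in its [Version] section"
    }
    # -d * and -v * stamp the current date and time into the DriverVer directive.
    & stampinf.exe -f $inf.FullName -d '*' -v '*'
    if ($LASTEXITCODE -ne 0) { throw "stampinf failed on $($inf.Name) (exit $LASTEXITCODE)" }
}

# /driver takes the directory, not an INF path; /os is the comma-separated list.
& inf2cat.exe "/driver:$DriverDir" "/os:$OsList"
if ($LASTEXITCODE -ne 0) { throw "inf2cat failed (exit $LASTEXITCODE)" }

# Inf2Cat writes the .cat file(s) named by each CatalogFile directive into $DriverDir.
Get-ChildItem -Path $DriverDir -Filter '*.cat' | Select-Object Name, Length, LastWriteTime
```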

Signing Your Driver Files Using SignTool

Obtain Your Subject Name then Run the SignTool Command

  1. You will need to get your certificate's subject name by either of the following methods:

    First, you can get your certificate's subject name using the DigiCert Utility. In the image below, the subject name is the company that the code-signing certificate is issued to, i.e. DigiCert, Inc.

    [Image: Code Signing Certificate Subject Name]

    Second, you can get the Subject Name from the Current User's MMC Certificate Snap-In:
    Start > type certmgr.msc and press Enter.
    Expand Personal > Certificates and double-click your certificate.
    Then go to the Details tab, scroll down to Subject, select this name, and copy it to the clipboard for the next step.

  2. Next, release-sign the catalog file by running the following signtool command from an elevated command prompt on a single line:

    Note: At the very least you will need to replace the subject name (/n) and the file path with your own values.
    signtool.exe sign /v /ac "DigiCert High Assurance EV Root CA.crt" /s My /n "Common Name, Inc." /t http://timestamp.digicert.com "T:\SMX11MX.sys"
    Command-Line Options:
    /ac         Cross-signing certificate authority (the cross-certificate file downloaded earlier)
    /v          Verbose mode: shows whether commands ran successfully, or displays errors/warnings.
    /s          Which certificate store to sign from (My = the current user's Personal store)
    /t          Timestamp server (this should always be http://timestamp.digicert.com)
    "T:\SMX11MX.sys"     The file you're signing (here a driver file; a catalog file is signed the same way)
    /n          Certificate's Subject Name (i.e. the full legal organization name the certificate was issued to, e.g. 'Your Company, Inc.').
                To get your Certificate's Subject Name: Start > Run > 'certmgr.msc' [Enter]
                Personal > Certificates, then double-click on your certificate.
                Go to the Details tab, scroll down to Subject, select this name, and copy it to the clipboard.

  3. After running the above command, your driver files should be signed with your new certificate.

Verifying Your Driver

You can then verify the signature with this command:
signtool verify /v /kp "C:\SMX11MX.sys"
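The sign-then-verify steps above as one script that reads the subject name from the Personal store instead of copying it out of the MMC, and fails the build unless the kernel-mode policy check and the timestamp are both in place (an added example, not code from the DigiCert page). It swaps /n for /sha1 so the exact certificate is pinned by thumbprint; $FileToSign and $CrossCertPath are assumed paths, and signtool.exe is assumed to be on PATH.

```powershell
# Added example (not from the DigiCert page): release-sign with the cross-cert
# and a timestamp, then verify under the kernel-mode driver policy.
$FileToSign    = 'T:\SMX11MX.sys'                                     # assumed path
$CrossCertPath = 'C:\Certs\DigiCert High Assurance EV Root CA.crt'    # assumed path
$Timestamp     = 'http://timestamp.digicert.com'

# Step 1: pick the code-signing certificate with a private key from the My store.
$cert = Get-ChildItem 'Cert:\CurrentUser\My' -CodeSigningCert |
    Where-Object { $_.HasPrivateKey } | Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'No code-signing certificate with a private key in CurrentUser\My' }

# The Common Name is what /n matches on; shown here so the operator can confirm it.
$subjectCn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
"Signing with: $subjectCn (thumbprint $($cert.Thumbprint), expires $($cert.NotAfter))"

# Step 2: release-sign. /sha1 pins the certificate by thumbprint, which avoids
# picking the wrong one when several certificates share a Common Name.
& signtool.exe sign /v /ac $CrossCertPath /s My /sha1 $cert.Thumbprint /t $Timestamp $FileToSign
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed (exit $LASTEXITCODE)" }

# Step 3: verify under the kernel-mode driver policy (/kp). A signature that
# passes plain 'signtool verify' can still fail here if the cross-certificate
# was not embedded via /ac.
& signtool.exe verify /v /kp $FileToSign
if ($LASTEXITCODE -ne 0) { throw "kernel-mode policy verification failed (exit $LASTEXITCODE)" }

# Step 4: confirm the signature is timestamped so it stays valid after the
# signing certificate expires.
$sig = Get-AuthenticodeSignature -FilePath $FileToSign
if ($sig.Status -ne 'Valid') { throw "Authenticode status is $($sig.Status)" }
if (-not $sig.TimeStamperCertificate) { throw 'Signature is not timestamped' }
"OK: $FileToSign signed by $($sig.SignerCertificate.Subject), timestamped by $($sig.TimeStamperCertificate.Subject)"
```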
