Instructions for Installing and Using Kernel-Mode Certificates

To sign drivers, you must have selected Microsoft Kernel-Mode Code as the platform when purchasing your certificate. If you did not select Microsoft Kernel-Mode Code, you can reissue your certificate by logging into your account, clicking + next to the certificate, and choosing Re-Key your Certificate. You can then select Microsoft Kernel-Mode Code as the platform.

Depending on whether you have an EV or non-EV Code Signing Certificate, read one of the following sections and then continue with the article.

EV Code Signing

After you purchase an EV code signing certificate, DigiCert will validate your information and send your token in the mail. To sign applications with the token, you will also need to download the token's client software through your DigiCert Management Console.

Next, download the Code Signing Cross-Certificate using the instructions below.

Non-EV Code Signing

After you purchase a non-EV code signing certificate, DigiCert will validate your information. After your information is validated, you will receive an email that contains a link to install your kernel-mode certificate.

Open the install link on the computer that you want to install the certificate to. The certificate will be installed to the current user's personal certificate store for Windows and will be used by the WDK tools for signing drivers.

Note: You should open the link in Chrome, Internet Explorer, or Safari. If you open the link in another browser (like Firefox), the certificate will be installed at the browser level rather than the OS level. You will then have to export the certificate from the browser to use it.

Next, download the Code Signing Cross-Certificate using the instructions below.

Downloading the Code Signing Cross-Certificate

You need a copy of the DigiCert Code Signing Cross-Certificate on the computer where you will be signing applications. You will need to specify this certificate in Signtool.

Click here to download the DigiCert Code Signing Cross-Certificate.

Using Kernel-Mode Code Signing Certificates

Deciding the Certificate Location

If you downloaded your kernel-mode code signing certificate in Chrome, Internet Explorer, or Safari, it will automatically be imported into the MMC (or Keychain on Mac computers). You can then sign drivers and applications using the certificate in Signtool.

However, certificates in the MMC/Keychain are exportable and thus could be exported and used by anyone who gains access to the computer. To avoid this, you can export the kernel-mode certificate to a secure location, then remove the certificate from your computer. To remove the certificate, navigate to Start > Run and type certmgr.msc. Click Personal > Certificates, then select the certificate and press Delete. You can then sign applications and drivers using the exported .pfx file.

Using the Certificate

For general instructions on using kernel-mode signing certificates, we highly recommend that you download and read the Microsoft Kernel-Mode Code Signing Walkthrough document. This document contains in-depth instructions for getting started with kernel-mode code signing, as well as using a kernel-mode certificate to sign drivers and other applications. Because you use Microsoft Signtool for signing applications, we also recommend that you contact Microsoft with any signing questions.
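As an added example (not taken from DigiCert's or Microsoft's documentation), the PowerShell script below signs a driver with Signtool using the cross-certificate and either the certificate in the current user's Personal store or an exported .pfx file, then checks the result against the kernel-mode signing policy. The parameter names, file paths, subject name, SHA-256 digest choice and timestamp URL are assumptions to adapt to your environment.

```powershell
# Added example: all paths, the subject name and the timestamp URL are assumptions.
param(
    [Parameter(Mandatory)] [string] $DriverPath,     # driver to sign, e.g. .\mydriver.sys
    [Parameter(Mandatory)] [string] $CrossCertPath,  # downloaded DigiCert cross-certificate
    [string] $SubjectName,                           # subject name, when signing from the Personal store
    [string] $PfxPath                                # exported .pfx, when the certificate was removed from the store
)

$ErrorActionPreference = 'Stop'

# Signtool ships with the WDK / Windows SDK and must be on PATH.
$signtool = (Get-Command signtool.exe).Source

foreach ($path in @($DriverPath, $CrossCertPath)) {
    if (-not (Test-Path -LiteralPath $path)) { throw "File not found: $path" }
}

# /ac adds the cross-certificate to the signature so the chain reaches a root
# that kernel-mode policy accepts.
$signArgs = @('sign', '/v', '/ac', $CrossCertPath,
              '/fd', 'sha256',
              '/tr', 'http://timestamp.digicert.com', '/td', 'sha256')

if ($PfxPath) {
    if (-not (Test-Path -LiteralPath $PfxPath)) { throw "File not found: $PfxPath" }
    # Prompt for the .pfx password instead of storing it in the script.
    # Signtool takes it as an argument, so run this on a trusted machine only.
    $secure = Read-Host -Prompt 'PFX password' -AsSecureString
    $plain  = [System.Net.NetworkCredential]::new('', $secure).Password
    $signArgs += @('/f', $PfxPath, '/p', $plain)
}
elseif ($SubjectName) {
    # "My" is the current user's Personal store, where the install link places the certificate.
    $signArgs += @('/s', 'My', '/n', $SubjectName)
}
else {
    throw 'Specify either -SubjectName (certificate store) or -PfxPath (exported file).'
}

& $signtool @signArgs $DriverPath
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# /kp verifies against the kernel-mode driver signing policy; a signature made
# without the cross-certificate fails here even though the file is signed.
& $signtool verify /kp /v $DriverPath
if ($LASTEXITCODE -ne 0) { throw "Kernel-mode policy verification failed (exit code $LASTEXITCODE)" }

Write-Host "Signed and verified: $DriverPath"
```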


