
Instructions for Installing and Using Kernel-Mode Certificates

 

EV Code Signing Certificates

After you purchase an EV code signing certificate, DigiCert validates your information and sends your token in the mail. To sign applications (such as drivers) with the token, you need to do the following:

  1. Download the token's client software through your DigiCert Management Console.

  2. Next, download the DigiCert Code Signing Cross-Certificate using the instructions below.

  3. On the computer where you installed the Cross-Certificate, you can now use your EV Code Signing Certificate to sign drivers. See Using Kernel Mode Code Signing Certificates.

 

Standard Code Signing Certificates

Standard Code Signing Certificate Requirements

To sign drivers with your Standard Code Signing Certificate, you must have selected Microsoft Kernel-Mode as the platform when you purchased the certificate. If you did not select Microsoft Kernel-Mode, you need to reissue your certificate and select Microsoft Kernel-Mode as the platform.

Note:    The reissuing instructions do not apply to EV Code Signing Certificates. EV Code Signing Certificates support all platforms; you are not required to select a platform when ordering an EV Code Signing Certificate. See EV Code Signing Certificates.

To reissue your certificate with Microsoft Kernel-Mode as the platform:

  1. Log in to your DigiCert account.

  2. On the My Orders tab, click the corresponding order number for your code signing certificate.

  3. Under Reissue Options, click Re-Key Your Certificate.

  4. For server platform, select Microsoft Kernel-Mode and then click Continue to Next Step.

  5. Click Submit Request.

  6. After submitting your request to re-key your code-signing certificate, DigiCert sends an email to the Certificate Requester to verify the request.

Installing Your Code Signing Certificate

After you purchase a standard code signing certificate, DigiCert validates your information and sends you an email that contains a link to install your kernel-mode certificate.

  1. On the computer to which you want to install the certificate, open the installation link in Internet Explorer, Chrome, or Safari*. When you open the link, the certificate is installed to the current user's personal certificate store for Windows and can be used by the WDK tools for signing drivers.

    *Browser Note:    Because the certificate needs to be installed at the Operating System (OS) level, rather than the browser level, we recommend that you open the link in Internet Explorer, Chrome, or Safari. If you open the link in another browser (like Firefox), the certificate will be installed at the browser level rather than the OS level. You will then have to export the certificate from the browser to use it.

  2. Next, download the DigiCert Code Signing Cross-Certificate using the instructions below.

  3. On the computer where you installed your Code Signing Certificate and the Cross-Certificate, you can now use your Code Signing Certificate to sign drivers. See Using Kernel Mode Code Signing Certificates.

 

Downloading the Code Signing Cross-Certificate

Before you can use Signtool to sign applications, you need to install a copy of the DigiCert Code Signing Cross-Certificate on the computer where you will be signing applications. You will need to specify this certificate in Signtool.

Note:    For standard code signing certificates, you need to install the DigiCert Code Signing Cross-Certificate on the computer where you installed your code signing certificate.

Click here to download the DigiCert Code Signing Cross-Certificate.

 

Using Kernel-Mode Code Signing Certificates

Using Your Code Signing Certificate

For general instructions on using kernel-mode signing certificates, we recommend that you download and read the Microsoft Kernel-Mode Code Signing Walkthrough document. This document contains in-depth instructions for getting started with kernel-mode code signing, as well as using a kernel-mode certificate to sign drivers and other applications. Because you use Microsoft Signtool for signing applications, we also recommend that you contact Microsoft with any signing questions.

Deciding the Certificate Location

If you downloaded your kernel-mode code signing certificate in Chrome, Internet Explorer, or Safari, it is automatically imported into the Windows certificate store that you view in the MMC (or into Keychain on Mac computers). You can then sign drivers and applications using the certificate in Signtool.

However, certificates in the MMC or Keychain are exportable and thus could be exported and used by anyone who gains access to the computer. To protect your code signing certificate, you can export the kernel-mode certificate to a secure location and then remove the certificate from your computer. See Copy Driver Signing Certificates to Other Windows Workstations.

To remove the certificate, click Start > Run and type certmgr.msc. Click Personal > Certificates, then select the certificate and press Delete. You can then sign applications and drivers using the exported .pfx file.
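The following added example (not DigiCert's or Microsoft's own script) ties together the cross-certificate section and the certificate-location choice above: it signs from the Personal store if the certificate is still there, otherwise from the exported .pfx, and then checks the result against the kernel-mode signing policy. All paths are placeholders, and the timestamp URL and SHA-256 digest options are assumptions that do not come from this page.

```powershell
# Added example. All paths below are placeholders; adjust them to your environment.
$SignTool  = 'signtool.exe'                      # from the WDK / Windows SDK, assumed to be on PATH
$CrossCert = 'C:\certs\digicert-cross-cert.crt'  # placeholder: the downloaded cross-certificate
$Driver    = 'C:\build\sample.sys'               # placeholder: driver binary to sign
$PfxFile   = 'E:\keys\kmcs-export.pfx'           # placeholder: exported certificate on removable media
$Timestamp = 'http://timestamp.digicert.com'     # assumption: RFC 3161 timestamp service URL

function Get-SigningCertInStore {
    # Code signing certificates in the current user's Personal store that still hold a private key.
    Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Where-Object HasPrivateKey
}

function Invoke-DriverSign {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $Thumbprint,   # sign with a certificate from the store
        [string] $PfxPath       # or sign with an exported .pfx file
    )
    # /ac adds the cross-certificate to the signature; /tr and /td timestamp it.
    $common = @('/v', '/ac', $CrossCert, '/fd', 'sha256', '/tr', $Timestamp, '/td', 'sha256')
    if ($PfxPath) {
        # Prompt for the password instead of storing it in the script. It is still
        # visible in the signtool process command line while signing runs.
        $secure = Read-Host -AsSecureString "Password for $PfxPath"
        $plain  = [System.Net.NetworkCredential]::new('', $secure).Password
        & $SignTool sign @common /f $PfxPath /p $plain $Path
    } else {
        & $SignTool sign @common /s My /sha1 $Thumbprint $Path
    }
    if ($LASTEXITCODE -ne 0) { throw "signtool sign failed for $Path" }

    # /kp verifies the signature against the kernel-mode driver signing policy.
    & $SignTool verify /kp /v $Path
    if ($LASTEXITCODE -ne 0) { throw "kernel-mode policy verification failed for $Path" }
}

$cert = Get-SigningCertInStore | Select-Object -First 1
if ($cert) {
    Write-Warning "Signing key is still in the store: $($cert.Subject)"
    Invoke-DriverSign -Path $Driver -Thumbprint $cert.Thumbprint
} else {
    Invoke-DriverSign -Path $Driver -PfxPath $PfxFile
}
```

If the warning appears after you have exported and deleted the certificate, the private key is still present in the current user's store and the removal step did not take effect.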

