How to Install and Use Your Standard Kernel-Mode Code Signing Certificate

To learn more about how code signing your code/drivers can benefit you and your company, see DigiCert Certificates for Kernel-Mode Code Signing. For EV Code Signing kernel-mode instructions, see Signing Kernel-Mode Drivers with Your EV Code Signing Certificate.

The Standard Kernel-Mode Code Signing Certificate signing process consists of four main steps. Depending on how your certificate was issued and where it is installed, you may need to complete all four steps or only one or two of them.

  1. Preparing the Standard Code Signing Certificate

  2. Downloading the Code Signing Cross-Certificate

  3. Using Your Standard Kernel-Mode Code Signing Certificate

  4. Deciding the Location for Your Standard Code Signing Certificate

Microsoft Support

Windows 10

On April 1, 2015, Microsoft announced that beginning with the Windows 10 release, all "new" Windows 10 kernel-mode drivers are required to be submitted to the Windows Hardware Developer Center Dashboard portal (Dev Portal) to be digitally signed by Microsoft. However, because of technical and ecosystem readiness issues, Windows Code Integrity could not enforce the requirement and it remained only a policy statement.

Windows 10 Version 1607

Starting with "new" installations of Windows 10, version 1607, the operating system enforces the previously outlined driver signing rules and will not load "new" kernel-mode drivers that the Dev Portal has not signed.

Also, all kernel-mode drivers submitted to the Hardware Dev Center Dashboard must be signed with an EV Code Signing Certificate before the Hardware Dev Center Dashboard can sign them. See Driver Signing changes in Windows 10, version 1607.

The driver signing rules do not apply to systems that were upgraded from an earlier version of Windows (e.g., 8.1) to Windows 10, version 1607; these systems are not affected by this requirement change.

SHA-1 Code Signing Certificates

Microsoft recommends using the SHA-256 certificate/digest algorithm/timestamp for all applications. To install your driver package on Windows 10, 8.1, 8, and 7, your driver package can have a single SHA-1 signature. Microsoft has deprecated SHA-1 for code signing, so treat a SHA-1 signature as a compatibility measure for systems that lack SHA-2 support (for example, Windows 7 without the SHA-2 code signing update), not as the default.

For Windows 10, you'll need to submit new Windows 10 kernel-mode drivers for digital signing on the Windows Hardware Developer Center Dashboard portal. Note that both kernel-mode and user-mode drivers submitted to the portal must be signed with a valid EV Code Signing certificate.

By default, DigiCert Code Signing Certificates are SHA-256. If you need a SHA-1 Code Signing Certificate, you can re-key your certificate from inside your DigiCert account.

 

Preparing the Standard Code Signing Certificate

To sign drivers with your Standard Code Signing Certificate, you should have selected Microsoft Kernel-Mode as the platform when you purchased your certificate. If you did not select Microsoft Kernel-Mode, you need to reissue your certificate and select Microsoft Kernel-Mode as the platform.

Reissue Your Code Signing Certificate

  1. In your CertCentral account, in the left main menu, click Certificates > Orders.

  2. On the Orders page, click the order number link for the Code Signing certificate you want to reissue.

  3. On the Order details page, in the Certificate Actions dropdown, select Reissue Certificate.

  4. If your account shows the older Manage Your Code Signing – Order # page instead, under Reissue Actions, click the Re-Key Your Certificate link.

  5. Add Your CSR

    Upload or paste your CSR in the Add Your CSR box.

    The Sun Java Platform is the only platform that requires you to submit a CSR with your request; for all other platforms, submitting a CSR is optional.

  6. Signature Hash

    In the dropdown, select a signature hash for the certificate: SHA-256 or SHA-1.

  7. Server Platform

    Select Microsoft Kernel-Mode Code.

  8. Reason for Reissue

    Specify the reason for the certificate reissue.

  9. Click Request Reissue.

  10. If an approval for CS certificate reissue is required, the CS verified contact for the organization is sent an email informing them that they need to approve the certificate reissue request. Once we receive their approval, we'll reissue your Code Signing certificate.

  11. We will send a copy of the reissued CS certificate via email.

    The subject line of the email is Reissue Your DigiCert Code Signing Certificate (Order #). The email contains a link that lets you reissue and install your Code Signing Certificate.

    You can also download a copy of the reissued certificate from your CertCentral account on the CS certificate's Order details page.

Installing Your Kernel-Mode Code Signing Certificate

After you purchase a standard code signing certificate, DigiCert validates your information and sends you an email that contains a link to install your kernel-mode certificate.

  1. On the computer you want to install the certificate to, open the installation link from your DigiCert email (subject line: Reissue Your DigiCert Code Signing Certificate (Order #)) in Internet Explorer or Safari*.

    When you open the link, the certificate is installed to the current user's personal certificate store for Windows and can be used by the WDK tools for signing drivers.

    Browser Note*: Currently, only Microsoft Internet Explorer and Apple Safari support CSR generation needed for code signing certificate installation. If company policy requires the use of Firefox, you can use Firefox ESR or a portable copy of Firefox. For more information, see our knowledge base article Keygen support to be dropped with Firefox 69.

  2. Next, download the DigiCert Code Signing Cross-Certificate.

 

Downloading the Code Signing Cross-Certificate

Before you can use Signtool to sign applications, you need to download the DigiCert Code Signing Cross-Certificate on the computer where you installed your Code Signing Certificate. You will need to specify this certificate in Signtool.

Click here to download the DigiCert Code Signing Cross-Certificate.

 

Using Your Standard Kernel-Mode Code Signing Certificate

For general instructions on using your Standard Kernel-Mode Code Signing Certificate, we recommend that you download and read the Microsoft Kernel-Mode Code Signing Walkthrough document. This document contains in-depth instructions for getting started with kernel-mode code signing, as well as using a kernel-mode certificate to sign drivers and other applications.

Prepare to Sign Code by Installing the Windows SDK

In order to use SignTool.exe to sign your application, you need to either install Microsoft Visual Studio 2005 (or later), or, on the machine where you will be signing code, download and install the Microsoft Windows SDK (SignTool.exe ships with the SDK):

If you have the Windows SDK 6.0 or lower on Windows Vista, you can use the SignTool Digital Signature Wizard GUI interface. All new versions of the Windows SDK (7 and newer) require you to use the command line instructions below.

Internet Explorer for Windows

If you installed your code signing certificate in Internet Explorer on a Windows machine, the certificate will be accessible in the Windows Certificate Store.

If you have multiple Code Signing Certificates in your Windows Certificate Store, the commands in these instructions (which use the /a option) will sign your application with "the best" one, which may not be the correct one. To sign with a specific certificate instead, use the /sha1 option with the certificate's thumbprint, or sign from an exported .pfx file with /f as shown below; see the SignTool documentation for the other selection options.

If you only have one Code Signing Certificate on your machine, do one of the following options:

Option 1: How to Sign Code with a SHA-256 Certificate/Digest Algorithm/Timestamp

When using SHA-256 for signing, make sure to use the latest version of SignTool (6.3 or later) to avoid errors.

  1. In the Windows command prompt, enter the command below; modify the cross-certificate path and the file path to match your files.

    signtool sign /v /ac "C:\path\DigiCert High Assurance EV Root CA.crt" /a /tr http://timestamp.digicert.com /td sha256 /fd sha256 "c:\path\to\FileToSign.cat"
  2. If the process was successful, you will see the following response, indicating that the program has been signed and timestamped:

    c:\Code>signtool sign /v /ac "C:\path\DigiCert High Assurance EV Root CA.crt" /a /tr http://timestamp.digicert.com /td sha256 /fd sha256 "c:\path\to\FileToSign.cat"
    Done Adding Additional Store
    Successfully signed and timestamped: FileToSign.cat

Option 2: How to Sign Code with a SHA-1 Certificate/Digest Algorithm/Timestamp

  1. In the Windows command prompt, enter the command below; modify the cross-certificate path and the file path to match your files.

    signtool sign /v /ac "C:\path\DigiCert High Assurance EV Root CA.crt" /a /t http://timestamp.digicert.com "c:\path\to\FileToSign.cat"
  2. If the process was successful, you will see the following response, indicating that the program has been signed and timestamped:

    c:\Code>signtool sign /v /ac "C:\path\DigiCert High Assurance EV Root CA.crt" /a /t http://timestamp.digicert.com "c:\path\to\FileToSign.cat"
    Done Adding Additional Store
    Successfully signed and timestamped: FileToSign.cat

Firefox (or Another Browser) or Operating System

If you installed your Code Signing Certificate in Firefox (or another browser) or another operating system such as Mac OS X, do the following:

  1. Export the certificate as a PKCS#12 (pfx or p12) file.

  2. Once you have the code signing certificate saved as a PKCS#12 on your machine, do one of the following options from a Windows operating system:

    1. Option 1: How to Sign Code with a SHA-256 Certificate/Digest Algorithm/Timestamp

      When using the SHA-256 timestamp or /fd sha256 please make sure the latest version of signtool (6.3 or newer) is used.

      1. Enter the following command; modify the cross-certificate path, the .pfx path and password, and the file path to match your files:

        signtool sign /v /ac "C:\path\DigiCert High Assurance EV Root CA.crt" /tr http://timestamp.digicert.com /td sha256 /fd sha256 /f "c:\path\to\mycert.pfx" /p pfxpassword "c:\path\to\FileToSign.cat"
      2. If the process was successful, you will see the following response, indicating that the program has been signed and timestamped:

        c:\Code>signtool sign /v /ac "C:\path\DigiCert High Assurance EV Root CA.crt" /tr http://timestamp.digicert.com /td sha256 /fd sha256 /f "c:\path\to\mycert.pfx" /p pfxpassword "c:\path\to\FileToSign.cat"
        Done Adding Additional Store
        Successfully signed and timestamped: FileToSign.cat
    2. Option 2: How to Sign Code with a SHA-1 Certificate/Digest Algorithm/Timestamp

      1. Enter the following command; modify the cross-certificate path, the .pfx path and password, and the file path to match your files:

        signtool sign /v /ac "C:\path\DigiCert High Assurance EV Root CA.crt" /t http://timestamp.digicert.com /f "c:\path\to\mycert.pfx" /p pfxpassword "c:\path\to\FileToSign.cat"
      2. If the process was successful, you will see the following response, indicating that the program has been signed and timestamped:

        c:\Code>signtool sign /v /ac "C:\path\DigiCert High Assurance EV Root CA.crt" /t http://timestamp.digicert.com /f "c:\path\to\mycert.pfx" /p pfxpassword "c:\path\to\FileToSign.cat"
        Done Adding Additional Store
        Successfully signed and timestamped: FileToSign.cat
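The following PowerShell script is an added example that is not part of the DigiCert instructions above. It wraps the same signtool commands from both the certificate-store option and the .pfx option, but pins the signing certificate explicitly (by thumbprint with /sha1, or by .pfx file with /f) instead of letting /a pick one, and then runs signtool verify with /kp, which checks the file against the kernel-mode driver signing policy rather than the default Authenticode policy. It assumes signtool.exe from the Windows SDK is on the PATH; the cross-certificate path, file names and the timestamp URL are parameters you adjust.

```powershell
# Added example (not DigiCert's or Microsoft's code): sign a driver file with a
# specific code signing certificate and verify it under the kernel-mode policy.
# Assumes signtool.exe (Windows SDK) is on PATH. Paths below are placeholders.
param(
    [Parameter(Mandatory)] [string] $FileToSign,              # e.g. C:\build\MyDriver.cat
    [string] $CrossCert   = "C:\certs\DigiCert High Assurance EV Root CA.crt",
    [string] $Thumbprint,                                      # SHA-1 thumbprint of a cert in Cert:\CurrentUser\My
    [string] $PfxPath,                                         # or: path to an exported .pfx
    [string] $TimestampUrl = "http://timestamp.digicert.com",
    [switch] $Sha1                                             # legacy SHA-1 signature/timestamp instead of SHA-256
)

function Get-CandidateSigningCert {
    # Lists code signing certificates with a private key in the user store, so a
    # thumbprint can be chosen deliberately rather than relying on signtool's /a.
    Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.HasPrivateKey } |
        Select-Object Thumbprint, Subject, NotAfter,
            @{ Name = 'SigAlg'; Expression = { $_.SignatureAlgorithm.FriendlyName } }
}

if (-not $Thumbprint -and -not $PfxPath) {
    Write-Host "No certificate selected. Candidates in Cert:\CurrentUser\My:"
    Get-CandidateSigningCert | Format-Table -AutoSize
    exit 1
}
if (-not (Test-Path $CrossCert)) { throw "Cross-certificate not found: $CrossCert" }

# /ac adds the DigiCert cross-certificate to the signature's chain; without it the
# chain does not reach the Microsoft root that kernel-mode code integrity trusts.
$signArgs = @('sign', '/v', '/ac', $CrossCert)
if ($PfxPath) {
    # signtool only accepts the PFX password on the command line (/p), so it is
    # briefly visible in the process list; prompt for it instead of hard-coding it.
    $secure = Read-Host -Prompt "PFX password" -AsSecureString
    $bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    $plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    $signArgs += @('/f', $PfxPath, '/p', $plain)
} else {
    $signArgs += @('/sha1', $Thumbprint)   # pin exactly one certificate by thumbprint
}
if ($Sha1) {
    $signArgs += @('/t', $TimestampUrl)    # /t = legacy Authenticode timestamp, SHA-1 digest
} else {
    $signArgs += @('/tr', $TimestampUrl, '/td', 'sha256', '/fd', 'sha256')   # RFC 3161 timestamp, SHA-256 digest
}
$signArgs += $FileToSign

& signtool.exe @signArgs
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed (exit code $LASTEXITCODE)" }

# /kp verifies against the kernel-mode driver signing policy, which is the check
# that matters for a driver; 'signtool verify /pa' alone can pass for a file the
# kernel will still refuse to load.
& signtool.exe verify /v /kp $FileToSign
if ($LASTEXITCODE -ne 0) { throw "kernel-mode policy verification failed for $FileToSign" }
Write-Host "Signed and verified under the kernel-mode policy: $FileToSign"
```

Run it with either `-Thumbprint <hash>` for a certificate in the user store or `-PfxPath <file>` for an exported certificate, and add `-Sha1` only when you need the legacy SHA-1 signature from Option 2. If neither selector is given, the script lists the usable certificates so you can pick one explicitly.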
 

Deciding the Location for Your Standard Code Signing Certificate

If you used Internet Explorer or Safari to download your kernel-mode code signing certificate, it is automatically imported into the Windows certificate store (viewable in the MMC Certificates snap-in) or, on Mac computers, into Keychain. You can then sign drivers and applications using the certificate in Signtool.

However, the private key created by the browser installation is marked exportable, so the certificate and key could be exported and used by anyone who gains access to the computer or the user account. To protect your code signing certificate, you can export the kernel-mode certificate to a password-protected PKCS#12 (.pfx) file kept in a secure location and then remove the certificate from your computer. See Copy Driver Signing Certificates to Other Windows Workstations. Keep in mind that the exported .pfx file is then the credential: anyone with the file and its password can sign drivers as you, so store it offline and limit who can read it.

To remove the certificate, click Start > Run and type certmgr.msc. Click Personal > Certificates, then select the code signing certificate and press Delete. You can then sign applications and drivers using the exported .pfx file.
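The following PowerShell script is an added example that is not part of the DigiCert instructions; it performs the export-then-remove procedure described above from the command line. It assumes you supply your certificate's thumbprint, that the private key is exportable (which is the case for keys generated through the browser installation link), and that the destination path is on media you control, such as an encrypted or removable drive.

```powershell
# Added example (not DigiCert's code): export a kernel-mode code signing certificate
# and its private key to a password-protected .pfx, confirm the export, and only
# then remove the certificate and key from the user's certificate store.
# Assumes the thumbprint and destination path are replaced with your own values.
param(
    [Parameter(Mandatory)] [string] $Thumbprint,   # thumbprint shown in certmgr.msc for the certificate
    [Parameter(Mandatory)] [string] $PfxPath       # e.g. E:\secure\kernel-mode-codesign.pfx
)

$storePath = "Cert:\CurrentUser\My\$Thumbprint"
if (-not (Test-Path $storePath)) { throw "No certificate with thumbprint $Thumbprint in Cert:\CurrentUser\My" }
$cert = Get-Item $storePath
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key in this store; nothing to export" }
if (Test-Path $PfxPath) { throw "Refusing to overwrite existing file $PfxPath" }

# Password-protect the PFX; the password is the only thing standing between the
# file and anyone who can read it, so choose it accordingly.
$password = Read-Host -Prompt "Password to protect the PFX" -AsSecureString

# Export the certificate with its chain so that the cross-certificate step is the
# only extra input signtool needs on another workstation.
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $password -ChainOption BuildChain | Out-Null

# Verify the file round-trips before deleting the only copy of the key in the store.
$pfx = Get-PfxData -FilePath $PfxPath -Password $password
if ($pfx.EndEntityCertificates[0].Thumbprint -ne $cert.Thumbprint) {
    Remove-Item $PfxPath -ErrorAction SilentlyContinue
    throw "Exported file does not contain certificate $Thumbprint; store entry left untouched"
}

# -DeleteKey removes the private key from the key container as well as the
# certificate entry; without it the key material would remain on the machine.
Remove-Item -Path $storePath -DeleteKey
Write-Host "Exported $Thumbprint to $PfxPath and removed it from Cert:\CurrentUser\My"
```

After this the .pfx file is what you pass to signtool with /f (and its password with /p), as in the Firefox/other-OS signing options above. Remove-Item and Export-PfxCertificate work on the same store that certmgr.msc displays under Personal > Certificates, so the result is the same as the manual deletion described in the text.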