
How to Install and Use Your Standard Kernel-Mode Code Signing Certificate

If you would like to learn more about how code signing your code/drivers can benefit you and your company, or if you have not purchased your DigiCert Kernel-Mode Code Signing Certificate, see DigiCert Certificates for Kernel-Mode Code Signing. For EV Code Signing kernel-mode instructions, see Signing Kernel-Mode Drivers with Your EV Code Signing Certificate.

The signing process for a Standard Kernel-Mode Code Signing Certificate consists of four main steps. Depending on how your certificate was issued and where it is installed, you may need all four or only some of them.

  1. Preparing the Standard Code Signing Certificate

  2. Downloading the Code Signing Cross-Certificate

  3. Using Your Standard Kernel-Mode Code Signing Certificate

  4. Deciding the Location for Your Standard Code Signing Certificate

Microsoft Support

Windows 10

On April 1, 2015, Microsoft announced that beginning with the Windows 10 release, all "new" Windows 10 kernel-mode drivers would have to be submitted to the Windows Hardware Developer Center Dashboard portal (Dev Portal) to be digitally signed by Microsoft. However, because of technical and ecosystem readiness issues, Windows Code Integrity did not enforce the requirement at that time, so it remained a policy statement only.

Windows 10 Version 1607

Starting with clean ("new") installations of Windows 10, version 1607, the operating system enforces the previously announced driver signing rules and will not load "new" kernel-mode drivers that the Dev Portal has not signed.

Also, all kernel-mode drivers submitted to the Hardware Dev Center Dashboard must already be signed with an EV Code Signing Certificate before the Dashboard will sign them. See Driver Signing changes in Windows 10, version 1607.

Note: The Operating System driver signing rules do not apply to systems that were upgraded from an earlier version of Windows (e.g., 8.1) to Windows 10, version 1607; these systems are not affected by this requirement change.


SHA-1 Code Signing Certificates

Microsoft plans to support SHA-1 Code Signing Certificates until Jan 1, 2020. Despite that continued support, Microsoft recommends using SHA-256 for the certificate, the file digest algorithm, and the timestamp for all applications.

Microsoft has not yet released a SHA-1 deprecation policy for drivers. Note that Windows 7 cannot verify SHA-256 signed drivers unless the relevant Windows update has been installed. Microsoft states, "To install on Windows 10, 8.1, 8, and 7, your driver package can have a single SHA1 signature... SHA1 deprecation does not apply to drivers." For more information, refer to the Windows Enforcement of Authenticode Code Signing and Timestamping page.

Note: By default, DigiCert Code Signing Certificates are SHA-256. If you need a SHA-1 Code Signing Certificate, you can re-key your certificate from inside your DigiCert account.

 

Preparing the Standard Code Signing Certificate

To sign drivers with your Standard Code Signing Certificate, you must have selected Microsoft Kernel-Mode as the platform when you purchased your certificate. If you did not select Microsoft Kernel-Mode, you need to reissue your certificate and select Microsoft Kernel-Mode as the platform.

Reissuing Your Code Signing Certificate

  1. In your DigiCert account, select the My Orders tab, and then click the Order # for your Code Signing Certificate.

  2. On the Manage Your Code Signing – Order # page, under Reissue Actions, click Re-Key Your Certificate link.

  3. On the Reissue/Re-Key page, do the following, as needed:

    1. Kernel-Mode Code Signing Certificate

      In the Select Your Server Platform drop-down list, select Microsoft Kernel-Mode.

    2. (Optional) Get a SHA-1 Code Signing Certificate

      Click +Advanced Options and then uncheck Use a SHA-2 signature hash algorithm.

  4. In the Reason for Reissue/Re-Key (Optional) box, specify the reason for the certificate reissue.

  5. Click Continue to Next Step.

  6. On the Reissue - Order # page, click Submit Request.

  7. The requestor of the reissued code signing certificate is sent an email with the subject line: Reissue Your DigiCert Code Signing Certificate (Order #).

    The email contains a link that lets you reissue and install your Code Signing Certificate.

Installing Your Kernel-Mode Code Signing Certificate

After you purchase a standard code signing certificate, DigiCert validates your information and sends you an email that contains a link to install your kernel-mode certificate.

  1. On the computer on which you want to install the certificate, open the installation link from your DigiCert email (subject line: Reissue Your DigiCert Code Signing Certificate (Order #)) in Internet Explorer, Chrome, or Safari*.

    When you open the link, the certificate is installed to the current user's personal certificate store for Windows and can be used by the WDK tools for signing drivers.

    *Browser Note: Because the certificate needs to be installed in the operating system's certificate store rather than in a browser's own store, we recommend that you open the link in Internet Explorer, Chrome, or Safari. If you open the link in another browser (like Firefox), the certificate and private key are installed in that browser's store rather than the OS store, and you will then have to export the certificate from the browser before SignTool can use it.

  2. Next, download the DigiCert Code Signing Cross-Certificate.

 

Downloading the Code Signing Cross-Certificate

Before you can use SignTool to sign drivers, you need to download the DigiCert Code Signing Cross-Certificate to the computer where you installed your Code Signing Certificate. You pass this cross-certificate to SignTool (with the /ac option in the commands below) so that the signature chains to a root that Windows kernel-mode code integrity trusts.

Download the DigiCert Code Signing Cross-Certificate (the DigiCert High Assurance EV Root CA cross-certificate file referenced in the SignTool commands below).

 

Using Your Standard Kernel-Mode Code Signing Certificate

For general instructions on using your Standard Kernel-Mode Code Signing Certificate, we recommend that you download and read the Microsoft Kernel-Mode Code Signing Walkthrough document. This document contains in-depth instructions for getting started with kernel-mode code signing, as well as using a kernel-mode certificate to sign drivers and other applications.

Prepare to Sign Code by Installing the Windows SDK

In order to use SignTool.exe to sign your driver, you need to either install Microsoft Visual Studio 2005 (or later), or download and install one of the following versions of the Microsoft Windows SDK on the machine where you will be signing code:

If you have the Windows SDK 6.0 or lower on Windows Vista, you can use the SignTool Digital Signature Wizard GUI. All newer versions of the Windows SDK (7 and later) require you to use the command line instructions below.

Internet Explorer or Chrome for Windows

If you installed your code signing certificate in Internet Explorer or Chrome on a Windows machine, the certificate will be accessible in the Windows Certificate Store.

If you have multiple Code Signing Certificates in your Windows Certificate Store, the /a switch in the commands below tells SignTool to pick "the best" one automatically, which may not be the one you intend. To sign with a specific certificate instead, replace /a with the /sha1 (certificate thumbprint) or /n (subject name) option described in the SignTool documentation.

If you only have one Code Signing Certificate on your machine, do one of the following:

Option 1: How to Sign Code with a SHA-256 Certificate/Digest Algorithm/Timestamp

Important: When using SHA-256 for signing, make sure to use the latest version of SignTool (6.3 or later) to avoid errors.

  1. In the Windows command prompt, enter the command below; modify the file paths to match your cross-certificate and the file(s) you are signing.

    signtool sign /v /ac "C:\path\DigiCert High Assurance EV Root CA.crt" /a /tr http://timestamp.digicert.com /td sha256 /fd sha256 "c:\path\to\FileToSign.cat"
  2. If the process was successful, you will see the following response, indicating that the program has been signed and timestamped:

    c:\Code>signtool sign /v /ac "C:\path\DigiCert High Assurance EV Root CA.crt" /a /tr http://timestamp.digicert.com /td sha256 /fd sha256 "c:\path\to\FileToSign.cat"
    Done Adding Additional Store
    Successfully signed and timestamped: FileToSign.cat

Option 2: How to Sign Code with a SHA-1 Certificate/Digest Algorithm/Timestamp

  1. In the Windows command prompt, enter the command below; modify the file paths to match your cross-certificate and the file(s) you are signing.

    signtool sign /v /ac "C:\path\DigiCert High Assurance EV Root CA.crt" /a /t http://timestamp.digicert.com "c:\path\to\FileToSign.cat"
  2. If the process was successful, you will see the following response, indicating that the program has been signed and timestamped:

    c:\Code>signtool sign /v /ac "C:\path\DigiCert High Assurance EV Root CA.crt" /a /t http://timestamp.digicert.com "c:\path\to\FileToSign.cat"
    Done Adding Additional Store
    Successfully signed and timestamped: FileToSign.cat
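The commands above rely on /a to choose a certificate. As an added example (not part of the original DigiCert article or its instructions), the following PowerShell script selects the certificate explicitly by thumbprint, picks the SHA-256 or SHA-1 SignTool arguments to match the certificate's own signature algorithm, and then runs signtool verify with the kernel-mode driver signing policy so that a bad chain is caught before the driver is shipped. It assumes Windows PowerShell 5.1, signtool.exe from Windows SDK 8.1 (6.3) or later on the PATH, the cross-certificate saved at C:\certs\DigiCert High Assurance EV Root CA.crt, and a placeholder thumbprint that you replace with your own.

```powershell
# Added example, not from the DigiCert article. Signs a driver catalog with one
# specific certificate (by thumbprint) instead of "signtool /a", then verifies
# the result against the kernel-mode driver signing policy.
# Assumptions (change to match your environment):
#   - signtool.exe from Windows SDK 8.1 (6.3) or later is on PATH
#   - the cross-certificate is at C:\certs\DigiCert High Assurance EV Root CA.crt
#   - $Thumbprint below is a placeholder; use your own certificate's thumbprint
param(
    [string]$FileToSign = 'C:\path\to\FileToSign.cat',
    [string]$CrossCert  = 'C:\certs\DigiCert High Assurance EV Root CA.crt',
    [string]$Thumbprint = '0000000000000000000000000000000000000000',  # placeholder
    [string]$Timestamp  = 'http://timestamp.digicert.com'
)

$ErrorActionPreference = 'Stop'

# 1. List every code signing certificate in the current user's Personal store.
#    -CodeSigningCert filters on the Code Signing EKU (1.3.6.1.5.5.7.3.3).
$candidates = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert
$columns = 'Thumbprint', 'Subject', 'NotAfter', 'HasPrivateKey',
           @{ n = 'SigAlg'; e = { $_.SignatureAlgorithm.FriendlyName } }
$candidates | Format-Table $columns -AutoSize

# 2. Pick exactly the one we want and refuse to continue if it is missing,
#    expired, or has no private key (signing would fail later anyway).
$cert = $candidates | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert)                    { throw "No code signing certificate with thumbprint $Thumbprint" }
if (-not $cert.HasPrivateKey)      { throw "Certificate $Thumbprint has no private key in this store" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $Thumbprint expired on $($cert.NotAfter)" }
if (-not (Test-Path $CrossCert))   { throw "Cross-certificate not found: $CrossCert" }

# 3. Match the digest and timestamp arguments to the certificate: a SHA-256
#    certificate gets /fd sha256 with an RFC 3161 (/tr) timestamp, a re-keyed
#    SHA-1 certificate gets the Authenticode (/t) timestamp used in the article.
$isSha1 = $cert.SignatureAlgorithm.FriendlyName -match 'sha1'
$digestArgs = if ($isSha1) { @('/t', $Timestamp) }
              else         { @('/tr', $Timestamp, '/td', 'sha256', '/fd', 'sha256') }

# 4. Sign. /sha1 selects the certificate by thumbprint, so /a is not used.
& signtool.exe sign /v /ac $CrossCert /sha1 $Thumbprint @digestArgs $FileToSign
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# 5. Verify with the kernel-mode driver signing policy (/kp). This checks the
#    chain through the cross-certificate, which a plain "signtool verify" does not.
& signtool.exe verify /kp /v $FileToSign
if ($LASTEXITCODE -ne 0) { throw "signtool verify /kp failed: this driver would not load" }
Write-Host "Signed and verified: $FileToSign"
```

The verify step is the check worth keeping in a build pipeline: a signature that passes the default Authenticode policy but fails /kp is exactly the case where the cross-certificate was omitted or the wrong one was supplied.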

Firefox (or Another Browser) or Operating System

If you installed your Code Signing Certificate in Firefox (or another browser) or another operating system such as Mac OS X, do the following:

  1. Export the certificate as a PKCS#12 (pfx or p12) file.

  2. Once you have the code signing certificate saved as a PKCS#12 on your machine, do one of the following options from a Windows operating system:

    1. Option 1: How to Sign Code with a SHA-256 Certificate/Digest Algorithm/Timestamp

      Important: When using the SHA-256 timestamp or /fd sha256 please make sure the latest version of signtool (6.3 or newer) is used.

      1. Enter the following command; modify the file paths and PFX password to match your environment:

        signtool sign /v /ac "C:\path\DigiCert High Assurance EV Root CA.crt" /tr http://timestamp.digicert.com /td sha256 /fd sha256 /f "c:\path\to\mycert.pfx" /p pfxpassword "c:\path\to\FileToSign.cat"
      2. If the process was successful, you will see the following response, indicating that the program has been signed and timestamped:

        c:\Code>signtool sign /v /ac "C:\path\DigiCert High Assurance EV Root CA.crt" /tr http://timestamp.digicert.com /td sha256 /fd sha256 /f "c:\path\to\mycert.pfx" /p pfxpassword "c:\path\to\FileToSign.cat"
    2. Option 2: How to Sign Code with a SHA-1 Certificate/Digest Algorithm/Timestamp

      1. Enter the following command; modify the file paths and PFX password to match your environment:

        signtool sign /v /ac "C:\path\DigiCert High Assurance EV Root CA.crt" /t http://timestamp.digicert.com /f "c:\path\to\mycert.pfx" /p pfxpassword "c:\path\to\FileToSign.cat"
      2. If the process was successful, you will see the following response, indicating that the program has been signed and timestamped:

        c:\Code>signtool sign /v /ac "C:\path\DigiCert High Assurance EV Root CA.crt" /t http://timestamp.digicert.com /f "c:\path\to\mycert.pfx" /p pfxpassword "c:\path\to\FileToSign.cat"
 

Deciding the Location for Your Standard Code Signing Certificate

If you used Chrome, Internet Explorer, or Safari to download your kernel-mode code signing certificate, it is automatically imported into the Windows certificate store (visible in the MMC Certificates snap-in) or, on a Mac, into Keychain. You can then sign drivers and applications using that certificate in SignTool.

However, the private key imported this way is exportable, so anyone who gains access to the computer or the user account can export the certificate and key and sign code as you. To protect your code signing certificate, export the kernel-mode certificate and its private key to a secure location and then remove both from the computer. See Copy Driver Signing Certificates to Other Windows Workstations.

To remove the certificate, click Start > Run, type certmgr.msc, expand Personal > Certificates, select the code signing certificate, and press Delete. You can then sign applications and drivers from the exported .pfx file using the /f and /p options shown above.
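As an added example (not part of the original DigiCert article), the following PowerShell script performs the export-and-remove procedure described above from the command line: it exports the certificate and private key to a password-protected PKCS#12 file, confirms the exported file actually contains the key before anything is deleted, and then removes the certificate together with its private key container from the current user's Personal store. It assumes Windows PowerShell 5.1, a placeholder thumbprint that you replace with your own, and a PFX destination on removable or otherwise access-controlled storage.

```powershell
# Added example, not from the DigiCert article. Moves the kernel-mode code
# signing certificate and private key off this workstation into a
# password-protected PFX and deletes both from the certificate store.
# Assumptions: $Thumbprint is a placeholder for your certificate's thumbprint;
# $PfxPath points at access-controlled or removable storage.
param(
    [string]$Thumbprint = '0000000000000000000000000000000000000000',  # placeholder
    [string]$PfxPath    = 'E:\secure\kernel-mode-codesign.pfx'
)

$ErrorActionPreference = 'Stop'
$storePath = "Cert:\CurrentUser\My\$Thumbprint"

$cert = Get-Item $storePath
if (-not $cert.HasPrivateKey) { throw "No private key for $Thumbprint in this store; nothing to export" }

# 1. Export certificate + private key as PKCS#12. The password is read
#    interactively so it never lands in shell history or in this script.
#    This step fails if the key was imported as non-exportable.
$password = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $password | Out-Null

# 2. Prove the export is usable before destroying the only other copy:
#    load the PFX into memory (not into the store) and compare thumbprints.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
             -ArgumentList $PfxPath, $password, $flags
if ($check.Thumbprint -ne $cert.Thumbprint -or -not $check.HasPrivateKey) {
    throw "Exported PFX does not contain the expected certificate and private key"
}

# 3. Remove the certificate. -DeleteKey also deletes the private key container;
#    without it the key material would stay behind on disk after the cert is gone.
Remove-Item $storePath -DeleteKey

if (Test-Path $storePath) { throw "Certificate $Thumbprint is still present in the store" }
Write-Host "Exported to $PfxPath and removed $Thumbprint (and its key) from Cert:\CurrentUser\My"
```

After this, signing uses the exported file with the /f and /p options from the Firefox (or Another Browser) section above; the PFX password is then the only thing standing between an attacker with the file and a valid driver signature, so store the file accordingly.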