
Export/Import Kernel Mode Code Signing Certificates in Windows

You can use the DigiCert® Certificate Utility for Windows to export the Kernel Mode Code Signing Certificate that you use to publish drivers for Windows, so that you can install it on additional Windows workstations.

To copy your Code Signing Certificate to another Windows workstation, do the following:

  1. Use the DigiCert Certificate Utility to export your Kernel Mode code signing certificate.

    How to Export Your Kernel Mode Certificate with the DigiCert Utility

  2. Install the Kernel Mode certificate .pfx file on your other Windows workstation.

    How to Install Your Kernel Mode Certificate .pfx File

  3. Use your Kernel Mode code signing certificate to sign your files.

    How to Sign Your Files with Your Kernel Mode Driver Signing Certificate


1. How to Export Your Kernel Mode Certificate with the DigiCert Utility

  1. On the Windows workstation where the code signing certificate is installed in the current user's Windows user account, download and save the DigiCert® Certificate Utility for Windows executable (DigiCertUtil.exe).

  2. Run the DigiCert® Certificate Utility for Windows.

    Double-click DigiCertUtil.

  3. In the DigiCert® Certificate Utility for Windows, click Code Signing (blue and silver shield), select the certificate that you want to export, and then click Export Certificate.

    (Screenshot: DigiCert Util - Kernel Certificate Export)

  4. In the Certificate Export wizard, select Yes, export the private key, select pfx file, check Include all certificates in the certification path if possible, check Include kernel mode driver signing certificate path, and then click Next.

    (Screenshot: DigiCert Utility Kernel Mode Driver Exporting Options)

  5. In the Password and Confirm Password boxes, enter and confirm your password, and then click Next.

    Note: This password is required when you install your Kernel Mode driver signing certificate onto another Windows workstation.

    (Screenshot: DigiCert Utility PFX Password Creation)

  6. In the File name box, click the browse button, select the location where you want to save the .pfx file, provide a file name (for example, yourKernelModeDriverSigningCertificate), click Save, and then click Finish.

    (Screenshot: Save driver signing certificate as a PFX file)

  7. After you receive the "Your certificate has been successfully exported" message, click OK.

    (Screenshot: successfully exported certificate)


2. How to Install Your Kernel Mode Certificate .pfx File

  1. Copy the "yourKernelModeDriverSigningCertificate.pfx" to the new Windows workstation.

  2. Double-click on "yourKernelModeDriverSigningCertificate.pfx".

  3. In the Certificate Import Wizard, on the Welcome page, select Local Machine and then click Next.

    (Screenshot: Windows Certificate Import Wizard, Welcome page)

  4. On the File to Import page, click Browse to locate and select the certificate .pfx file that you want to import, and then click Next.

    (Screenshot: Windows Certificate Import Wizard, File to Import page)

  5. On the Private key protection page, in the Password box, enter the password that you created when you exported your code signing certificate, check Mark this key as exportable and Include all extended properties, and then click Next.

    (Screenshot: Windows Certificate Import Wizard, Private key protection page)

  6. On the Certificate Store page, select Automatically select the certificate store based on the type of certificate and then click Next.

    (Screenshot: Windows Certificate Import Wizard, Certificate Store page)

  7. On the Completing the Certificate Import Wizard page, review the settings and then click Finish.

  8. When you receive the "The import was successful" message, click OK.

  Cross-Certificate

    After you install the kernel signing certificate into the user's account on your workstation, you need to download the DigiCert Cross-Certificate for kernel driver signing.

  Prepare Catalog File for Drivers

    After you install the code signing certificate file and download the Cross-Certificate, you then need to prepare the catalog file for your driver files.

    For instructions on how to prepare the Catalog File, see the Microsoft Kernel Mode Code Signing Walkthrough document.
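The export in section 1 and the import in section 2 can also be scripted with the PowerShell PKI module that ships with Windows. The following is an added example written for this page; it is not DigiCert's or Microsoft's code. It assumes the .pfx file name used in the article, a placeholder subject name ("Organization Name"), and that the import function is run as Administrator on the new workstation. The export options map onto the wizard choices: -ChainOption BuildChain corresponds to "Include all certificates in the certification path if possible", Cert:\LocalMachine\My to "Local Machine", and -Exportable to "Mark this key as exportable".

```powershell
# Added example for this page (not DigiCert's or Microsoft's code).
# Placeholders: $PfxPath, $SubjectMatch. Run Import-KernelSigningPfx as Administrator.

$PfxPath      = 'C:\certs\yourKernelModeDriverSigningCertificate.pfx'   # file name from the article
$SubjectMatch = 'Organization Name'                                      # placeholder subject text

function Export-KernelSigningPfx {
    param(
        [string]$Path,
        [string]$Subject,
        [securestring]$Password
    )
    # -CodeSigningCert keeps only certificates with the Code Signing EKU; we also require a private key,
    # because a certificate without one cannot sign anything on the next machine either.
    $cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.HasPrivateKey -and $_.Subject -like "*$Subject*" } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
    if (-not $cert) { throw "No code signing certificate with a private key matches '$Subject'." }

    # BuildChain = "Include all certificates in the certification path if possible".
    Export-PfxCertificate -Cert $cert -FilePath $Path -Password $Password -ChainOption BuildChain | Out-Null
    return $cert.Thumbprint
}

function Import-KernelSigningPfx {
    param(
        [string]$Path,
        [securestring]$Password,
        [string]$StoreLocation = 'Cert:\LocalMachine\My'   # wizard's "Local Machine" choice
    )
    # -Exportable = "Mark this key as exportable". Drop it if the key should never leave this machine again.
    $imported = Import-PfxCertificate -FilePath $Path -CertStoreLocation $StoreLocation `
        -Password $Password -Exportable

    # The import can succeed yet leave no usable key (e.g. wrong password handling, KSP restrictions);
    # signtool needs the private key, so fail loudly here rather than at signing time.
    if (-not $imported.HasPrivateKey) { throw 'Import succeeded but no private key is attached.' }
    return $imported
}

# Prompt for the PFX password instead of hard-coding it in the script.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# On the source workstation:
$thumb = Export-KernelSigningPfx -Path $PfxPath -Subject $SubjectMatch -Password $pfxPassword
Write-Host "Exported certificate $thumb to $PfxPath"

# On the new workstation, after copying the .pfx file there:
$cert = Import-KernelSigningPfx -Path $PfxPath -Password $pfxPassword
Write-Host "Imported $($cert.Thumbprint); valid until $($cert.NotAfter)"
```

Note that the signtool commands later in this article use /s My, which searches the current user's store by default; if you imported into Cert:\LocalMachine\My as above, add signtool's /sm option (or import into Cert:\CurrentUser\My instead) so the tool finds the certificate.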


3. How to Sign Your Files with Your Kernel Mode Driver Signing Certificate

  1. Open the Command Prompt as an admin.

    For Example:

    1. On the Windows Start screen, type cmd.

    2. Right-click on Command Prompt and then click Run as administrator.

    3. In the User Account Control window, click Yes to allow the program to make changes to the computer.

  2. In the Administrator: Command Prompt window, type one of the following commands:

    Note: Organization Name is the name of the Code Signing Certificate, and "DigiCert High Assurance EV Root CA.crt" is the cross-signed certificate referenced earlier in the instructions (Cross-Certificate).

    To Sign Code with a SHA256 Certificate/Digest Algorithm/Timestamp

    signtool.exe sign /v /ac "DigiCert High Assurance EV Root CA.crt" /s My /n "Organization Name" /tr http://timestamp.digicert.com /td sha256 /fd sha256 "c:\path\to\FileToSign.cat"

    To Sign Code with a SHA1 Certificate/Digest Algorithm/Timestamp

    signtool.exe sign /v /ac "DigiCert High Assurance EV Root CA.crt" /s My /n "Organization Name" /t http://timestamp.digicert.com "c:\path\to\FileToSign.cat"

    For all of the command-line options for using SignTool, please see Microsoft's Signtool Documentation Page.

  3. Congratulations, you should now have a freshly signed driver file.

    DigiCert Certificate Utility

    You can also use the DigiCert® Certificate Utility for Windows to sign your driver files. See Code Signing with the DigiCert® Certificate Utility for Windows.

    When using the utility to sign your driver files, make sure that in the Code Signing window you check Kernel Mode Signing – Check this box if you are signing kernel mode driver.

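Signing is only half of the job: before a driver package ships, the signature should be checked against the kernel-mode driver signing policy, not just the default Authenticode policy. The following added example (written for this page, not DigiCert's or Microsoft's code) wraps the SHA256 signtool command from step 2 in PowerShell and then verifies the result two ways: with signtool verify /kp, and with PowerShell's own Get-AuthenticodeSignature. It assumes signtool.exe from the Windows SDK is on PATH, and uses the same placeholder paths and names as the article.

```powershell
# Added example for this page (not DigiCert's or Microsoft's code).
# Assumes signtool.exe (Windows SDK) is on PATH. Cross-certificate, signer name, target path and
# timestamp URL are taken from the article; adjust them for your environment.

$SignTool   = 'signtool.exe'
$CrossCert  = 'DigiCert High Assurance EV Root CA.crt'   # Cross-Certificate, as in the article
$SignerName = 'Organization Name'                         # placeholder /n value
$Target     = 'c:\path\to\FileToSign.cat'                 # placeholder, as in the article
$TsaUrl     = 'http://timestamp.digicert.com'

function Invoke-KernelModeSign {
    param(
        [string]$Path,
        [switch]$UseMachineStore   # add /sm when the certificate lives in Cert:\LocalMachine\My
    )
    # Same options as the article's SHA256 command: cross-cert, SHA256 file digest, RFC 3161 timestamp.
    $signArgs = @('sign', '/v', '/ac', $CrossCert, '/s', 'My', '/n', $SignerName,
                  '/tr', $TsaUrl, '/td', 'sha256', '/fd', 'sha256')
    if ($UseMachineStore) { $signArgs += '/sm' }
    $signArgs += $Path

    & $SignTool @signArgs
    if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }
}

function Test-KernelModeSignature {
    param([string]$Path)
    # /kp verifies against the kernel-mode driver signing policy (the cross-certificate chain);
    # /tw turns a missing timestamp into a warning in the verbose output.
    & $SignTool verify /v /kp /tw $Path
    $signtoolOk = ($LASTEXITCODE -eq 0)

    # Independent check with PowerShell's Authenticode reader.
    $sig = Get-AuthenticodeSignature -FilePath $Path

    [pscustomobject]@{
        Path             = $Path
        SignToolVerified = $signtoolOk
        Status           = $sig.Status                         # expect 'Valid'
        Signer           = $sig.SignerCertificate.Subject
        Timestamper      = $sig.TimeStamperCertificate.Subject # $null means no timestamp was applied
        CertSigAlgorithm = $sig.SignerCertificate.SignatureAlgorithm.FriendlyName
    }
}

Invoke-KernelModeSign -Path $Target
$report = Test-KernelModeSignature -Path $Target
$report | Format-List
if (-not $report.SignToolVerified -or $report.Status -ne 'Valid') {
    throw 'Signature did not pass kernel-mode policy verification; do not ship this file.'
}
```

A signature that passes the default policy but fails /kp usually means the cross-certificate was not included (the /ac option was omitted or pointed at the wrong file); an empty Timestamper field means the timestamp server could not be reached, and the signature will stop validating once the certificate expires.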

Troubleshooting

You can verify that your certificate was imported correctly using either of the following methods:

1. DigiCert Certificate Utility

After importing your certificate to the Certificate Store, you can verify that it's listed correctly by running the DigiCert® Certificate Utility for Windows on your computer.

In the DigiCert® Certificate Utility for Windows, click Code Signing (blue and silver shield). In the Code Signing Certificates section, you should see your certificate in the list of code signing certificates.

2. Managing your Certificate from the MMC Console

You can also verify the code signing certificate has been installed for the current user by running the Certificate Manager snap-in (certmgr.msc) in the MMC.

To open the Snap-In, go to Start > Run, type certmgr.msc, and press Enter. Expand Personal > Certificates. You should see your Authenticode certificate in the list of certificates.
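The same check can be done from PowerShell, which also reports the two conditions that most often make signtool fail after an export/import: a certificate that arrived without its private key, and a certificate that has expired. The following is an added example written for this page (not DigiCert's or Microsoft's code); it assumes nothing beyond the built-in Certificate provider and looks in both the current user's and the local machine's Personal store, since the import wizard in section 2 targets Local Machine.

```powershell
# Added example for this page (not DigiCert's or Microsoft's code).
# PowerShell equivalent of inspecting Personal > Certificates in certmgr.msc / certlm.msc.

function Get-CodeSigningCertificateReport {
    param(
        [string[]]$StorePaths = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My')
    )
    foreach ($store in $StorePaths) {
        # -CodeSigningCert keeps only certificates whose EKU includes Code Signing (1.3.6.1.5.5.7.3.3).
        Get-ChildItem -Path $store -CodeSigningCert -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                Issuer        = $_.Issuer
                Thumbprint    = $_.Thumbprint
                HasPrivateKey = $_.HasPrivateKey            # $false: the key did not survive export/import
                NotAfter      = $_.NotAfter
                Expired       = ($_.NotAfter -lt (Get-Date))
                ChainBuilds   = $_.Verify()                 # $false: chain/revocation check fails on this machine
            }
        }
    }
}

$report = Get-CodeSigningCertificateReport
$report | Format-Table -AutoSize

# Anything listed here cannot be used for signing and should be re-imported or renewed.
$report | Where-Object { -not $_.HasPrivateKey -or $_.Expired } |
    ForEach-Object { Write-Warning "Unusable: $($_.Subject) in $($_.Store)" }
```

certmgr.msc shows only the current user's stores; a certificate imported with the wizard's Local Machine option appears in certlm.msc (or Cert:\LocalMachine\My above) instead, which is why the report covers both locations.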