none
Getting proper certificate chain RRS feed

  • Question

  • I received an open source code signing certificate from Certum.eu and am trying to sign a simple driver I made. The certificate chain goes CertumCA -> Certum Level III CA -> Me. I understand that since it does not chain up to Microsoft Root Cert, I need a cross certificate to link "CertumCA" to Microsoft Root CA?

    I went here (https://msdn.microsoft.com/en-us/library/windows/hardware/dn170454(v=vs.85).aspx) and downloaded the Certum Trusted Network CA however, it links "Microsoft Code Verification Root" to "Certum Trusted Network CA" which doesnt look like it will link to my chain. Further, it says "Windows does not have enough information to verify this certificate."

    I went to Certums site, https://www.certum.eu/certum/cert,expertise_root_certificates.xml, and downloaded their "Certum Certification Authority" certificate. While I was able to cross sign my driver.sys with that, I looked and it only Links "Certum CA" to "Certum CA" which still does not link to Microsoft Root CA. 

    Any advice? Thank you

    Here is what I was using:

    signtool sign /v /a /ac CA.crt /f MyPfx.pfx /p -=PASSWORD=- /tr http://timestamp.golbalsign.com/scripts/timestamp.dll MyDriver.sys

    CA.crt is the Certum Certification Authority I downloaded from the Certum website. However, the signtool verify /v /kp MyDriver.sys is where I get the error saying the chain doesnt link to a Microsoft Root Cert.

    Thursday, May 7, 2015 9:07 PM

Answers