Using private CA for signing drivers

  • Question

  • I'm creating a Windows 7 64-bit driver for hardware that is only available in a private community.  This hardware or driver will never be available to the general public.  I currently sign the driver with a code signing certificate that is signed by my private CA.  I've put the certificates in the trusted CAs and trusted publishers certificate stores.  Yet, it seems I can't load the driver without having TESTSIGNING turned ON using BCDEDIT.

    I don't want to deliver the driver to this private community requiring them to turn test signing on.  Do I need to have my code signing certificate issued by a public CA like Thawte? 

    Must the code be timestamped as well by a public service?  How can this be done in a closed environment without Internet access?

    I don't understand how private / enterprise CAs have any utility if this is not possible.

    Thanks in advance for replying...

    Wednesday, July 3, 2013 3:37 PM

All replies

  • >> I've put the certificates in the trusted CAs and trusted publishers certificate stores. 

    When you add the Certificates snapin to MMC did you choose the "computer account"?  The certificates need to be there, not under a user account.

    When you installed the driver kit is there any warning that the kit is not signed?

    Also try opening the .cat certificate and see if the Certification Path is okay.  

    The time stamping is needed if you might ever revoke the certificate.  The time stamp also prevents the kit's signature from expiring when the signing certificate expires, so you really should time stamp the digital signature.  There are instructions on setting up a local time server on MSDN.

    Good luck!  Jim 

    Wednesday, July 3, 2013 4:03 PM
  • When I install the driver I get a messagebox asking if it's OK to install the driver from the publisher I signed it with.  In fact there's a checkbox asking if I'd like to trust everything from that certificate.

    It definitely recognizes I signed the driver with my code signing cert that I signed with the self-signed CA cert I created.

    The .cat file looks fine.  All of the certificates are 'OK'.

    That's good, I can set up a local time server.

    The certificates are indeed in the 'computer' account.

    Should I expect to be able to sign a 64 bit kernel-mode driver with my own certificate from my private CA?  I've seen rumblings that I'd need a cross certificate from Microsoft for my CA and it doesn't suffice to simply trust a private CA chain when loading a kernel driver.

    Thanks, Rich

    Wednesday, July 3, 2013 8:12 PM
  • From what I've found, the signtool.exe in WDK 7 and VS2012+WDK8 automatically creates the needed cross-certificate chain on a .sys driver.  You can verify the driver's kernel-mode code signing with the following command.  (I used a "VS2012 x64 Native Tools Command Prompt" command window)

    signtool verify /v /kp "driver.sys"

    It will show the "Cross Certificate Chain" if it is present.  The "Microsoft Code Verification Root" certificate is not visible in certmgr on my desktop system, but signtool reports the driver as successfully verified.  I think the "Microsoft Code Verification Root" certificate is kept somewhere other than the certificate store so that the boot loader can access it.

    The kernel-mode code signing is a separate step from the signing of the driver kit using the .cat file. If you are building with VS2012 you have to sign both the driver project and the Package project.  What tools are you using to build and sign the driver with?

    Cheers,  Jim

    Wednesday, July 3, 2013 8:47 PM
  • I've been using VS 2008 and WDK 7.1.1

    C:\WinDDK\7600.16385.1\src\fort\objfre_win7_amd64\amd64>signtool verify /v /kp "fort.sys"

    Verifying: Fort.sys
    Hash of file (sha1): 07EFCDDB2936E5F86958C829945CD2AD55F9126C

    Signing Certificate Chain:
        Issued to: My_CA
        Issued by: My_CA
        Expires:   Sat Dec 31 19:59:59 2039
        SHA1 hash: E28CF77AC380B4767ECAB708F0357574E9CFB080

            Issued to: My_SPC
            Issued by: My_CA
            Expires:   Sat Dec 31 19:59:59 2039
            SHA1 hash: 65C997B1A6560A625C32CA64250EC6D0D93C9C98

    The signature is timestamped: Tue Jul 02 11:02:39 2013
    Timestamp Verified by:
        Issued to: Thawte Timestamping CA
        Issued by: Thawte Timestamping CA
        Expires:   Thu Dec 31 19:59:59 2020
        SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656

            Issued to: Symantec Time Stamping Services CA - G2
            Issued by: Thawte Timestamping CA
            Expires:   Wed Dec 30 19:59:59 2020
            SHA1 hash: 6C07453FFDDA08B83707C09B82FB3D15F35336B1

                Issued to: Symantec Time Stamping Services Signer - G4
                Issued by: Symantec Time Stamping Services CA - G2
                Expires:   Tue Dec 29 19:59:59 2020
                SHA1 hash: 65439929B67973EB192D6FF243E6767ADF0834E4

    SignTool Error: Signing Cert does not chain to a Microsoft Root Cert.

    Number of files successfully Verified: 0
    Number of warnings: 0
    Number of errors: 1


    As you can see it complains about not chaining to a Microsoft Root Cert.  Did you use a private CA to create your code signing cert, or did you use a code signing certificate that was purchased from a Microsoft-recognized CA?

    Thanks,  you've been very helpful.

    Tuesday, July 16, 2013 2:40 PM
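Added example, not part of the thread: a small Python release gate that parses the `signtool verify /v /kp` output of the kind posted above and lists everything that would stop the driver from being delivered as a kernel-mode package. The `Signing Certificate Chain:` and `Timestamp Verified by:` headings and the `Issued to` / `Issued by` / `Expires` / `SHA1 hash` layout are taken from the posted output; the `Cross Certificate Chain:` heading comes from Jim's description of what signtool prints when a cross-certificate is present, and the rule that the relevant Microsoft root has "Microsoft" in its name is an assumption based on the "Microsoft Code Verification Root" he mentions. The embedded sample is the posted output, abridged.

```python
# Added example, not from the thread: a release gate that parses the output of
# `signtool verify /v /kp driver.sys` (format as shown in the thread) and lists
# what would stop the driver from loading on Windows 7 x64 without test signing.
import re

# Constructed sample: the signtool output posted in the thread, abridged.
SAMPLE_OUTPUT = """\
Verifying: Fort.sys

Signing Certificate Chain:
    Issued to: My_CA
    Issued by: My_CA
    Expires:   Sat Dec 31 19:59:59 2039
    SHA1 hash: E28CF77AC380B4767ECAB708F0357574E9CFB080

        Issued to: My_SPC
        Issued by: My_CA
        Expires:   Sat Dec 31 19:59:59 2039
        SHA1 hash: 65C997B1A6560A625C32CA64250EC6D0D93C9C98

The signature is timestamped: Tue Jul 02 11:02:39 2013
Timestamp Verified by:
    Issued to: Thawte Timestamping CA
    Issued by: Thawte Timestamping CA
    Expires:   Thu Dec 31 19:59:59 2020
    SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656

        Issued to: Symantec Time Stamping Services CA - G2
        Issued by: Thawte Timestamping CA
        Expires:   Wed Dec 30 19:59:59 2020
        SHA1 hash: 6C07453FFDDA08B83707C09B82FB3D15F35336B1

            Issued to: Symantec Time Stamping Services Signer - G4
            Issued by: Symantec Time Stamping Services CA - G2
            Expires:   Tue Dec 29 19:59:59 2020
            SHA1 hash: 65439929B67973EB192D6FF243E6767ADF0834E4

SignTool Error: Signing Cert does not chain to a Microsoft Root Cert.
"""

CHAIN_HEADINGS = {
    "Signing Certificate Chain:": "signing",
    "Cross Certificate Chain:": "cross",   # heading per Jim's post; assumed exact text
    "Timestamp Verified by:": "timestamp",
}
FIELD_RE = re.compile(r"^(Issued to|Issued by|Expires|SHA1 hash):\s*(.+)$")


def parse_signtool_verify(text):
    """Turn the verbose signtool output into certificate chains, timestamp and errors."""
    report = {"chains": {"signing": [], "cross": [], "timestamp": []},
              "timestamped_at": None, "errors": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in CHAIN_HEADINGS:
            section = CHAIN_HEADINGS[line]
        elif line.startswith("The signature is timestamped: "):
            report["timestamped_at"] = line.split(": ", 1)[1]
        elif line.startswith("SignTool Error: "):
            report["errors"].append(line[len("SignTool Error: "):])
        else:
            m = FIELD_RE.match(line)
            if m and section:
                key, value = m.group(1), m.group(2).strip()
                if key == "Issued to":          # every certificate entry starts here
                    report["chains"][section].append({})
                report["chains"][section][-1][key] = value
    return report


def chain_root(chain):
    """The root is the entry that issued itself; signtool lists it first."""
    for entry in chain:
        if entry.get("Issued to") == entry.get("Issued by"):
            return entry["Issued to"]
    return None


def assess(report):
    """Findings that block delivery; an empty list means the driver passes the gate."""
    findings = list(report["errors"])
    roots = [chain_root(report["chains"][k]) for k in ("signing", "cross")]
    # Assumption: the Microsoft root that kernel-mode signing must reach has
    # "Microsoft" in its name (the thread names "Microsoft Code Verification Root").
    if not any(r and "Microsoft" in r for r in roots):
        findings.append("no chain (signing or cross) ends in a Microsoft root; "
                        "a private-CA-only chain only loads with test signing on")
    if report["timestamped_at"] is None:
        findings.append("signature is not timestamped; it will stop verifying "
                        "when the signing certificate expires")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_signtool_verify(SAMPLE_OUTPUT)):
        print("BLOCKED:", finding)
```

In a build pipeline, feed the real output (`signtool verify /v /kp driver.sys > verify.txt`) to `parse_signtool_verify` and fail the build whenever `assess` returns anything; on the posted output it reports the missing Microsoft root twice (once as signtool's own error, once from the chain check), while a driver signed in a closed environment without a local time-stamp server would additionally trip the timestamp finding.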