Cross-Certificate Signing....

  • Question

  • Ok, got my certificate from Certum, and followed the directions to the letter, with one exception. At first, I stopped and contacted Certum, because none of the thumbprints matched. They responded that "Microsoft Cross-Certificate co-operate with this certificate." and sent me to Microsoft. It was at this point that I decided to go ahead and try it anyway. Of course, it doesn't work, with "certificates might be out of date." It's only 3 years old, but I've confirmed that my certificate is from "Certum Trusted Networks CA".

    Ok, I'm not a company. I'm not really that much of a programmer. I took someone else's code, went over it, and made some alterations so it would work in 64-bit mode. I tested it in test mode (not going to stay there, sorry) and it works just fine. Started looking for an option that would fit my budget, considering I'm only using this for my own machine(s).

    So, I'm not sure what's left to do.  I cannot go elsewhere to get a certificate, I'm told what I have will work with the cross-certificate, but I cannot find one that matches.

    Thursday, March 6, 2014 7:39 AM

Answers

  • Two issues...

    1. These certificates do indeed expire, and if yours is 3 years old, it is possibly not good for new signing any longer (and timestamper services should refuse to sign it). Sorry...

    2. The /ac switch should specify Microsoft's cross-certificate file, not your own Certum one!

    Also, as others noticed, signtool works more reliably if your cert is specified as a file (as opposed to a name and a cert store name).

    Good luck,

    -- pa


    Sunday, March 9, 2014 12:49 PM
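    As an added, worked version of the two points in the answer above (it is not code from this thread, nor from Certum or Microsoft): a PowerShell pre-flight that walks the signing certificate's chain to its root, checks that the cross-certificate downloaded from Microsoft really is the cross-certificate for that root (a cross-certificate is issued by Microsoft Code Verification Root to the CA root, so its Subject and public key must equal the root's), and only then runs signtool with the certificate given as a file (/f) and /ac pointing at the Microsoft cross-certificate. The file paths, the cross-certificate file name and the Certum timestamp URL are assumptions; the root thumbprint the script prints is the value to compare against the thumbprint listed next to the CA on Microsoft's cross-certificate page. One caveat for anyone finding this thread later: the cross-certificates Microsoft issued under this program have all expired (the last ones in 2021), and kernel-mode drivers are now signed through the Hardware Dev Center instead, so the procedure below documents the 2014-era route only.

```powershell
# Added example, not from the thread. Assumed paths/URL, adjust to your setup:
$Pfx          = 'C:\signing\mycert.pfx'                       # assumption: the Certum code-signing cert + key
$CrossCertCer = 'C:\signing\MSCV-CertumTrustedNetworkCA.cer'  # assumption: .cer downloaded from Microsoft's cross-cert list
$Target       = 'C:\build\mydriver.sys'                       # assumption: the driver to sign
$TimestampUrl = 'http://time.certum.pl'                       # assumption: Certum's Authenticode timestamp service

$X509 = 'System.Security.Cryptography.X509Certificates'

# Load the PFX once, prompting for its password (kept as a SecureString).
$pw    = Read-Host -AsSecureString 'PFX password'
$cert  = New-Object "$X509.X509Certificate2" ($Pfx, $pw)
$cross = New-Object "$X509.X509Certificate2" ($CrossCertCer)

# 1. The signing certificate must still be valid and carry the Code Signing EKU (1.3.6.1.5.5.7.3.3).
if ($cert.NotAfter -lt (Get-Date)) { throw "Signing certificate expired on $($cert.NotAfter)" }
$eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if (-not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.3' })) {
    throw 'Certificate has no Code Signing EKU; it cannot be used for driver signing'
}

# 2. Build the chain to its root without requiring network revocation checks, and without
#    failing just because the CA root is not (yet) in this machine's Trusted Root store.
$chain = New-Object "$X509.X509Chain"
$chain.ChainPolicy.RevocationMode     = 'NoCheck'
$chain.ChainPolicy.VerificationFlags  = 'AllowUnknownCertificateAuthority'
if (-not $chain.Build($cert)) { throw 'Could not build a certificate chain for the signing certificate' }
$root = @($chain.ChainElements)[-1].Certificate

Write-Host "Chain root  : $($root.Subject)"
Write-Host "Root SHA-1  : $($root.Thumbprint)   (compare with the thumbprint on Microsoft's cross-certificate list)"
Write-Host "Cross-cert  : $($cross.Subject)"
Write-Host "  issued by : $($cross.Issuer)"

# 3. The cross-certificate must be *for this root*: same Subject and same public key.
#    If this fails, signtool /ac will reject the file no matter which store you put it in.
if ($cross.Subject -ne $root.Subject -or
    $cross.GetPublicKeyString() -ne $root.GetPublicKeyString()) {
    throw 'Cross-certificate does not match the root of this chain: wrong cross-cert, or this CA chain is not cross-signed'
}

# 4. Sign: certificate from a file (/f), Microsoft's cross-cert via /ac, and a timestamp so the
#    signature outlives the certificate. /p puts the password on the command line, which anyone
#    who can list processes can read; for shared machines import the PFX and use /sha1 instead.
$bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($pw)
$plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

& signtool.exe sign /v /ac $CrossCertCer /f $Pfx /p $plain /t $TimestampUrl $Target
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# 5. Verify against the *kernel-mode* policy (/kp): the chain must now end in
#    Microsoft Code Verification Root. A plain 'signtool verify' only checks the default policy.
& signtool.exe verify /v /kp $Target
if ($LASTEXITCODE -ne 0) { throw "signtool verify /kp failed with exit code $LASTEXITCODE" }
```

    Run it from a Visual Studio or WDK command prompt so signtool.exe is on the path. The check in step 3 is the one that explains the thumbprint confusion in this thread: the thumbprint Microsoft lists is that of the CA root the cross-certificate was issued for, so if the root your certificate chains to has a different thumbprint, no cross-certificate on the list will work for it, whatever the CA's support desk says.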
  • Do you mean "55 43 55 15 fd d2 48 65 75 fd c5 cf 3b ad 00 c9 13 12 3d 03" as listed here ?

    Then this is a short, well-formulated, easy to answer question to MS or Certum...

    -- pa

    Yes, that's the one I intended to paste (the "62 52..." one is actually an intermediary certificate, a line down from the top). Sorry about that.

    As for the overall issue, got it solved.  Finally got an answer from someone with better English.  It turns out the low-cost certificate I got is "not" compatible with cross-signing.  In their case, I have to get the Microsoft Code Signing certificate ($170).  Well back to searching....

    I still wish MS offered some sort of personal machine certificate.

    • Marked as answer by JoeBunt Thursday, March 13, 2014 2:06 PM
    Thursday, March 13, 2014 2:06 PM

All replies

  • Did you follow the driver signing procedure?


    Ian Bakshan, Sr. Software Engineer at Jungo Connectivity LTD
    WinDriver – Driver Development Tool



    • Edited by Ian Bakshan Thursday, March 6, 2014 7:52 AM
    Thursday, March 6, 2014 7:50 AM
  • Yes, I followed those directions (it's how I got it working in test mode.)  The only difference is that I signed the .sys file directly.  The driver is designed to be a snap in-out type affair from the utility software I'm using.  It won't install through a .inf file.  Everything works just great as long as I'm in test mode.  Looked into getting a certificate, as I stated, so I won't have to go back into test mode to use it.  That's where I'm running into an issue.

    1. Altered the code so it would work on a 64-bit system. It was really just a bit of lazy coding on the part of the "original" writer (it's gone through several). Also read through the code to make sure everything would be ok. A couple of minor tweaks here and there where the coding was a bit cumbersome (probably because of all the different authors it's moved through).

    2. Compiled the code, several times actually, with minor tweaks after each one. Don't like warnings even. During beta development maybe, but I was already happy with it. Had been using it for quite a while on my XP 32-bit OS. Also, was using the VS 2012 (with WDK, before you ask) trial version. I'm used to VS 2008, which is the one I own. If I decide to play with the code any more (and I might, not a big fan of the utility software), I'll be going back to what I know and am comfortable with.

    3. Tried out the software, clicked "install driver" no problem.  Yay, I said, clicked "start service" and that's when I got the certificate warning.

    4. Spent about a day searching the net.  Finally, just to make sure it worked right, signed it with a test certificate, rebooted into test mode, and tried it.  It worked great.  Tried all the features, and pushed it in every way I could think, no problems.  So, I uninstalled it, and rebooted out of test mode.

    5. Got a certificate from Certum after confirming that it "should" work through cross-certificate signing.  I had first wanted to get one that wouldn't require that, but I'm an end user only.  I want it for this one thing for personal use.  I'm not wanting to produce or distribute anything.  I'm also on a fixed income, so my budget had to be maintained as well.

    6. Searched the cross-certificate list, only one there for Certum, and the thumbprint didn't match.

    7. Contacted Certum, and was assured that cross-certificate signing would work just fine, but that I had to get the cross-certificate file from Microsoft.

    8. Went through all the ones on the page, none of the thumbprints matched.  So I downloaded the one labeled Certum.

    9. Followed the directions precisely on installing the test certificate.  Got the message I mentioned above.  This certificate would not exist in the chain (or something like that.)  Did a search on the web, but was unable to find an answer other than others have run into this problem (with several different companies.)  It seems that MS may be slow in updating the list.

    10. Tried contacting MS, but I already blew my budget for the next few months. So, I posted here, hoping to get help.

    Command line actually used to try and sign the driver (below). Got the error message. Tried moving my certificate to other trusted stores (with the same result). Tried re-compiling the .sys file and signing one that hasn't already been signed. Tried signing it with my certificate, then running it again with the CA file. Tried installing the cross-certificate file into multiple stores. Didn't think anything would work with the error I was getting, but it was worth a shot.

    signtool sign /s "My" /n <my certificate> /ac <certum's CA file> /t <certum's timestamp> <driver .sys file>
    Saturday, March 8, 2014 2:08 AM

  • One more thing that you can try is to update root certificates via Windows Update or directly download the latest version from here.

    If this does not work I think that you should contact Certum for support. I don't really understand their answer.


    Ian Bakshan, Sr. Software Engineer at Jungo Connectivity LTD
    WinDriver – Driver Development Tool
    DriverCore – PC USB Drivers


    Sunday, March 9, 2014 11:48 AM
  • I can't see how this certificate can be expired, it is literally weeks old.  Valid from 3/2/14 to 3/2/15.  Only good for a year, but if I can get it up and running, that won't be a problem.  Also, getting it extended isn't that difficult.

    None of the root certificate updates applied (WinXP or literally years old). Tried them anyway, already had later updates or got wrong-system messages. I'll contact Certum again, but I don't think they speak English very well. In all honesty I'm not sure I understand their answer either... Other than contact Microsoft (which was very clear), there was the line "You cannot sign driver in core mode." then "For those purposes you can use Microsoft Cross Signing." followed by "Microsoft cross-certificate cooperate with this certificate." Other than assurances that "it will work," that's the clearest it got :(

    It would be so much easier if MS just put out something that would let it work on "this" system and no other. Maybe I'd have to re-sign it every time I upgraded something, or had a large update, but I could put up with that. The security on a piece of SW I have, for example, is rather annoying at times. I install a game and it says "I'm on a new system," update your code access. Not that much of a problem, a quick phone call, or a visit to a web site, and it's back up, but still a little annoying. Why can't MS do something like that? Here, create your own certificate (maybe like the test certificate). It encodes itself with your HW/SW profile code (or whatever it is that other company does). Then, as long as the codes match (since I manually created it on my own system), it will accept it. If I put it on, say, my sister's computer.... Up pops the invalidated certificate warning (and refusal to install).

    Still, that doesn't help the problem.  How often does MS update the cross certificate list?  Has anyone noticed?  I've only been watching it for a couple of weeks now (which reminds me, I haven't checked it in a few days.)

    Wednesday, March 12, 2014 8:39 AM
  • If you have an MSDN subscription you should have several support tickets available. Otherwise you can open a support ticket for $99 (if I am not mistaken).

    Ian Bakshan, Sr. Software Engineer at Jungo Connectivity LTD
    WinDriver – Driver Development Tool
    DriverCore – PC USB Drivers

    Wednesday, March 12, 2014 9:55 AM
  • Nope, those instructions don't seem to help.  Contacting Certum again.  I really think the issue lies in the thumbprint.  The top entry (Certum) on my certificate has a thumbprint of "62 52 dc 40 f7 11 43 a2 2f de 9e f7 34 8e 06 42 51 b1 81 18" which doesn't exist anywhere in the cross certification list.  The Certum entry in that list has a thumbprint of "62 52 dc 40 f7 11 43 a2 2f de 9e f7 34 8e 06 42 51 b1 81 18".

    Now, either Certum has multiple chains of certificates they issue, or Microsoft hasn't updated the cross-signing certificate with the new key that Certum is using. Either way, it's blocking me from using them to get my driver installed. I can easily believe that Certum has a large number of different chains they issue certificates through. But it seems that the top of the chain would always come back to the same place. Maybe not, though.

    Now, I'm not trying to make a sob story here, but if I could afford to pay $99 to ask a single question, I probably wouldn't be here, I would have just paid the $200 to get a kernel mode certificate in the first place.  I think I stated I'm on a tight budget, and I'm an individual not a company.  I'm on a fixed income of $600 a month, with which I have to pay rent, utilities, groceries, and medications.  Now, I have a lot of free time, but despite what many say, time is not really money.



    • Edited by JoeBunt Wednesday, March 12, 2014 4:25 PM Huge chunk of text just wasn't there after last submission
    Wednesday, March 12, 2014 4:21 PM