Signing Kernel-Mode Drivers for Windows using EV Code Signing or OV Code Signing Certificates

Related Content

Want to keep learning?

Subscribe to SSL.com’s newsletter, stay informed and secure.

Submitting a kernel-mode driver in Windows requires the files to be signed with a Code Signing Certificate. This can be done either using an Extended Validation (EV) Code Signing or an Organization Validation (OV) Code Signing certificate. However you must have a valid EV Code Signing associated with the account. For more info on Kernel-Mode Signing Certificates, read here. First you need to Register for the Windows Hardware Dev Center program, which requires EV Code Signing to complete. Once you have done that, you can use either EV or OV Code Signing to sign your new hardware submissions. This option is not apparent in Microsoft documentation but can be found here, where the following wording appears:
You must have an active EV certificate bound to your company to access submission features in the dashboard. To confirm the certificate that is used to identify your organization within the Partner Center, see Update a code signing certificate. After you sign into the Partner Center and you are ready to sign your submission, you can use either a standard code signing cert or an EV code signing cert. This is true for all operating system versions, not just Windows 10. If you run into issues signing, Please contact support@ssl.com.
Before signing any drivers with your OV Code Signing Certificate, you first need to upload it to the Microsoft Partner Center. To complete this procedure, please follow the instructions provided in this guide. This guide will explain the steps taken in order to sign a new hardware submission with your Code Signing certificate. 
  1. Sign in to your account in Microsoft Partner Center (MPC). You should see this page:
  2. Click on the gear icon on the top right corner to access your account settings:
  3. Select Manage Certificates from the left panel. Then click “Download signable bin file.”You need to sign this file using /fd sha-256. Here you can use either your EV or OV Code Signing certificate.
  4. Drag and drop or browse to the signed file to upload it. Then click Finish.
  5. On the Certificate Management page, the status of your certificate should be “Active”:
  6. Click “Hardware” on the left panel of the Certificate Management page:
  7. Select Drivers and click on the “Submit New Hardware” button:
  8. Give your product a name and upload your package file by dragging and dropping or browsing to the files:
  9. Select the appropriate options regarding the versions of Windows for which you need your driver to apply.
  10. Click Submit at the bottom of the page:
  11. After a while, the package will be prepared:
  12. Check on the status of your driver. From Hardware, go to the Drivers Page and select the private product ID number. You will see a summary of your product, and if all is well, the Submission Status should be “Ready.”
This concludes the procedure of signing a new kernel-mode driver with an EV or OV Code Signing Certificate. If you have further questions, please contact support@ssl.com.

Stay Informed and Secure

SSL.com is a global leader in cybersecurity, PKI and digital certificates. Sign up to receive the latest industry news, tips, and product announcements from SSL.com.

We’d love your feedback

Take our survey and let us know your thoughts on your recent purchase.