SSL.com

FAQ: Kernel-Mode Code Signing Certificates

Many of SSL.com’s customers have questions about code signing in Windows, especially in regard to signing kernel-mode drivers. This FAQ answers common questions developers may have about kernel-mode code signing in Windows.

What kind of code signing certificate do I need to sign kernel-mode drivers in Windows 10?

An EV code signing certificate is required for kernel-mode code signing in Windows 10. For more information on code signing certificate validation levels and applications, please refer to our FAQ, Which Code Signing Certificate do I Need? EV or OV?

An OV code signing certificate can be used for signing with Windows Authenticode. For an EV code signing certificate to be used, it must be currently valid and associated with the Microsoft Developer program account.

How do I sign kernel-mode drivers in Windows 10?

After acquiring an EV code signing certificate, your organization must register with the Windows Hardware Dev Center program. After you sign your driver with your EV certificate, it must be submitted for signing by Microsoft through the Hardware Dev Center. For complete information, please refer to Microsoft’s documentation:
Get started with the hardware dashboard program
Register for the Hardware Program
Hardware Submissions
Attestation signing a kernel driver for public release

How can I test a kernel-mode driver before release?

There are several options for developers who need to install and test their driver before it is signed for release by Microsoft:

Disable KernelMode Checks: Microsoft provides detailed instructions for disabling signature checks on kernel-mode drivers during development and testing.

Test Signing: You can have Microsoft test-sign your driver package by checking Perform test-signing for Win10 and above or Perform test-signing for OS below Win10 (legacy) in the hardware submission wizard. The test-signed file does not require HLK testing by Microsoft, and may only be run on test machines. Please see Microsoft’s hardware submission documentation for details on test signing.

test signing options

• Flight Signing: Flight-signed drivers are signed with a Microsoft Developer Test certificate that is trusted on “insider” builds of Windows 10 RS2 and above. You can flight sign your driver by checking Perform flight signing only during the hardware submission process. Please see Microsoft’s hardware submission documentation for details on flight signing.

Do I need an EV code signing certificate to sign user-mode drivers in Windows 10 too?

Yes. According to Microsoft’s documentation on Signing a Driver for Public Release, “Starting in Windows 10, you also need to submit any new Windows 10 kernel mode driver for digital signing on the Windows Hardware Developer Center Dashboard portal. Both kernel and user mode driver submissions must have a valid Extended Validation (“EV”) Code Signing Certificate.”

Users can sign code with eSigner’s Extended Validation Code Signing capability. Click below for more info.

LEARN MORE

Thank you for choosing SSL.com! If you have any questions, please contact us by email at Support@SSL.com, call 1-877-SSL-SECURE, or just click the chat link at the bottom right of this page. You can also find answers to many common support questions in our knowledgebase.
Exit mobile version