04 Feb 18 03:44
Windows 7 X64 Driver Signing Certificate Problem
On Feb 4, 2018, at 12:00 AM, Dvir A firstname.lastname@example.org wrote:
> I have a SafeNet token that contains 2 certificates (which the private key is
> not exported), one is sha256 EV code certificate and the other is sha1 EV code

Who are the certificates from?

> I signed my drivers using sign tool
> Signtool sign /v /s my /n "my_company" /sha1 my_sha256_hash /t
> When I tried to load the driver, I got an error that said that the system cannot
> find the file specified.

How did you load the driver, and where did you see this error? That's not an
error that you would see with any driver loading method I know.

The biggest problem is that you have not specified the "cross certificate". In
addition to your certificate, kernel drivers have to be signed with a "cross
certificate" that verifies that your certificate authority is trusted by
Microsoft. Here is the list of certificate authorities Microsoft supports and
the downloadable cross certificate:

> When I run sign tool verify my driver.sys I got the following error: SignTool
> Error: A certificate chain processed, but terminated in a root certificate which
> is not trusted by the trust provider.

For kernel drivers, you need to use the "/kp" switch to do kernel checking. If
you do not see the "Microsoft Code Signing Authority" in the list, then you have
done it incorrectly.

> I tried to sign my cat file as well with my associated binaries but still no
> luck with that.

You will definitely need to sign the CAT file. Signing the binary is optional,
although it makes debugging easier.

> I've read that there's a program called WHQL which in the end process
> Microsoft gives me my "good" signed drivers, is it only for Windows Update
> distribution? or is it not necessary to run my driver in Windows 7 x64 and

It's hard to imagine you have written a driver and prepared a driver package and
aren't familiar with WHQL.

Yes, if you run your driver through the WHQL testing process, Microsoft will
sign the package. That CAN lead to Windows Update distribution, but only if you
want it to. It is not necessary for loading a driver in Windows 7. The
situation changes a bit in Windows 10, but get past the first steps before we
talk about that.
Tim Roberts, email@example.com
Providenza & Boekelheide, Inc.
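
The signing and checking steps discussed in this message, as an added example that is not part of the original post: sign the CAT (required) and the binary (optional) with a cross certificate via `/ac`, then verify with `/kp`. The file paths, the cross-certificate file, the thumbprint and the timestamp URL are placeholders to replace with your own values.

```powershell
# Added example, not from the original thread. All values below are placeholders.
$SignTool   = 'signtool.exe'                        # assumed to be on PATH (WDK/SDK)
$CrossCert  = 'C:\certs\<your-CA-cross-cert>.cer'   # cross certificate from your CA's entry in Microsoft's list
$Subject    = 'my_company'                          # subject name, as in the post
$Thumbprint = '<thumbprint-of-signing-cert>'        # picks one cert when the token holds two
$Timestamp  = '<timestamp-server-url>'              # your CA's timestamp service
$Catalog    = '.\driver.cat'
$Binary     = '.\driver.sys'

function Invoke-SignTool {
    param([string[]]$Arguments)
    & $SignTool @Arguments
    # signtool exit codes: 0 = success, 1 = failure, 2 = completed with warnings
    if ($LASTEXITCODE -ne 0) {
        throw "signtool $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# 1. Sign the catalog (required) and the binary (optional, helps debugging).
#    /ac adds the cross certificate to the signature block.
foreach ($file in @($Catalog, $Binary)) {
    Invoke-SignTool @('sign', '/v', '/ac', $CrossCert, '/s', 'my',
                      '/n', $Subject, '/sha1', $Thumbprint, '/t', $Timestamp, $file)
}

# 2. Verify with the kernel-mode driver signing policy (/kp), not the default policy.
foreach ($file in @($Catalog, $Binary)) {
    Invoke-SignTool @('verify', '/kp', '/v', $file)
}

# 3. Confirm the binary is covered by the signed catalog (/c names the catalog file).
Invoke-SignTool @('verify', '/kp', '/v', '/c', $Catalog, $Binary)
```

Read the verbose output of the `/kp` verification as well as the exit code: it prints the certificate chain that the kernel policy check used.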