The short story is recent VeriSign code signing cert renewals (late 2010 ? 2011) have an invalid certificate chain when used with the Microsoft Cross cert.
In 2010 VeriSign sent several emails warning about their upgrade to 2048-bit keys. 2048 bit keys will not be enforced until 2013, and there was not supposed to be any impact. As part of this change, VeriSign updated several certs in the signing certificate chain. This may cause problems for anyone that signs a 64 bit driver.
In late December 2010 I renewed my company’s code signing certificate with VeriSign. I downloaded the new cert, and exported the pfx file per the instructions on VeriSign’s website:
I deleted the old cert from our signing system and installed the new cert by double clicking on the pfx file and taking the defaults. This is the same process we have used every year after renewing our cert. Imagine my surprise when drivers from the first build we signed with the new cert would not load under W2k8 x64.
It required several support calls and an escalation with VeriSign to figure out what happened. It turns out the dates in the Cross Certificate Chain are in the wrong order, with the Microsoft cross cert expiring in 2016, which is before the new VeriSign intermediate cert that expires in 2020.
To resolve this problem VeriSign released an ?alternative? intermediate cert. There is a rather poorly written Knowledge base article that explains the black magic procedure to fix your certificate store:
Solution ID: SO16565
https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=SO16565&actp=search&viewlocale=en_US
The alternative cert can be downloaded from:
Solution SO16565 omits a lot of steps, and contains a major error in step 3. To verify embedded kernel mode driver signatures you must use the ?/kp? option for ?signtool verify?, not the ?/pa? option as documented in the solution. If you use ‘/pa’ as documented, verify succeeds even though your 64 bit driver will not load.
Note that VeriSign blames this problem on Microsoft because Microsoft did not release a new cross cert. The VeriSign alternative intermediate cert has an expiration date of 2014, which comes after Microsoft?s expiration date of 2016. This fixes the cross certificate chain.
I hope this post saves others some time an pain.
David Schwartz