Driver Problems? Questions? Issues?
Put OSR's experience to work for you! Contact us for assistance with:
  • Creating the right design for your requirements
  • Reviewing your existing driver code
  • Analyzing driver reliability/performance issues
  • Custom training mixed with consulting and focused directly on your specific areas of interest/concern.
Check us out. OSR, the Windows driver experts.

Monthly Seminars at OSR Headquarters

East Coast USA
Windows Internals and SW Drivers, Dulles (Sterling) VA, 13 November 2017

Kernel Debugging & Crash Analysis for Windows, Nashua (Amherst) NH, 4 December 2017

Writing WDF Drivers I: Core Concepts, Nashua (Amherst) NH, 8 January 2018

WDF Drivers II: Advanced Implementation Techniques, Nashua (Amherst) NH, 15 January 2018


Go Back   OSR Online Lists > ntdev
Welcome, Guest
You must login to post to this list
  Message 1 of 9  
22 Nov 17 14:32
George Bittencourt
xxxxxx@georgeluiz.com
Join Date: 22 Nov 2017
Posts To This List: 2
EV Certificate

Hello, I am about to buy an EV certificate to sign a kernel-mode driver I have to run on Windows 10 with Secure Boot enabled. From this web site https://docs.microsoft.com/pt-br/windows-hardware/drivers/dashboard/update-a-code -signing-certificate I see I can buy this certificate from these CAs: DigiCert, Entrust, GlobalSign and Symantec. But from this web site https://sysdev.microsoft.com/pt-BR/hardware/signup/ I see I can only buy from Symantec and DigiCert. Does anyone know from what CAs I am able to buy the certificate? I already sent an e-mail to Microsoft but got no answer from them. Thanks, -- -George --
  Message 2 of 9  
22 Nov 17 15:01
Tim Roberts
xxxxxx@probo.com
Join Date: 28 Jan 2005
Posts To This List: 11673
EV Certificate

xxxxx@georgeluiz.com wrote: > > I am about to buy an EV certificate to sign a kernel-mode driver I > have to run on Windows 10 with Secure Boot enabled. > > From this web site > https://docs.microsoft.com/pt-br/windows-hardware/drivers/dashboard/update-a-code -signing-certificate > I see I can buy this certificate from these CAs: DigiCert, Entrust, > GlobalSign and Symantec. > > But from this web site <...excess quoted lines suppressed...> I suspect the sysdev page is simply out of date.  The larger list is accurate.  DigiCert bought Symantec's certificate business, so there's one less choice now. However, I want to make sure you understand how the EV certificate is used.  To satisfy Secure Boot, you can't just use your certificate to sign the driver.  You have to create a driver package, create a CAB file, sign the CAB file, and submit that to the Microsoft attestation signature process.  The finished driver that you download can then be used in a Secure Boot system. The only reason you need an EV certificate is to create your Hardware Dashboard account.  Once you have done that, the packages you submit can be signed with any code-signing certificate, as long as you have registered it with the Dashboard.  I happen to have both an EV and a non-EV certificate registered, and both work for submissions. -- Tim Roberts, xxxxx@probo.com Providenza & Boekelheide, Inc.
  Message 3 of 9  
22 Nov 17 19:12
Jeremy Hurren
xxxxxx@lordjeb.com
Join Date: 04 Oct 2013
Posts To This List: 7
EV Certificate

On Wed, Nov 22, 2017 at 1:00 PM, xxxxx@probo.com <xxxxx@lists.osr.com> wrote: > The only reason you need an EV certificate is to create your Hardware > Dashboard account. Once you have done that, the packages you submit can > be signed with any code-signing certificate, as long as you have > registered it with the Dashboard. I happen to have both an EV and a > non-EV certificate registered, and both work for submissions. > > To add just a bit to Tim's comments... if you want to do any kind of automation around your builds and such, you almost certainly won't want to use the EV certificate for that, since they are nigh impossible to use without you sitting at the keyboard interactively performing the signing. So if you want automation, you will probably need one certificate of each kind: one for getting a Hardware Dashboard account, the other than can be used to sign drivers and submissions in an automated build system. -- Jeremy Hurren FSLogix, Inc. --
  Message 4 of 9  
24 Nov 17 04:11
George Bittencourt
xxxxxx@georgeluiz.com
Join Date: 22 Nov 2017
Posts To This List: 2
EV Certificate

Thanks Tim and Jeremy! On Wed, Nov 22, 2017 at 10:11 PM, xxxxx@lordjeb.com <xxxxx@lists.osr.com> wrote: > On Wed, Nov 22, 2017 at 1:00 PM, xxxxx@probo.com <xxxxx@lists.osr.com> > wrote: > >> The only reason you need an EV certificate is to create your Hardware >> Dashboard account. Once you have done that, the packages you submit can >> be signed with any code-signing certificate, as long as you have >> registered it with the Dashboard. I happen to have both an EV and a >> non-EV certificate registered, and both work for submissions. >> >> <...excess quoted lines suppressed...> -- -George --
  Message 5 of 9  
28 Nov 17 14:21
Volodymyr M. Shcherbyna
xxxxxx@shcherbyna.com
Join Date: 07 Oct 2010
Posts To This List: 166
EV Certificate

Hello Tim, On 11/22/2017 09:00 PM, Tim Roberts wrote: [...] > The only reason you need an EV certificate is to create your Hardware > Dashboard account.  Once you have done that, the packages you submit can > be signed with any code-signing certificate, as long as you have > registered it with the Dashboard.  I happen to have both an EV and a > non-EV certificate registered, and both work for submissions. > Unfortunately, this is not the case. I tried today to sign the hlk package using non EV certificate and the dashboard complained. -- with best regards, Volodymyr.
  Message 6 of 9  
28 Nov 17 17:18
Tim Roberts
xxxxxx@probo.com
Join Date: 28 Jan 2005
Posts To This List: 11673
EV Certificate

xxxxx@shcherbyna.com wrote: > Hello Tim, > > On 11/22/2017 09:00 PM, Tim Roberts wrote: > >> The only reason you need an EV certificate is to create your Hardware >> Dashboard account.  Once you have done that, the packages you submit can >> be signed with any code-signing certificate, as long as you have >> registered it with the Dashboard.  I happen to have both an EV and a >> non-EV certificate registered, and both work for submissions. >> <...excess quoted lines suppressed...> Had you registered that non-EV certificate with your dashboard account?   I know it works for attestation signing -- I've done it. -- Tim Roberts, xxxxx@probo.com Providenza & Boekelheide, Inc.
  Message 7 of 9  
29 Nov 17 10:34
Eric Berge
xxxxxx@gmail.com
Join Date: 17 Oct 2011
Posts To This List: 17
EV Certificate

Tim beat me to the punch on this but I can add that with both the EV and non-EV certificate registered in our dashboard account, I've been able to sign the HLK package with the non-EV certificate and successfully get the submission accepted and drivers signed through the Microsoft dashboard. At least as of a couple of weeks ago. Eric Berge Quantum Corporation
  Message 8 of 9  
02 Dec 17 09:49
Volodymyr M. Shcherbyna
xxxxxx@shcherbyna.com
Join Date: 07 Oct 2010
Posts To This List: 166
EV Certificate

Hello Tim, On 11/28/2017 11:17 PM, Tim Roberts wrote: [...] > > Had you registered that non-EV certificate with your dashboard > account?   I know it works for attestation signing -- I've done it. > Thanks. I missed that part. Once I registered non-EV SHA256 everything started to work well :) -- with best regards, Volodymyr.
  Message 9 of 9  
04 Dec 17 12:16
Peter Viscarola (OSR)
xxxxxx@osr.com
Join Date:
Posts To This List: 5952
List Moderator
EV Certificate

<quote> I've been able to sign the HLK package with the non-EV certificate and successfully get the submission accepted and drivers signed through the Microsoft dashboard </quote> Whew! You guys scared me there for a minute. We worked VERY hard on this issue about a year ago, to reverse what was then a pending decision to require EV Certs be used to sign every submission. Working with the greater OEM community, we managed to get that decision reversed... I would NOT be happy to discover that decision was overturned. There are zillions of reasons why only needing a "normal" Class 3 Code Signing Cert for submissions is a good idea. The whole EV Cert thing is SUCH a PITA. Peter OSR
Posting Rules  
You may not post new threads
You may not post replies
You may not post attachments
You must login to OSR Online AND be a member of the ntdev list to be able to post.

All times are GMT -5. The time now is 21:42.


Copyright ©2015, OSR Open Systems Resources, Inc.
Based on vBulletin Copyright ©2000 - 2005, Jelsoft Enterprises Ltd.
Modified under license