A forum for reverse engineering, OS internals and malware analysis 

#19692 by replic8tor
Wed Jun 19, 2013 12:17 am
Hello.

I manage a large-ish Active Directory network. We have developed a file system driver for internal use only. Machines on the internal domain and network perimeter would be required to load this driver at boot. We run Active Directory Certificate Services, and all machines have the Root CA cert in the machine store, as well as a code signing certificate in the machines' Trusted Publishers store. I can get the machines loading the driver via test signing; however, this is not a good solution for us in the long term.

Is it possible to have full driver signing support using AD and Certificate Services? This would seem like a common request; however, I have found zero information on this topic from various technical sources. Utilizing outside certificates is just not possible in our environment: all executing code is highly trusted, and enabling an outside party to have any kind of control would be unacceptable.

Thank you for your time.
#19693 by EP_X0FF
Wed Jun 19, 2013 5:19 am
Buy certificate.
#19697 by replic8tor
Wed Jun 19, 2013 12:15 pm
I could, but I don't control the root trust, and that's the entire point of having our own internal CA.
#19707 by EP_X0FF
Fri Jun 21, 2013 3:04 am
replic8tor wrote: I could, but I don't control the root trust, and that's the entire point of having our own internal CA.
And what prevents you from signing your driver with your purchased valid certificate, for example from Symantec VeriSign?
http://msdn.microsoft.com/en-us/library ... s.85).aspx