A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about kernel-mode development.
 #31583  by grechkoed
 Thu May 17, 2018 8:55 pm
Hello!

I'm developing a driver for a startup project and I was asked to sign the driver for public release so that the software is ready for sale. I've never done this before.
I've read the following article: https://docs.microsoft.com/en-us/window ... ic-release
But I want to ask someone who has done this before, because buying a certificate is not so cheap and I want to be sure that it's the right way.
So, questions:
  • Is this article up to date?
  • What kind of certificate does this startup need to buy? The link from this article to the "Get a VeriSign Certificate" article is dead.
  • What's the average price of a certificate for driver signing?
  • Is it really necessary to submit the driver to Windows Hardware Developer Center Dashboard to install it successfully on newer Windows versions?
Thank you!
 #31585  by Vrtule
 Fri May 18, 2018 7:09 am
Hello,

to load your driver on Windows Vista-8.1 (x64) and Windows 10* with Secure Boot DISABLED, you may use a standard code signing certificate. They are not so expensive and can also be obtained by individuals (i.e. you do not need to have a company to acquire the cert). To sign a driver for this purpose, just use the SignTool utility.

If your driver needs to run on Windows 10* with Secure Boot enabled, you need an EV code signing certificate. They are more expensive than standard ones and may be acquired only by companies. To sign your driver for this case, you need to send it to Microsoft and go through the attestation signing process.

AFAIK your driver needs to pass some tests when you wish to load it on Windows Server 2016. Search the mailing lists at osronline.com; there is quite a lot about practical driver signing, since people are quite confused about it.

Personally, I got a standard code signing certificate (since I do not have a company) for myself from Certum (https://www.certum.eu/certum/cert,offer ... igning.xml). They are pretty cheap; however, you need to pay an extra EUR 150 for a smart card if you do not have one. Their certificates are issued only on smart cards.

You can definitely obtain the certificate from other CAs; however, Certum has some advantages, especially for me:
* their certificates are quite cheap,
* their vetting process (identity verification) is straightforward (at least for Europeans). They also plainly tell you what documents you need to pass the identity verification.

-----------------------------

So, if you need to sign your driver for real production, you have to acquire the EV code signing certificate.