Web Analytics

FAQ: Kernel-Mode Code Signing Certificates

Many of SSL.com’s customers have questions about code signing in Windows, especially in regard to signing kernel-mode drivers. This FAQ answers common questions developers may have about kernel-mode code signing in Windows.

What kind of code signing certificate do I need to sign kernel-mode drivers in Windows 10?

An EV code signing certificate is required for kernel-mode code signing in Windows 10. For more information on code signing certificate validation levels and applications, please refer to our FAQ, Which Code Signing Certificate do I Need? EV or OV?

How do I sign kernel-mode drivers in Windows 10?

After acquiring an EV code signing certificate, your organization must register with the Windows Hardware Dev Center program. After you sign your driver with your EV certificate, it must be submitted for signing by Microsoft through the Hardware Dev Center. For complete information, please refer to Microsoft’s documentation:
Get started with the hardware dashboard program
Register for the Hardware Program
Hardware Submissions
Attestation signing a kernel driver for public release

How can I test a kernel-mode driver before release?

There are several options for developers who need to install and test their driver before it is signed for release by Microsoft:

Disable KernelMode Checks: Microsoft provides detailed instructions for disabling signature checks on kernel-mode drivers during development and testing.

Test Signing: You can have Microsoft test-sign your driver package by checking Perform test-signing for Win10 and above or Perform test-signing for OS below Win10 (legacy) in the hardware submission wizard. The test-signed file does not require HLK testing by Microsoft, and may only be run on test machines. Please see Microsoft’s hardware submission documentation for details on test signing.

test signing options

• Flight Signing: Flight-signed drivers are signed with a Microsoft Developer Test certificate that is trusted on “insider” builds of Windows 10 RS2 and above. You can flight sign your driver by checking Perform flight signing only during the hardware submission process. Please see Microsoft’s hardware submission documentation for details on flight signing.

Flight signing option

Do I need an EV code signing certificate to sign user-mode drivers in Windows 10 too?

Yes. According to Microsoft’s documentation on Signing a Driver for Public Release, “Starting in Windows 10, you also need to submit any new Windows 10 kernel mode driver for digital signing on the Windows Hardware Developer Center Dashboard portal. Both kernel and user mode driver submissions must have a valid Extended Validation (“EV”) Code Signing Certificate.”

Users can sign code with eSigner’s Extended Validation Code Signing capability. Click below for more info.

LEARN MORE

Thank you for choosing SSL.com! If you have any questions, please contact us by email at Support@SSL.com, call 1-877-SSL-SECURE, or just click the chat link at the bottom right of this page. You can also find answers to many common support questions in our knowledgebase.

SSL.com Support Team

Author - Content Administrator
All Posts

Related FAQs

View All FAQs

Follow Us

Facebook Twitter Youtube Github

What is SSL/TLS?

Play Video

Subscribe to SSL.com’s Newsletter

Don’t miss new articles and updates from SSL.com

Stay Informed and Secure

SSL.com is a global leader in cybersecurity, PKI and digital certificates. Sign up to receive the latest industry news, tips, and product announcements from SSL.com and stay informed of the latest changes about digital identity and encryption that can impact and enhance your life.

We’d love your feedback

Take our survey and let us know your thoughts on your recent purchase.

Take Survey