Cross-Certificates for Kernel Mode Code Signing
This information describes how to obtain and use cross-certificates for code-signing kernel-mode binary files for Microsoft Windows.
Please review Microsoft Security Advisory (2880823) "Deprecation of SHA-1 Hashing Algorithm for Microsoft Root Certificate Program" which describes a policy change wherein Microsoft will no longer allow root certificate authorities to issue X.509 certificates using the SHA-1 hashing algorithm for the purposes of SSL and code signing after January 1, 2016.
The Microsoft Trusted Root Program no longer supports root certificates that have kernel mode signing capabilities. For more info, see Deprecation of Software Publisher Certificates, Commercial Release Certificates, and Commercial Test Certificates.
A cross-certificate is a digital certificate issued by one Certificate Authority (CA) that is used to sign the public key for the root certificate of another Certificate Authority. Cross-certificates provide a means to create a chain of trust from a single, trusted, root CA to multiple other CAs.
In Windows, cross-certificates:
- Allow the operating system kernel to have a single trusted Microsoft root authority.
- Extend the chain of trust to multiple commercial CAs that issue Software Publisher Certificates (SPCs), which are used for code-signing software for distribution, installation, and loading on Windows
The cross-certificates that are provided here are used with the Windows Driver Kit (WDK) code-signing tools for properly signing kernel-mode software. Digitally signing kernel-mode software is similar to code-signing any software that is published for Windows. Cross-certificates are added to the digital signature by the developer or software publisher when signing the kernel-mode software. The cross-certificate itself is added by the code-signing tools to the digital signature of the binary file or catalog.
See Authenticode Signing of Third-party CSPs for more information about how to use cross-certificates to sign third-party Cryptographic Service Providers (CSPs).
Selecting the Correct Cross-certificate
Microsoft provides a specific cross-certificate for each CA that issues SPCs for code-signing kernel-mode code. The list below has a link to the correct cross-certificate for the root authority that issued your SPC.
Follow the steps below to identify your CA, and then download the related cross-certificate.
Open the Microsoft Management Console (MMC) and add the Certificates snap-in:
- Select the Start button, type “mmc” in the search box, and select mmc from the search results. If a User Account Control dialog box appears, select Yes.
- From the MMC File menu, select Add/Remove Snap-in, …
- Select the Certificates snap-in and select Add.
- Select My user account and select Finish.
- Select the Certificates snap-in again and select Add.
- Select Computer account and select Next.
- Select Local computer and select Finish.
Locate your SPC in the certificate store, and then double-click it. Your certificate is listed in one of the following two locations, depending on how the certificate was installed.
- The Current User, Personal, Certificates store, or
- The Local Computer, Personal, Certificates store
In the Certificate dialog box, select the Certification Path tab, and then select the top-most certificate in the certification path. This is the CA that is the issuing root authority for your SPC.
View the root authority certificate by selecting the View Certificate button, and then select the Details tab of the new Certificate dialog box.
Find the Issuer and Thumbprint for this certificate. Then locate the corresponding entry for this CA in the list below.
Download the related cross-certificate for the CA and use this cross-certificate together with your SPC when digitally signing kernel-mode code
The following list contains several new CAs that are currently supported by Microsoft for issuing SPCs for code-signing kernel-mode code.
|CA||Root certificate thumbprint||Expiration date||Download link|
|AddTrust External CA Root||a7 5a c6 57 aa 7a 4c df e5 f9 de 39 3e 69 ef ca b6 59 d2 50||2023/08/15||Download|
|GoDaddy Class 2 Certification Authority||d9 61 24 72 ef 0f 27 87 e2 b2 d9 e0 63 a0 6b 32 fa 5e 33 3d||2023/08/27||Download|
|Starfield Class 2 Certification Authority||f8 fc 7f 3c dd 51 76 ad d2 7c f9 7f 73 96 59 09 46 6d 9a 22||2023/08/27||Download|
|UTN-USERFirst-Object||ae 1e 25 26 01 30 a3 0b 1b c2 20 29 35 65 3b e5 a7 23 be f5||2023/08/15||Download|
Submit and view feedback for