Cross-Certificates for Kernel Mode Code Signing
- 6 minutes to read
-
Contributors
This information describes how to obtain and use cross-certificates for code-signing kernel-mode binary files for Microsoft Windows.
Note Please also review Microsoft Security Advisory (2880823) "Deprecation of SHA-1 Hashing Algorithm for Microsoft Root Certificate Program" which describes a policy change wherein Microsoft will no longer allow root certificate authorities to issue X.509 certificates using the SHA-1 hashing algorithm for the purposes of SSL and code signing after January 1, 2016.
Cross-Certificates Overview
A cross-certificate is a digital certificate issued by one Certificate Authority (CA) that is used to sign the public key for the root certificate of another Certificate Authority. Cross-certificates provide a means to create a chain of trust from a single, trusted, root CA to multiple other CAs.
In Windows, cross-certificates:
- Allow the operating system kernel to have a single trusted Microsoft root authority.
- Extend the chain of trust to multiple commercial CAs that issue Software Publisher Certificates (SPCs), which are used for code-signing software for distribution, installation, and loading on Windows
The cross-certificates that are provided here are used with the Windows Driver Kit (WDK) code-signing tools for properly signing kernel-mode software. Digitally signing kernel-mode software is similar to code-signing any software that is published for Windows. Cross-certificates are added to the digital signature by the developer or software publisher when signing the kernel-mode software. The cross-certificate itself is added by the code-signing tools to the digital signature of the binary file or catalog.
See Authenticode Signing of Third-party CSPs for more information about how to use cross-certificates to sign third-party Cryptographic Service Providers (CSPs).
Selecting the Correct Cross-certificate
Microsoft provides a specific cross-certificate for each CA that issues SPCs for code-signing kernel-mode code. The list below has a link to the correct cross-certificate for the root authority that issued your SPC.
Follow the steps below to identify your CA, and then download the related cross-certificate.
Open the Microsoft Management Console (MMC) and add the Certificates snap-in:
- Click the Start button, type “mmc” in the search box, and press return. If a User Account Control dialog box appears, click Yes.
- From the MMC File menu, select Add/Remove Snap-in, …
- Select the Certificates snap-in and click Add.
- Select My user account and click Finish.
- Select the Certificates snap-in again and click Add.
- Select Computer account and click Next.
- Select Local computer and click Finish.
Locate your SPC in the certificate store, and then double-click it. Your certificate is listed in one of the following two locations, depending on how the certificate was installed.
- The Current User, Personal, Certificates store, or
- The Local Computer, Personal, Certificates store
In the Certificate dialog box, click on the Certification Path tab, and then select the top-most certificate in the certification path. This is the CA that is the issuing root authority for your SPC.
- View the root authority certificate by clicking the View Certificate button, and then click the Details tab of the new Certificate dialog box.
- Find the Issuer and Thumbprint for this certificate. Then locate the corresponding entry for this CA in the list below.
- Download the related cross-certificate for the CA and use this cross-certificate together with your SPC when digitally signing kernel-mode code
Cross-Certificate List
The following list contains all of the CAs that are currently supported by Microsoft for issuing SPCs for code-signing kernel-mode code.
| CA | Root certificate thumbprint | Download link |
|---|---|---|
| Certum Trusted Network CA | 55 43 55 15 fd d2 48 65 75 fd c5 cf 3b ad 00 c9 13 12 3d 03 | Download |
| DigiCert Assured ID Root CA | ba 3e a5 4d 72 c1 45 d3 7c 25 5e 1e a4 0a fb c6 33 48 b9 6e | Download |
| DigiCert Global Root CA | c9 83 39 19 f1 f3 6a 63 48 11 1e 93 02 6f d4 0e b9 6f bc 34 | Download |
| DigiCert High Assurance EV Root CA | 2f 25 13 af 39 92 db 0a 3f 79 70 9f f8 14 3b 3f 7b d2 d1 43 | Download |
| Entrust.net Certification Authority (2048) | 00 a3 e6 00 9e aa 73 9b 3d ee f4 b5 06 64 9d 8a 1a 7a d3 3a | Download |
| Entrust Root Certification Authority – G2 | d8 fc 24 87 48 58 5e 17 3e fb fb 30 75 c4 b4 d6 0f 9d 8d 08 | Download |
| GeoTrust Primary Certification Authority | e8 6e 80 82 99 0e 3d fa ed 81 6d 9e b1 72 0f 91 a4 f1 a1 85 | Download |
| GeoTrust Primary Certification Authority – G3 | b2 bb bd fa c8 f1 a8 ad 58 95 cd 49 38 4b 22 ca 19 db 2d 1f | Download |
| GlobalSign Root CA | cc 1d ee bf 6d 55 c2 c9 06 1b a1 6f 10 a0 bf a6 97 9a 4a 32 | Download |
| Go Daddy Root Certificate Authority – G2 | 84 2c 5c b3 4b 73 bb c5 ed 85 64 bd ed a7 86 96 7d 7b 42 ef | Download |
| NetLock Arany (Class Gold) | 89 4f 1d 28 97 aa 4c 07 4d cd 85 c5 fc 09 ee 73 b9 51 04 d8 | Download |
| NetLock Platina (Class Platinum) | 97 dd 74 97 16 20 57 29 41 dc 80 0c 2f d8 0a 48 07 7d 10 b0 | Download |
| Security Communication RootCA1 | 41 f2 8c e5 6f d8 b9 cb 46 7f b5 03 2a 3c ae 1c dc 9d 86 48 | Download |
| Starfield Root Certificate Authority – G2 | 40 c2 0a 9a 33 fa d0 36 ac bf e8 2d 6c bb ee 1b 42 9b 86 de | Download |
| StartCom Certification Authority | e6 06 9e 04 8d ea 8d 81 7a fc 41 88 b1 be f1 d8 88 d0 af 17 | Download |
| TC TrustCenter Class 2 CA II | 42 62 ff 7d 89 70 66 aa e7 75 80 d3 3a d2 88 03 f9 a1 1a 62 | Download |
| Thawte Primary Root CA | 55 38 e9 fe c1 40 30 b7 40 15 23 49 e1 15 a1 16 5d 29 07 4a | Download |
| Thawte Primary Root CA – G3 | ba 57 ca 5e 78 dd 2d 1d 74 76 ae be e9 95 3e 39 6f d0 55 46 | Download |
| VeriSign Class 3 Public Primary Certification Authority – G5 | 57 53 4c cc 33 91 4c 41 f7 0e 2c bb 21 03 a1 db 18 81 7d 8b | Download |
| VeriSign Universal Root Certification Authority | 9e d8 cd 56 01 f0 10 56 51 eb bb 3f 57 f0 31 82 e5 fa 7e 01 | Download |
New Cross-Certificate List
The following list contains several new CAs that are currently supported by Microsoft for issuing SPCs for code-signing kernel-mode code.
| CA | Root certificate thumbprint | Download link |
|---|---|---|
| AddTrust External CA Root | a7 5a c6 57 aa 7a 4c df e5 f9 de 39 3e 69 ef ca b6 59 d2 50 | Download |
| GoDaddy Class 2 Certification Authority | d9 61 24 72 ef 0f 27 87 e2 b2 d9 e0 63 a0 6b 32 fa 5e 33 3d | Download |
| Starfield Class 2 Certification Authority | f8 fc 7f 3c dd 51 76 ad d2 7c f9 7f 73 96 59 09 46 6d 9a 22 | Download |
| UTN-USERFirst-Object | ae 1e 25 26 01 30 a3 0b 1b c2 20 29 35 65 3b e5 a7 23 be f5 | Download |