Release-Signing a Driver File

Use the following SignTool command to embed a Software Publisher Certificate (SPC) signature in a driver file. To comply with the kernel-mode code signing policy, boot-start driver for 64-bit versions of Windows Vista and later versions of Windows must have an embedded SPC signature.

SignTool sign /v /ac CrossCertificateFile /s SPCCertificateStore /n SPCCertificateName /t DriverFileName.sys


  • The sign command configures SignTool to embed a signature in the file DriverFileName.sys.

  • The /v verbose option configures SignTool to print execution and warning messages.

  • The /ac CrossCertificateFile option specifies the cross-certificate .cer file that is associated with the SPC that is specified by SPCCertificateName.

  • The /s SPCCertificateStore option specifies the name of the Personal certificate store that holds the SPC that is specified by SPCCertificateName. As described in Software Publisher Certificate (SPC), the certificate information must be contained in a .pfx file, and the information in the .pfx file must be added to the Personal certificate store of the local computer. The Personal certificate store is specified by the option /s my.

  • The /n SPCCertificateName option specifies the name of the certificate in the SPCCertificateStore certificate store.

  • The /t option supplies the URL to the publicly-available time-stamp server that VeriSign provides.

  • DriverFileName.sys is the name of the driver file.

The following command embeds a signature in Toaster.sys that is generated from a certificate named "" in the Personal "my" certificate store and the corresponding cross-certificate Rsacertsvrcross.cer. In addition, the signature is time-stamped by the time stamp service In this example, Toaster.sys is in the amd64 subdirectory under the directory in which the command is run.

SignTool sign /v /ac c:\lab\rsacertsrvcross.cer /s my /n /t amd64\toaster.sys