
EV Certificate

Hello,

I am about to buy an EV certificate to sign a kernel-mode driver I have to
run on Windows 10 with Secure Boot enabled.

From this web site
https://docs.microsoft.com/pt-br/windows-hardware/drivers/dashboard/update-a-code-signing-certificate
I see I can buy this certificate from these CAs: DigiCert, Entrust,
GlobalSign and Symantec.

But from this web site https://sysdev.microsoft.com/pt-BR/hardware/signup/
I see I can only buy from Symantec and DigiCert.

Does anyone know from what CAs I am able to buy the certificate? I already
sent an e-mail to Microsoft but got no answer from them.

Thanks,
--
-George

Comments

  • Tim_Roberts Posts: 12,566
    xxxxx@georgeluiz.com wrote:
    >
    > I am about to buy an EV certificate to sign a kernel-mode driver I
    > have to run on Windows 10 with Secure Boot enabled.
    >
    > From this web site
    > https://docs.microsoft.com/pt-br/windows-hardware/drivers/dashboard/update-a-code-signing-certificate
    > I see I can buy this certificate from these CAs: DigiCert, Entrust,
    > GlobalSign and Symantec.
    >
    > But from this web site
    > https://sysdev.microsoft.com/pt-BR/hardware/signup/ I see I can only
    > buy from Symantec and DigiCert.
    >
    > Does anyone know from what CAs I am able to buy the certificate? I
    > already sent an e-mail to Microsoft but got no answer from them.
    >

    I suspect the sysdev page is simply out of date.  The larger list is
    accurate.  DigiCert bought Symantec's certificate business, so there's
    one less choice now.

    However, I want to make sure you understand how the EV certificate is
    used.  To satisfy Secure Boot, you can't just use your certificate to
    sign the driver.  You have to create a driver package, create a CAB
    file, sign the CAB file, and submit that to the Microsoft attestation
    signature process.  The finished driver that you download can then be
    used in a Secure Boot system.

    The only reason you need an EV certificate is to create your Hardware
    Dashboard account.  Once you have done that, the packages you submit can
    be signed with any code-signing certificate, as long as you have
    registered it with the Dashboard.  I happen to have both an EV and a
    non-EV certificate registered, and both work for submissions.

    --
    Tim Roberts, xxxxx@probo.com
    Providenza & Boekelheide, Inc.


  • On Wed, Nov 22, 2017 at 1:00 PM, xxxxx@probo.com wrote:

    > The only reason you need an EV certificate is to create your Hardware
    > Dashboard account. Once you have done that, the packages you submit can
    > be signed with any code-signing certificate, as long as you have
    > registered it with the Dashboard. I happen to have both an EV and a
    > non-EV certificate registered, and both work for submissions.
    >
    >
    To add just a bit to Tim's comments... if you want to do any kind of
    automation around your builds and such, you almost certainly won't want to
    use the EV certificate for that, since they are nigh impossible to use
    without you sitting at the keyboard interactively performing the signing.
    So if you want automation, you will probably need one certificate of each
    kind: one for getting a Hardware Dashboard account, the other that can be
    used to sign drivers and submissions in an automated build system.

    --
    Jeremy Hurren
    FSLogix, Inc.
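
The steps Tim describes (driver package, CAB, signed CAB, submission) combined with the unattended signing Jeremy mentions, as an added example that is not part of either post. The paths, package name, thumbprint and timestamp URL are placeholders; it assumes `makecab.exe` and `signtool.exe` are on the PATH and that the signing certificate sits in the current user's store with a software-accessible key and is already registered with the Dashboard account.

```powershell
# Added example: build and sign an attestation-submission CAB without prompts.
# Every value in this block is a placeholder to be replaced with your own.
$PackageDir   = 'C:\build\MyDriver'     # hypothetical folder holding the .inf/.sys/.cat
$PackageName  = 'MyDriver'
$WorkDir      = 'C:\build\out'
$Thumbprint   = '<SHA1-THUMBPRINT-OF-REGISTERED-CERT>'
$TimestampUrl = '<RFC3161-TIMESTAMP-URL-FROM-YOUR-CA>'

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Force -Path $WorkDir | Out-Null

# MakeCab directive file: one cabinet, the driver files in a subfolder
# (not at the cabinet root), no size or file-count limits.
$ddf = @(
    '.OPTION EXPLICIT'
    '.Set CabinetFileCountThreshold=0'
    '.Set FolderFileCountThreshold=0'
    '.Set FolderSizeThreshold=0'
    '.Set MaxCabinetSize=0'
    '.Set MaxDiskFileCount=0'
    '.Set MaxDiskSize=0'
    '.Set CompressionType=MSZIP'
    '.Set Cabinet=on'
    '.Set Compress=on'
    ".Set CabinetNameTemplate=$PackageName.cab"
    ".Set DestinationDir=$PackageName"
)
$ddf += Get-ChildItem -File -Path $PackageDir | ForEach-Object { '"' + $_.FullName + '"' }
$ddfPath = Join-Path $WorkDir "$PackageName.ddf"
Set-Content -Path $ddfPath -Value $ddf -Encoding ASCII

# makecab writes the cabinet to .\Disk1 under the current directory by default.
Push-Location $WorkDir
try {
    & makecab.exe /f $ddfPath
    if ($LASTEXITCODE -ne 0) { throw "makecab failed with exit code $LASTEXITCODE" }
    $cab = Join-Path $WorkDir "Disk1\$PackageName.cab"

    # Sign with the certificate selected by thumbprint; SHA-256 digest and timestamp.
    & signtool.exe sign /v /sha1 $Thumbprint /fd sha256 /tr $TimestampUrl /td sha256 $cab
    if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

    # Check the signature before uploading the CAB to the dashboard.
    & signtool.exe verify /pa /v $cab
    if ($LASTEXITCODE -ne 0) { throw "signature verification failed" }
}
finally { Pop-Location }
```

A certificate whose key lives on a hardware token will typically prompt for a PIN at the `signtool sign` step, which is the interactive step Jeremy refers to.
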
  • Thanks Tim and Jeremy!

    On Wed, Nov 22, 2017 at 10:11 PM, xxxxx@lordjeb.com
    wrote:

    > On Wed, Nov 22, 2017 at 1:00 PM, xxxxx@probo.com
    > wrote:
    >
    >> The only reason you need an EV certificate is to create your Hardware
    >> Dashboard account. Once you have done that, the packages you submit can
    >> be signed with any code-signing certificate, as long as you have
    >> registered it with the Dashboard. I happen to have both an EV and a
    >> non-EV certificate registered, and both work for submissions.
    >>
    >>
    > To add just a bit to Tim's comments... if you want to do any kind of
    > automation around your builds and such, you almost certainly won't want to
    > use the EV certificate for that, since they are nigh impossible to use
    > without you sitting at the keyboard interactively performing the signing.
    > So if you want automation, you will probably need one certificate of each
    > kind: one for getting a Hardware Dashboard account, the other that can be
    > used to sign drivers and submissions in an automated build system.
    >
    > --
    > Jeremy Hurren
    > FSLogix, Inc.

    --
    -George
  • Hello Tim,

    On 11/22/2017 09:00 PM, Tim Roberts wrote:

    [...]

    > The only reason you need an EV certificate is to create your Hardware
    > Dashboard account.  Once you have done that, the packages you submit can
    > be signed with any code-signing certificate, as long as you have
    > registered it with the Dashboard.  I happen to have both an EV and a
    > non-EV certificate registered, and both work for submissions.
    >

    Unfortunately, this is not the case. I tried today to sign the HLK package using
    a non-EV certificate and the dashboard complained.

    --
    with best regards, Volodymyr.
  • Tim_Roberts Posts: 12,566
    xxxxx@shcherbyna.com wrote:
    > Hello Tim,
    >
    > On 11/22/2017 09:00 PM, Tim Roberts wrote:
    >
    >> The only reason you need an EV certificate is to create your Hardware
    >> Dashboard account.  Once you have done that, the packages you submit can
    >> be signed with any code-signing certificate, as long as you have
    >> registered it with the Dashboard.  I happen to have both an EV and a
    >> non-EV certificate registered, and both work for submissions.
    >>
    > Unfortunately, this is not the case. I tried today to sign the HLK package using
    > a non-EV certificate and the dashboard complained.

    Had you registered that non-EV certificate with your dashboard
    account?   I know it works for attestation signing -- I've done it.

    --
    Tim Roberts, xxxxx@probo.com
    Providenza & Boekelheide, Inc.


  • Tim beat me to the punch on this but I can add that with both the EV and non-EV certificate registered in our dashboard account, I've been able to sign the HLK package with the non-EV certificate and successfully get the submission accepted and drivers signed through the Microsoft dashboard. At least as of a couple of weeks ago.

    Eric Berge
    Quantum Corporation
  • Hello Tim,

    On 11/28/2017 11:17 PM, Tim Roberts wrote:

    [...]

    >
    > Had you registered that non-EV certificate with your dashboard
    > account?   I know it works for attestation signing -- I've done it.
    >

    Thanks. I missed that part. Once I registered non-EV SHA256 everything started
    to work well :)

    --
    with best regards, Volodymyr.
  • > I've been able to sign the HLK
    > package with the non-EV certificate and successfully get the submission accepted
    > and drivers signed through the Microsoft dashboard

    Whew! You guys scared me there for a minute.

    We worked VERY hard on this issue about a year ago, to reverse what was then a pending decision to require EV Certs be used to sign every submission. Working with the greater OEM community, we managed to get that decision reversed... I would NOT be happy to discover that decision was overturned.

    There are zillions of reasons why only needing a "normal" Class 3 Code Signing Cert for submissions is a good idea. The whole EV Cert thing is SUCH a PITA.

    Peter
    OSR

    Peter Viscarola
    OSR
    @OSRDrivers
