EV Certificate

Hello,

I am about to buy an EV certificate to sign a kernel-mode driver I have to
run on Windows 10 with Secure Boot enabled.

From this web site
https://docs.microsoft.com/pt-br/windows-hardware/drivers/dashboard/update-a-code-signing-certificate
I see I can buy this certificate from these CAs: DigiCert, Entrust,
GlobalSign and Symantec.

But from this web site https://sysdev.microsoft.com/pt-BR/hardware/signup/
I see I can only buy from Symantec and DigiCert.

Does anyone know from what CAs I am able to buy the certificate? I already
sent an e-mail to Microsoft but got no answer from them.

Thanks,

-George

xxxxx@georgeluiz.com wrote:

I am about to buy an EV certificate to sign a kernel-mode driver I
have to run on Windows 10 with Secure Boot enabled.

From this web site
https://docs.microsoft.com/pt-br/windows-hardware/drivers/dashboard/update-a-code-signing-certificate
I see I can buy this certificate from these CAs: DigiCert, Entrust,
GlobalSign and Symantec.

But from this web site
https://sysdev.microsoft.com/pt-BR/hardware/signup/ I see I can only
buy from Symantec and DigiCert.

Does anyone know from what CAs I am able to buy the certificate? I
already sent an e-mail to Microsoft but got no answer from them.

I suspect the sysdev page is simply out of date.  The larger list is
accurate.  DigiCert bought Symantec’s certificate business, so there’s
one less choice now.

However, I want to make sure you understand how the EV certificate is
used.  To satisfy Secure Boot, you can’t just use your certificate to
sign the driver.  You have to create a driver package, create a CAB
file, sign the CAB file, and submit that to the Microsoft attestation
signature process.  The finished driver that you download can then be
used in a Secure Boot system.

The only reason you need an EV certificate is to create your Hardware
Dashboard account.  Once you have done that, the packages you submit can
be signed with any code-signing certificate, as long as you have
registered it with the Dashboard.  I happen to have both an EV and a
non-EV certificate registered, and both work for submissions.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

On Wed, Nov 22, 2017 at 1:00 PM, xxxxx@probo.com wrote:

> The only reason you need an EV certificate is to create your Hardware
> Dashboard account. Once you have done that, the packages you submit can
> be signed with any code-signing certificate, as long as you have
> registered it with the Dashboard. I happen to have both an EV and a
> non-EV certificate registered, and both work for submissions.
>
>
To add just a bit to Tim’s comments… if you want to do any kind of
automation around your builds and such, you almost certainly won’t want to
use the EV certificate for that, since they are nigh impossible to use
without you sitting at the keyboard interactively performing the signing.
So if you want automation, you will probably need one certificate of each
kind: one for getting a Hardware Dashboard account, the other that can be
used to sign drivers and submissions in an automated build system.


Jeremy Hurren
FSLogix, Inc.
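The package-then-CAB-then-sign flow Tim describes, with the certificate selection Jeremy raises, as an added example. This script is not from the thread or from any Microsoft sample; it assumes makecab.exe and signtool.exe from the WDK/SDK are on PATH, that the driver package (INF, SYS and CAT) sits flat in .\MyDriver, and that the signing certificate is installed with its private key in CurrentUser\My. The directory name, CAB name, thumbprint placeholder and timestamp URL are all assumptions to be replaced; the EV policy OID check at the end is an assumption about how CA/Browser Forum EV code-signing certificates are marked, not something the thread states.

```powershell
# Added example, not code from the NTDEV thread. Builds the CAB that is
# uploaded for attestation signing, signs the CAB (not the .sys) with the
# certificate registered in the Hardware Dev Center dashboard, and verifies
# it before upload. All paths, names and the thumbprint are placeholders.
param(
    [string]$PackageDir   = '.\MyDriver',      # assumption: flat package dir
    [string]$CabName      = 'MyDriver.cab',
    # Thumbprint of the cert REGISTERED in the dashboard. For unattended
    # builds point this at the non-EV cert; EV keys live on a hardware token
    # that prompts for a PIN at every signing.
    [string]$Thumbprint   = '0000000000000000000000000000000000000000',
    [string]$TimestampUrl = 'http://timestamp.digicert.com'   # assumption
)

$ErrorActionPreference = 'Stop'

# 1. Describe the CAB: one cabinet, one folder holding the whole package.
$destDir = Split-Path -Leaf (Resolve-Path $PackageDir)
$ddf = @"
.OPTION EXPLICIT
.Set CabinetFileCountThreshold=0
.Set FolderFileCountThreshold=0
.Set FolderSizeThreshold=0
.Set MaxCabinetSize=0
.Set MaxDiskFileCount=0
.Set MaxDiskSize=0
.Set CompressionType=MSZIP
.Set Cabinet=on
.Set Compress=on
.Set CabinetNameTemplate=$CabName
.Set DiskDirectory1=.
.Set DestinationDir=$destDir
"@
$files = Get-ChildItem -Path $PackageDir -File | ForEach-Object { $_.FullName }
$ddf  += "`r`n" + ($files -join "`r`n") + "`r`n"
Set-Content -Path '.\package.ddf' -Value $ddf -Encoding ASCII

# 2. Build the CAB. Native exit codes do not throw, so check $LASTEXITCODE.
& makecab.exe /f .\package.ddf
if ($LASTEXITCODE -ne 0) { throw "makecab failed with exit code $LASTEXITCODE" }

# 3. Sign the CAB with the registered certificate, SHA-256 file digest and
#    an RFC 3161 SHA-256 timestamp so the signature outlives the cert.
& signtool.exe sign /v /fd sha256 /sha1 $Thumbprint /tr $TimestampUrl /td sha256 $CabName
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# 4. Verify under the default Authenticode policy before uploading.
& signtool.exe verify /v /pa $CabName
if ($LASTEXITCODE -ne 0) { throw "CAB signature does not verify" }

# 5. Report which certificate actually signed it. The EV test looks for the
#    CA/Browser Forum EV code-signing policy OID 2.23.140.1.3 in the
#    Certificate Policies extension (assumption; CAs also use their own OIDs).
$sig      = Get-AuthenticodeSignature -FilePath $CabName
$cert     = $sig.SignerCertificate
$policies = ($cert.Extensions |
             Where-Object { $_.Oid.Value -eq '2.5.29.32' } |
             ForEach-Object { $_.Format($true) }) -join ' '
[pscustomobject]@{
    Status     = $sig.Status
    Subject    = $cert.Subject
    Thumbprint = $cert.Thumbprint
    NotAfter   = $cert.NotAfter
    LooksEV    = [bool]($policies -match '2\.23\.140\.1\.3(\D|$)')
}
```

Run it from the directory that contains the package folder; the resulting CAB is what goes to the dashboard, and the object it prints tells you at a glance whether the build machine picked up the EV token or the non-EV file-based certificate.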

Thanks Tim and Jeremy!

On Wed, Nov 22, 2017 at 10:11 PM, xxxxx@lordjeb.com
wrote:

> On Wed, Nov 22, 2017 at 1:00 PM, xxxxx@probo.com
> wrote:
>
>> The only reason you need an EV certificate is to create your Hardware
>> Dashboard account. Once you have done that, the packages you submit can
>> be signed with any code-signing certificate, as long as you have
>> registered it with the Dashboard. I happen to have both an EV and a
>> non-EV certificate registered, and both work for submissions.
>>
>>
> To add just a bit to Tim’s comments… if you want to do any kind of
> automation around your builds and such, you almost certainly won’t want to
> use the EV certificate for that, since they are nigh impossible to use
> without you sitting at the keyboard interactively performing the signing.
> So if you want automation, you will probably need one certificate of each
> kind: one for getting a Hardware Dashboard account, the other that can be
> used to sign drivers and submissions in an automated build system.
>
> –
> Jeremy Hurren
> FSLogix, Inc.


-George

Hello Tim,

On 11/22/2017 09:00 PM, Tim Roberts wrote:

[…]

The only reason you need an EV certificate is to create your Hardware
Dashboard account.  Once you have done that, the packages you submit can
be signed with any code-signing certificate, as long as you have
registered it with the Dashboard.  I happen to have both an EV and a
non-EV certificate registered, and both work for submissions.

Unfortunately, this is not the case. I tried today to sign the HLK package using a
non-EV certificate and the dashboard complained.


with best regards, Volodymyr.

xxxxx@shcherbyna.com wrote:

Hello Tim,

On 11/22/2017 09:00 PM, Tim Roberts wrote:

> The only reason you need an EV certificate is to create your Hardware
> Dashboard account.  Once you have done that, the packages you submit can
> be signed with any code-signing certificate, as long as you have
> registered it with the Dashboard.  I happen to have both an EV and a
> non-EV certificate registered, and both work for submissions.
>
Unfortunately, this is not the case. I tried today to sign the HLK package using a
non-EV certificate and the dashboard complained.

Had you registered that non-EV certificate with your dashboard
account?   I know it works for attestation signing – I’ve done it.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Tim beat me to the punch on this but I can add that with both the EV and non-EV certificate registered in our dashboard account, I’ve been able to sign the HLK package with the non-EV certificate and successfully get the submission accepted and drivers signed through the Microsoft dashboard. At least as of a couple of weeks ago.

Eric Berge
Quantum Corporation

Hello Tim,

On 11/28/2017 11:17 PM, Tim Roberts wrote:

[…]

Had you registered that non-EV certificate with your dashboard
account?   I know it works for attestation signing – I’ve done it.

Thanks. I missed that part. Once I registered the non-EV SHA256 certificate, everything started
to work well :)


with best regards, Volodymyr.

Whew! You guys scared me there for a minute.

We worked VERY hard on this issue about a year ago, to reverse what was then a pending decision to require EV Certs be used to sign every submission. Working with the greater OEM community, we managed to get that decision reversed… I would NOT be happy to discover that decision was overturned.

There are zillions of reasons why only needing a “normal” Class 3 Code Signing Cert for submissions is a good idea. The whole EV Cert thing is SUCH a PITA.

Peter
OSR