Digicert revoking kernel code signing certs with expiration after June 30, 2021

We just received an e-mail from Digicert, a portion of which I’ll quote here:

Microsoft recently notified us that one or more of the code signing certificates your organization uses to sign kernel-mode driver packages expires after June 30, 2021. According to Microsoft’s guidelines, certificates used to sign kernel-mode driver packages must expire before this date. You can find more information about Microsoft’s guidelines on the Microsoft docs site.
Starting on August 10, 2020, Microsoft will require that we revoke any code signing certificates that expire after June 30, 2021 and that are used to sign kernel-mode driver packages.

They further go on to say that they’ll replace our certificate with one that expires on April 15, 2021, the same day as the updated cross-certificate expiration.

We’ve previously been aware that the cross-certificates would expire early next year (the one we use was slated to go poof on Feb. 22, 2021). The Microsoft doc they reference mentions this, and it further stresses that certificates that expire after that will continue to work, just not for KMCS purposes. Nowhere do I see anything about a June 30 date or anything about revocation. Has anyone heard this information previously?

They also mentioned nothing about any compensation we may receive for losing over half of the duration of our 3-year certificate.

What are the impacts of the certificate being revoked? Is this comparable to an early expiration (e.g., new signatures will not work, but older code countersigned with a timestamp will continue to operate), or will even older code signed with this certificate now fail to load?

It just means that the cert can’t sign anything after the expiration date. Before that, all your signed stuff is good forever.

I personally hate this, as it will make our dev and test process subsist on test-signed drivers. For small companies and independent developers it imposes the additional WHQL burden, or attestation signing, which is easy but useless for older OS versions. We have to WHQL everything anyway, so the only burden is adding test mode to our test systems.

Mark Roddy

Thanks for the clarification.

I wish Microsoft would announce that they are extending attestation signing to work for Windows 7 & 8.1. We don’t have to WHQL most things, and the thought of having to do so just to drag along Windows 8.1 (7 will be gone soon enough) is not the least bit appealing.

I think they will HAVE to do that. There are many classes of drivers that do not have a WHQL category. Without attestation signing, you would have to instruct all of your users on how to add your certificate to their root store. Since most users are morons, that will simply never work.

Win7 will outlive W8. It always had bigger market share and happy user base.

OT: As soon as I can no longer use W7 I am out of the Windows arena, and into *nix.

@Dejan_Maksimovic said:
Win7 will outlive W8. It always had bigger market share and happy user base.

In general, I agree. In my specific case, though, we tend to sunset OS support within a year or two after Microsoft does so. Win7 will be gone for me before this time next year. I wish Win8.1 would go at the same time, and then I wouldn’t have to care about the “will attested signing work for backlevel OSes or not” question.

I am actively trying to get an updated, definitive, answer to what the precise plan is for driver signing for Windows OS versions prior to Win10. I think this is a very important issue.

I’ll let you all know when/if I hear anything definitive.

Peter


@“Peter_Viscarola_(OSR)” said:
I am actively trying to get an updated, definitive, answer to what the precise plan is for driver signing for Windows OS versions prior to Win10. I think this is a very important issue.

I’ll let you all know when/if I hear anything definitive.

Thank you, Peter. As always, you are on top of things.

DigiCert has replaced our certificate with one expiring on April 15th, 2021. Support has been great to work with. However, when I sign the driver I work on with the new certificate, put it through the HLK process, and submit it to Microsoft, it doesn’t seem to work. It may be this recent event or another problem. I get the error “A certificate was explicitly revoked by its issuer” when starting the driver with NET START. I have the SignTool command and the SignTool verification output from before and after submitting the driver to the Microsoft portal, if that helps.

Are you saying the HLK process did work? I was going to remind you that, if you have a new certificate, you have to register it with your dashboard account, but if the process worked and it’s the returned driver that doesn’t, then I’m all wet.

Tim,
Yes, I did register the new certificate with the Microsoft Partner portal, and removed the old one so that the portal only showed the valid certificate. Thanks for the double-check.
I am including the SignTool command and verification output for both the pre and post portal process. If anyone sees something amiss, please say so, and many thanks!
Barry

======== Signing the catalog file before Microsoft Portal submission ========

Sign kit with this command - use with the new certificate from DigiCert for Microsoft changes for certificates

SignTool sign /v /tr http://timestamp.digicert.com ^
/td sha256 /fd sha256 ^
/ac DigiCert_High_Assurance_EV_Root_CA.crt ^
/sha1 044270294D3D56BC942163859C4180D074E67626 ^
AmNdis60.cat

C:\Users\VSISigning\Desktop\AM E32-1 driver and test submission 3 - no initial certificate\AM_E32-1_Driver_Package2\AM_E32_Driver_Package2> SignTool sign /v /tr http://timestamp.digicert.com
More? /td sha256 /fd sha256 ^
More? /ac DigiCert_High_Assurance_EV_Root_CA.crt ^
More? /sha1 044270294D3D56BC942163859C4180D074E67626 ^
More? AmNdis60.cat
The following certificate was selected:
Issued to: VMS Software, Inc.
Issued by: DigiCert EV Code Signing CA (SHA2)
Expires: Thu Apr 15 08:00:00 2021
SHA1 hash: 044270294D3D56BC942163859C4180D074E67626

Cross certificate chain (using machine store):
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 01 09:54:03 2025
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3

    Issued to: DigiCert High Assurance EV Root CA
    Issued by: Microsoft Code Verification Root
    Expires:   Thu Apr 15 15:55:33 2021
    SHA1 hash: 2F2513AF3992DB0A3F79709FF8143B3F7BD2D143

        Issued to: DigiCert EV Code Signing CA (SHA2)
        Issued by: DigiCert High Assurance EV Root CA
        Expires:   Sun Apr 18 08:00:00 2027
        SHA1 hash: 60EE3FC53D4BDFD1697AE5BEAE1CAB1C0F3AD4E3

            Issued to: VMS Software, Inc.
            Issued by: DigiCert EV Code Signing CA (SHA2)
            Expires:   Thu Apr 15 08:00:00 2021
            SHA1 hash: 044270294D3D56BC942163859C4180D074E67626

Done Adding Additional Store
Successfully signed: amndis60.cat

Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0

C:\Users\VSISigning\Desktop\AM E32-1 driver and test submission 3 - no initial certificate\AM_E32-1_Driver_Package3_Signed_CAT\AM_E32_Driver_Package2>SignTool verify /v /pa AmNdis60.cat

Verifying: amndis60.cat

Signature Index: 0 (Primary Signature)
Hash of file (sha256): D50C4EBC2382F1CAA125CA86FA14402E767264CA130E11E47C5E0CBA1B55A839

Signing Certificate Chain:
Issued to: DigiCert High Assurance EV Root CA
Issued by: DigiCert High Assurance EV Root CA
Expires: Sun Nov 09 20:00:00 2031
SHA1 hash: 5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25

    Issued to: DigiCert EV Code Signing CA (SHA2)
    Issued by: DigiCert High Assurance EV Root CA
    Expires:   Sun Apr 18 08:00:00 2027
    SHA1 hash: 60EE3FC53D4BDFD1697AE5BEAE1CAB1C0F3AD4E3

        Issued to: VMS Software, Inc.
        Issued by: DigiCert EV Code Signing CA (SHA2)
        Expires:   Thu Apr 15 08:00:00 2021
        SHA1 hash: 044270294D3D56BC942163859C4180D074E67626

The signature is timestamped: Thu Aug 06 18:23:03 2020
Timestamp Verified by:
Issued to: DigiCert Assured ID Root CA
Issued by: DigiCert Assured ID Root CA
Expires: Sun Nov 09 20:00:00 2031
SHA1 hash: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43

    Issued to: DigiCert SHA2 Assured ID Timestamping CA
    Issued by: DigiCert Assured ID Root CA
    Expires:   Tue Jan 07 08:00:00 2031
    SHA1 hash: 3BA63A6E4841355772DEBEF9CDCF4D5AF353A297

        Issued to: TIMESTAMP-SHA256-2019-10-15
        Issued by: DigiCert SHA2 Assured ID Timestamping CA
        Expires:   Wed Oct 16 20:00:00 2030
        SHA1 hash: 0325BD505EDA96302DC22F4FA01E4C28BE2834C5

Successfully verified: amndis60.cat

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0

======= Driver file signatures after Microsoft Portal submission =======

C:\Users\VSISigning\Desktop\AM E32-1 driver and test submission 3 - no initial certificate\Signed_1152921505690983398\drivers\7de375ef-c700-4aa6-b8b5-79daca58e9b2>SignTool verify /v /pa AmNdis60.sys

Verifying: AmNdis60.sys

Signature Index: 0 (Primary Signature)
Hash of file (sha256): FA29D8CD0C2F1F59367E5FF66DC1AD9C92333540436F2C1690BD0ED5C51C9035

Signing Certificate Chain:
Issued to: Microsoft Root Certificate Authority 2010
Issued by: Microsoft Root Certificate Authority 2010
Expires: Sat Jun 23 18:04:01 2035
SHA1 hash: 3B1EFD3A66EA28B16697394703A72CA340A05BD5

    Issued to: Microsoft Windows PCA 2010
    Issued by: Microsoft Root Certificate Authority 2010
    Expires:   Sun Jul 06 16:50:23 2025
    SHA1 hash: C01386A907496404F276C3C1853ABF4A5274AF88

        Issued to: Microsoft Windows Hardware Compatibility Publisher
        Issued by: Microsoft Windows PCA 2010
        Expires:   Sun Jan 31 15:16:16 2021
        SHA1 hash: F8CB95569B64E7395CA7FA910449D82870C63F3E

The signature is timestamped: Thu Aug 06 21:21:31 2020
Timestamp Verified by:
Issued to: Microsoft Root Certificate Authority 2010
Issued by: Microsoft Root Certificate Authority 2010
Expires: Sat Jun 23 18:04:01 2035
SHA1 hash: 3B1EFD3A66EA28B16697394703A72CA340A05BD5

    Issued to: Microsoft Time-Stamp PCA 2010
    Issued by: Microsoft Root Certificate Authority 2010
    Expires:   Tue Jul 01 17:46:55 2025
    SHA1 hash: 2AA752FE64C49ABE82913C463529CF10FF2F04EE

        Issued to: Microsoft Time-Stamp Service
        Issued by: Microsoft Time-Stamp PCA 2010
        Expires:   Tue Mar 16 21:15:00 2021
        SHA1 hash: 313D4B1BF280123D17B222FD9FB9B1997D5A7D9B

Successfully verified: AmNdis60.sys

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0

C:\Users\VSISigning\Desktop\AM E32-1 driver and test submission 3 - no initial certificate\Signed_1152921505690983398\drivers\7de375ef-c700-4aa6-b8b5-79daca58e9b2>SignTool verify /v /pa /c AmNdis60.cat AmNdis60.sys

Verifying: AmNdis60.sys
File is signed in catalog: C:\Users\VSISigning\Desktop\AM E32-1 driver and test submission 3 - no initial certificate\Signed_1152921505690983398\drivers\7de375ef-c700-4aa6-b8b5-79daca58e9b2\amndis60.cat
Hash of file (sha1): B06E8E335E8581A4BA0FC5755F30DA4C1E5E79D1

Signing Certificate Chain:
Issued to: Microsoft Root Certificate Authority 2010
Issued by: Microsoft Root Certificate Authority 2010
Expires: Sat Jun 23 18:04:01 2035
SHA1 hash: 3B1EFD3A66EA28B16697394703A72CA340A05BD5

    Issued to: Microsoft Windows PCA 2010
    Issued by: Microsoft Root Certificate Authority 2010
    Expires:   Sun Jul 06 16:50:23 2025
    SHA1 hash: C01386A907496404F276C3C1853ABF4A5274AF88

        Issued to: Microsoft Windows Hardware Compatibility Publisher
        Issued by: Microsoft Windows PCA 2010
        Expires:   Sun Jan 31 15:16:16 2021
        SHA1 hash: F8CB95569B64E7395CA7FA910449D82870C63F3E

The signature is timestamped: Thu Aug 06 21:21:29 2020
Timestamp Verified by:
Issued to: Microsoft Root Certificate Authority 2010
Issued by: Microsoft Root Certificate Authority 2010
Expires: Sat Jun 23 18:04:01 2035
SHA1 hash: 3B1EFD3A66EA28B16697394703A72CA340A05BD5

    Issued to: Microsoft Time-Stamp PCA 2010
    Issued by: Microsoft Root Certificate Authority 2010
    Expires:   Tue Jul 01 17:46:55 2025
    SHA1 hash: 2AA752FE64C49ABE82913C463529CF10FF2F04EE

        Issued to: Microsoft Time-Stamp Service
        Issued by: Microsoft Time-Stamp PCA 2010
        Expires:   Tue Mar 16 21:15:00 2021
        SHA1 hash: 313D4B1BF280123D17B222FD9FB9B1997D5A7D9B

Successfully verified: AmNdis60.sys

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0
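Added here as an example, not part of Barry’s post and not a DigiCert or Microsoft tool: a Python script that parses `signtool verify /v` transcripts in the format shown above, reports which certificate actually signed the file, checks that certificate’s expiry against the June 30, 2021 cutoff quoted from the DigiCert e-mail, and records whether the signature carries a timestamp (the thing that keeps already-signed code loading once the cert expires or is revoked). It assumes signtool’s verbose output layout as posted in this thread; the sample input is a trimmed copy of the pre-submission catalog verification.

```python
import re
from datetime import datetime

# Cutoff quoted from the DigiCert e-mail in this thread: kernel-mode signing certs must expire before it.
KMCS_CUTOFF = datetime(2021, 6, 30)
SIGNTOOL_DATE = "%a %b %d %H:%M:%S %Y"  # signtool's "Expires:" format, e.g. "Thu Apr 15 08:00:00 2021"

# Sample input: a trimmed copy of the pre-submission `signtool verify /v /pa` transcript posted above.
SAMPLE_VERIFY = """\
Signing Certificate Chain:
    Issued to: DigiCert High Assurance EV Root CA
    Expires:   Sun Nov 09 20:00:00 2031
        Issued to: DigiCert EV Code Signing CA (SHA2)
        Expires:   Sun Apr 18 08:00:00 2027
            Issued to: VMS Software, Inc.
            Expires:   Thu Apr 15 08:00:00 2021

The signature is timestamped: Thu Aug 06 18:23:03 2020
Timestamp Verified by:
    Issued to: DigiCert Assured ID Root CA
    Expires:   Sun Nov 09 20:00:00 2031

Successfully verified: amndis60.cat
"""

def parse_chain(block):
    """Return [(issued_to, expires)] in root-to-leaf order; the last entry is the signer."""
    certs = []
    for line in block.splitlines():
        if m := re.match(r"\s*Issued to:\s*(.+)", line):
            certs.append([m.group(1).strip(), None])
        elif (m := re.match(r"\s*Expires:\s*(.+)", line)) and certs:
            certs[-1][1] = datetime.strptime(m.group(1).strip(), SIGNTOOL_DATE)
    return [tuple(c) for c in certs]

def audit_signtool_output(text, cutoff=KMCS_CUTOFF):
    """Check the signer cert's expiry against the cutoff and whether the signature is timestamped.
    A timestamp is what keeps already-signed code loading after the cert expires or is revoked."""
    chain_txt = text.split("Signing Certificate Chain:", 1)[1]
    # The signing chain ends where the timestamp section begins (or where it is reported absent).
    chain_txt = re.split(r"The signature is .*timestamped|Timestamp Verified by:", chain_txt)[0]
    signer, signer_exp = parse_chain(chain_txt)[-1]
    m = re.search(r"The signature is timestamped:\s*(.+)", text)
    return {
        "signer": signer,
        "signer_expires": signer_exp,
        "expires_before_cutoff": signer_exp is not None and signer_exp < cutoff,
        "timestamp": datetime.strptime(m.group(1).strip(), SIGNTOOL_DATE) if m else None,
        "verified": "Successfully verified:" in text,
    }
```

Run it over the saved output of `signtool verify /v /pa <file>` for each driver package; a signer that expires after the cutoff, or a signature with no timestamp, is the case the thread is worried about.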

We are broken in a different way. We do almost no HLK/HCK testing (so I can’t really speak to the situation seen by @Kierstein), but we have an extensive network of VMs and OS images that we use for automated driver testing. The root cert that our new DigiCert certificate chains back to is not present on these images. Of course, this yields the nice red “Do you want to trust this vendor anyway?” popup during driver install, which breaks unattended installations, so we now need to go update and resave all of our images. Fun.

I still don’t understand why this was necessary. The cross-certificate was already set to expire early next year. I’ve not found any documented reference to revocation requirements or the June 2021 date. I assume this was some bulletin that only CAs were privy to. :confused:

FYI - got the driver signed correctly and working with the new certificate. I used the reissued certificate from DigiCert, downloaded and used the cross-certificate for DigiCert from the Microsoft site, ran normal HLK testing to create the test package, and then submitted it to the Microsoft portal.

Kudos to the DigiCert support people that helped connect the dots.

@Kierstein said:
downloaded and used the cross-certificate for DigiCert from the Microsoft site

Was that the missing piece?