Loading drivers in windows 10 with the help of certificate store without enabling testsigning mode?

Good morning/evening everyone.

We are a small company that has developed a Windows driver for our internal use only. Considering that this is for internal use only, we don’t want to go through the trouble of getting an EV certificate just so we can load it locally in our local network. We also don’t want to enable test signing or disable driver signature enforcement just so we can load our driver.

Now this might be a rookie question, but is there any way that we can load this driver in our local network without test signing, or getting an EV cert, or disabling driver signature enforcement? For example, can we use the certificate store and add something to it, or use group policies in order to successfully force the computers in our network to trust and load our driver? Note that, as I stated, we don’t want to enable test signing mode, or disable driver signature enforcement or Secure Boot, because that introduces security problems. We just want our driver to get loaded without any issues; is there any solution? Again, sorry if this is a rookie question; we are new to driver development.

With regards,
Henrik Almeida.

is there any way that we can load this driver in our local network without test signing, or getting an EV cert, or disabling driver signature enforcement?

Simple answer here: No.

ETA: Assuming we’re talking Windows 10, just get the EV Cert and attestation sign the driver. It’ll take you 20 minutes, max.

Peter

@“Peter_Viscarola_(OSR)” said:

is there any way that we can load this driver in our local network without test signing, or getting an EV cert, or disabling driver signature enforcement?

Simple answer here: No.

ETA: Assuming we’re talking Windows 10, just get the EV Cert and attestation sign the driver. It’ll take you 20 minutes, max.

Peter

I had no idea getting an EV certificate is as easy as 20 minutes! I thought there’s this whole process of proving to an EV certificate provider that we are a trustworthy company that takes weeks?

What’s the best way to get an EV certificate to sign drivers, for a very small company (10-15 people) that is in Europe and not the US? We don’t even have our website up yet. I tried googling, but there were many complicated articles from different providers about this. Can you simplify the process please? For example, there seem to be many companies that offer EV certificates; which one provides the fastest way to get the certificate, and what are the requirements to get it?

No, no, no… Getting the EV Cert doesn’t take 20 minutes! But it’s not much more difficult than that, at least in the US. You fill a form, they Google your company name and address, you get a phone call to verify that you’re human, you download your certificate onto an eToken, and you’re done.

The 20 minutes that I quoted was the process involved in getting your driver Attestation Signed by Microsoft. Which requires you to have an EV Cert.
You create a package, you sign it, you upload it… 20 minutes or less later you download it. You’re done.

In terms of getting an EV Cert, you’re going to have a more difficult time if you don’t have any Internet presence.

I don’t work for a Certification Authority, so there’s little guidance I can give you. But given your situation, I *would* recommend you choosing a European CA – they might be in a better position to “understand” what “proofs” you need to produce (as opposed to some entity that’s used to dealing with US companies, who don’t know the first thing about how business is done in the EU).

Sorry if my reply misled you. But the whole EV Cert process really isn’t usually a big deal. At all. And getting your driver attestation signed is even a smaller deal.

Peter

ETA (again, sorry): Certum is based in the EU and is part of the MSFT Trusted Root Certificate Program. They might be one company that you can start talking with. I have no connection to, or personal experience with, this company. Just recognize the name.
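The “create a package, sign it, upload it” step Peter describes, written out as an added PowerShell example (not code from the thread or from OSR). It assumes signtool.exe and makecab.exe from the Windows SDK/WDK are on PATH, that the EV certificate sits on its hardware token and is selected by a subject name you supply, that the driver files live in an assumed build directory, and that the timestamp server URL is a placeholder to replace with your CA’s RFC 3161 endpoint. The upload to Partner Center is a manual step and is not scripted here.

```powershell
# Added example: package a driver as a .cab and sign the cab with an EV certificate,
# which is what Microsoft's attestation-signing submission expects.
# All paths, names and the timestamp URL below are assumptions, not values from the thread.

$DriverDir   = 'C:\build\MyDriver'                   # assumed: holds MyDriver.sys, MyDriver.inf (and .cat if present)
$CabName     = 'MyDriver.cab'
$CertSubject = 'Example Company Ltd'                 # assumed EV certificate subject (CN), as shown in certmgr
$Timestamp   = 'http://TIMESTAMP-SERVER-OF-YOUR-CA'  # placeholder: your CA's RFC 3161 timestamp URL

function New-DriverCab {
    # Build one .cab containing the package directory, driven by a makecab
    # directive (.ddf) file generated on the fly.
    param([string]$SourceDir, [string]$Name)

    $ddf = @"
.OPTION EXPLICIT
.Set CabinetFileCountThreshold=0
.Set FolderFileCountThreshold=0
.Set FolderSizeThreshold=0
.Set MaxCabinetSize=0
.Set MaxDiskFileCount=0
.Set MaxDiskSize=0
.Set CompressionType=MSZIP
.Set Cabinet=on
.Set Compress=on
.Set CabinetNameTemplate=$Name
.Set DiskDirectoryTemplate=disk1
.Set DestinationDir=MyDriver
"@
    # One quoted source path per line; makecab places each under DestinationDir.
    Get-ChildItem -Path $SourceDir -File | ForEach-Object { $ddf += "`n`"$($_.FullName)`"" }

    $ddfPath = Join-Path $env:TEMP 'MyDriver.ddf'
    Set-Content -Path $ddfPath -Value $ddf -Encoding ASCII
    & makecab /f $ddfPath
    if ($LASTEXITCODE -ne 0) { throw 'makecab failed' }
    return (Join-Path 'disk1' $Name)
}

function Invoke-EvSign {
    # SHA-256 file digest, RFC 3161 timestamp (so the signature outlives the cert),
    # certificate chosen by subject name from the token-backed store.
    param([string]$Path)
    & signtool sign /v /fd sha256 /tr $Timestamp /td sha256 /n $CertSubject $Path
    if ($LASTEXITCODE -ne 0) { throw "signtool failed on $Path" }
}

$cab = New-DriverCab -SourceDir $DriverDir -Name $CabName
Invoke-EvSign -Path $cab
Write-Output "Signed package ready for Partner Center upload: $cab"

# After Microsoft returns the attestation-signed package, check before deploying that
# the .sys validates under the kernel-mode code-signing policy (/kp), not just the
# default Authenticode policy:
#   signtool verify /v /kp C:\build\MyDriver\signed\MyDriver.sys   (assumed output path)
```

The `/kp` verify at the end is the check that matters on the receiving machines: a file can pass a plain `signtool verify` and still be refused by the kernel, because kernel-mode loading requires the Microsoft-issued signature that attestation adds.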

If these are all machines under your control, you can turn “Secure Boot” off in the BIOS. That will allow you to self-sign with the old “cross certificate” method.

At least for now.

you can turn “Secure Boot” off in the BIOS. That will allow you to self-sign with the old “cross certificate” method.

Yes, Tim’s absolutely right. Good point.

Because the machines are all “yours” you could conceivably turn off secure boot and that should then allow you to install a cross-signed driver. At least, this did actually work originally when the Win10 driver signing program debuted and when I last checked (which was at least a couple of years back).

Point taken.

Peter

There is also another way for avoiding Microsoft signature: if you set the registry key to make Windows 10 think that it has been installed as an upgrade from a pre-10 version, you will be able to load cross-signed drivers even without turning Secure Boot off. (Although I have not checked it in the latest Windows versions; last time I tried, it was on 1909, and it worked fine then.)

In this scenario you won’t even need an EV certificate, the normal one would do, and it’s cheaper and more easily obtained (AFAIK). However, this path is a perilous one, due to Microsoft deprecating the whole cross-signing scheme. After the cross-certificate expires, the corresponding code-signing certificate will become useless for kernel-mode software (and it’s even possible that MS may force the deprecation before that term). But if you purchase EV, you will be able to reuse it for obtaining Microsoft signature, when cross-signing stops working.

@CaptainFlint said:
There is also another way for avoiding Microsoft signature: if you set the registry key to make Windows 10 think that it has been installed as an upgrade from a pre-10 version, you will be able to load cross-signed drivers even without turning Secure Boot off. (Although I have not checked it in the latest Windows versions; last time I tried, it was on 1909, and it worked fine then.)

In this scenario you won’t even need an EV certificate, the normal one would do, and it’s cheaper and more easily obtained (AFAIK). However, this path is a perilous one, due to Microsoft deprecating the whole cross-signing scheme. After the cross-certificate expires, the corresponding code-signing certificate will become useless for kernel-mode software (and it’s even possible that MS may force the deprecation before that term). But if you purchase EV, you will be able to reuse it for obtaining Microsoft signature, when cross-signing stops working.

Very interesting, What is the registry key?

@Richard_M said:

Very interesting, What is the registry key?

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CI\Policy]
"UpgradedSystem"=dword:00000001
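Whatever one thinks of the workaround, the value above is exactly the kind of setting an administrator wants to be able to find on a fleet, alongside Secure Boot being off or test signing being on. The following read-only audit is an added example (not code from the thread or from any poster); it assumes an elevated PowerShell prompt on a Windows 10 host and changes nothing.

```powershell
# Added example: report settings on this machine that weaken kernel-mode
# code-signing enforcement. Read-only; intended for fleet auditing, not for
# changing policy. The UpgradedSystem value is the one quoted in the thread.

function Get-DriverSigningWeakening {
    $findings = @()

    # 1. Code-integrity policy value quoted in the thread. When present and 1,
    #    Windows 10 behaves as an upgraded system and accepts cross-signed drivers.
    $ciPolicy = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy'
    $upgraded = (Get-ItemProperty -Path $ciPolicy -Name 'UpgradedSystem' -ErrorAction SilentlyContinue).UpgradedSystem
    if ($upgraded -eq 1) {
        $findings += 'CI\Policy\UpgradedSystem = 1: cross-signed kernel drivers are accepted.'
    }

    # 2. Secure Boot. Confirm-SecureBootUEFI throws on legacy-BIOS or unsupported firmware,
    #    which is itself worth reporting because the cross-certificate path stays usable there.
    try {
        if (-not (Confirm-SecureBootUEFI)) {
            $findings += 'Secure Boot is disabled.'
        }
    } catch {
        $findings += 'Secure Boot state unavailable (not UEFI or not supported): ' + $_.Exception.Message
    }

    # 3. Boot entry flags. bcdedit prints one "name   value" line per setting;
    #    braces are quoted so PowerShell does not treat {current} as a script block.
    $bcd = & bcdedit /enum '{current}' 2>$null
    if ($bcd -match '^\s*testsigning\s+Yes') {
        $findings += 'testsigning is ON in the current boot entry.'
    }
    if ($bcd -match '^\s*nointegritychecks\s+Yes') {
        $findings += 'nointegritychecks is ON in the current boot entry.'
    }

    return $findings
}

$result = Get-DriverSigningWeakening
if ($result.Count -eq 0) {
    Write-Output 'OK: no weakening of driver-signing enforcement detected on this host.'
} else {
    Write-Output "WARNING: $($result.Count) finding(s) on $env:COMPUTERNAME:"
    $result | ForEach-Object { Write-Output "  - $_" }
}
```

Run it through whatever remote-execution channel the fleet already uses (for example `Invoke-Command` against a list of hosts) and diff the findings against the expected baseline; a host that reports `UpgradedSystem = 1` without an upgrade history is the anomaly to follow up on.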

Hmmm… I’d be curious to know if this allowed PnP drivers to load, or PnP drivers to be installed, or both.

I know for sure that it will allow the driver to load — not sure of the install.

FWIW, if it works, I think relying on this — when you can just get an EV Cert and Attestation Sign your drivers — is a very poor choice.

Peter

@“Peter_Viscarola_(OSR)” said:
No, no, no… Getting the EV Cert doesn’t take 20 minutes! But it’s not much more difficult than that, at least in the US. You fill a form, they Google your company name and address, you get a phone call to verify that you’re human, you download your certificate onto an eToken, and you’re done.

The 20 minutes that I quoted was the process involved in getting your driver Attestation Signed by Microsoft. Which requires you to have an EV Cert.
You create a package, you sign it, you upload it… 20 minutes or less later you download it. You’re done.

In terms of getting an EV Cert, you’re going to have a more difficult time if you don’t have any Internet presence.

I don’t work for a Certification Authority, so there’s little guidance I can give you. But given your situation, I *would * recommend you choosing a European CA – they might be in a better position to “understand” what “proofs” you need to produce (as opposed to some entity that’s used to dealing with US companies, who don’t know the first thing about how business is done in the EU).

Sorry if my reply mislead you. But the whole EV Cert process really isn’t usually a big deal. At all. And getting your driver attestation signed is even a smaller deal.

Peter

ETA (again, sorry): Certum is based in the EU and is part of the MSFT Trusted Root Certificate Program. They might be one company that you can start talking with. I have no connection to, or personal experience with, this company. Just recognize the name.

Thank you for the suggestion, I will contact them soon. Although, considering that we are a very small company with no internet presence, I am not that hopeful, but let’s see what happens. I wish there was a simpler option for smaller companies like us than an EV cert.

@Tim_Roberts said:
If these are all machines under your control, you can turn “Secure Boot” off in the BIOS. That will allow you to self-sign with the old “cross certificate” method.

At least for now.

The problem is that turning Secure Boot off will introduce security problems, and we can’t do that. So I suppose getting an EV certificate is the only option for us? How hard is it to get an EV certificate if you are a very small company with no website or internet presence? Isn’t there a better option for small companies like us?

Isn’t there a better option for small companies like us?

and

I wish there was a simpler option for smaller companies like us than an EV cert.

@henrik_meida C’mon… Send some emails, make some phone calls. It’ll take you less time to talk to a couple of EU-based CAs than it takes you to repeatedly complain here about how hard you think it might be for you to get an EV Cert.

Folks have been complaining about this here in the Community for years. What it comes down to is people need to stop complaining and spend some time doing their homework. There are lots of things involved with running a business that are like this – That’s life in the 21st Century, right?

The guidelines that any CA has to follow to be able to issue an EV Cert are here. You’ll note that there’s nothing here about the size of the business, or the business having an Internet presence. OSR is a business as small as yours… we never had even the tiniest bit of trouble with the EV Cert process.

The “trick” is how any given CA operationalizes these guidelines. IOW, what does the CA require from you to demonstrate to them that “the Subject… legally exists as a valid organization or entity”. THAT’s why you need to talk to somebody knowledgeable at the CA.

Certum’s policies (just to randomly choose one that I know is in the EU, again… I know nothing about this particular CA) are here. You’ll see that they require your company name, address, the name of the incorporating or registering entity, your registration number. They need to also verify that whoever is signing the EV contract is authorized to do so.

Seriously… those are tasks that any business should be able to undertake without undue burden. Get your General Manager or his/her admin to do some work, and you should be fine. Once it’s done, it’s done, and you don’t have to worry about it again.

Peter


@“Peter_Viscarola_(OSR)” said:

Isn’t there a better option for small companies like us?

and

I wish there was a simpler option for smaller companies like us than an EV cert.

@henrik_meida C’mon… Send some emails, make some phone calls. It’ll take you less time to talk to a couple of EU-based CAs than it takes you to repeatedly complain here about how hard you think it might be for you to get an EV Cert.

Folks have been complaining about this here in the Community for years. What it comes down to is people need to stop complaining and spend some time doing their homework. There are lots of things involved with running a business that are like this – That’s life in the 21st Century, right?

The guidelines that any CA has to follow to be able to issue an EV Cert are here. You’ll note that there’s nothing here about the size of the business, or the business having an Internet presence. OSR is a business as small as yours… we never had even the tiniest bit of trouble with the EV Cert process.

The “trick” is how any given CA operationalizes these guidelines. IOW, what does the CA require from you to demonstrate to them that “the Subject… legally exists as a valid organization or entity”. THAT’s why you need to talk to somebody knowledgeable at the CA.

Certum’s policies (just to randomly choose one that I know is in the EU, again… I know nothing about this particular CA) are here. You’ll see that they require your company name, address, the name of the incorporating or registering entity, your registration number. They need to also verify that whoever is signing the EV contract is authorized to do so.

Seriously… those are tasks that any business should be able to undertake without undue burden. Get your General Manager or his/her admin to do some work, and you should be fine. Once it’s done, it’s done, and you don’t have to worry about it again.

Peter

Thank you, Peter, for guiding me through this. After reading the document you shared, it eased my mind a bit, as I didn’t see any big requirement for getting an EV in it. I always thought only certain big companies can get an EV, but it seems like our chance of getting one is pretty high actually.

I already contacted several CAs for getting an EV and things are looking good, thank you again.

Henrik.