I did not want to hijack the other thread on creating certificates since I have few other questions about these.
The makecert that comes with WDK, is that the same that comes with .net? Is there really just single version of makecert that can be used across the board to create certificates for IIS or drivers or whatever?
Is it possible to use test certificate for commercial use? Yes, I know it sounds stupid (and a bit dangerous) but I don’t have the money to buy a certificate (especially that they expire). What if I created CA signing certificate (with my personal info) and ask user to trust it on target machine. Then I use that certficate to create certficate for my driver and since it signed by my CA trusted certificate all should work fine.
What are really my options with obtaining a certificate without paying any money. I want to release my driver to end users and obviously on win7 x64 I need a certificate.
Thanks,
lk
Looks like option 2 is not possible commercially since I am forced to use cross-certificate, correct?
On Wed, Jul 20, 2011 at 10:08 PM, wrote:
> 3.
> What are really my options with obtaining a certificate without
> paying any money. I want to release my driver to end users
> and obviously on win7 x64 I need a certificate.
Yes it is possible, I see two options.
1) Get donation of US$99 and pay for the certificates, you
do not need to pay, but your users may want to pay if your
driver is of some values to the users.
2) If you are developing an open source driver and fulfill
ReactOS project’s requirement, you can get it done by them.
http://reactos.org/wiki/Driver_Signing
Reference here:
http://social.msdn.microsoft.com/Forums/en-US/wdk/thread/c0ebaeaa-6550-41b5-ae4a-e5cf1c424ba4/
–
Xiaofan
>1) Get donation of US$99 and pay for the certificates, you
do not need to pay, but your users may want to pay if your
driver is of some values to the users.
I don’t mind spending $100 one time, but per year for renewal would be a pain. Do you know if there’s renewal fee on those certficates?
- If you are developing an open source driver and fulfill
ReactOS project’s requirement, you can get it done by them.
http://reactos.org/wiki/Driver_Signing
It is commercial, closed source 
I came across this when looking for free or low cost certificates for Win drivers:
In the September 2009 update to the Windows Root Certificate Program, Microsoft has added to the list of trusted root certificate authorities StartCom Ltd, …
http://www.sevenforums.com/system-security/28296-msft-adds-free-root-certificate-authority-windows.html
Is that true? Will this work for Win7 x64 drivers?
xxxxx@hotmail.com wrote:
> 1) Get donation of US$99 and pay for the certificates, you do not need to pay, but your users may want to pay if yourdriver is of some values to the users.
I don’t mind spending $100 one time, but per year for renewal would be a pain. Do you know if there’s renewal fee on those certficates?
Yes, they all expire. However, remember that the certificate only needs
to be valid at the time you do the signing. Once signed (and
timestamped), the signature is valid forever. You only need to renew if
you expect to build and distribute updated binaries.
I came across this when looking for free or low cost certificates for Win drivers:
In the September 2009 update to the Windows Root Certificate Program, Microsoft has added to the list of trusted root certificate authorities StartCom Ltd, …
http://www.sevenforums.com/system-security/28296-msft-adds-free-root-certificate-authority-windows.html
Is that true? Will this work for Win7 x64 drivers?
No. The root certificates are used to validate user apps and HTTPS web
pages, but KMCS doesn’t go through the root certificates. Instead, it
requires a certificate authority with a cross-certificate, so the chain
literally ends with the Microsoft Code-Signing Authority. As of now,
there are cross-certificates for exactly two valid CAs: Verisign and
GlobalSign.
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
Thanks, that helps so much!