DPInst Error code 0x800B0110: The certificate is not valid for the requested usage

Hi,

I am using an NSIS script to launch DPInst.exe and install my USB driver.
The script is designed to work for Windows XP, Vista and 7 32-bit versions (using the UAC plug-in to get around UAC install issues). I enable the quietInstall mode for DPInst.

I have created a cat file from my inf using inf2cat (with an Authenticode certificate from Verisign), and signed the cat and sys files using signtool, as per the KMCS walkthrough.

These tools seem to run OK; this is my command prompt output (I have edited some text to protect my company’s identity, as required; please excuse this):

C:\MyDriverPkg>inf2cat /driver:C:\MyDriverPkg /os:XP_X86,Vista_X86,7_X86

Signability test complete.

Errors:
None

Warnings:
None

Catalog generation complete.
C:\MyDriverPkg\mydriver.cat

C:\MyDriverPkg>signtool sign /v /s my /t http://timestamp.verisign.com/scripts/timstamp.dll mydriver.cat
The following certificate was selected:
Issued to: My Company
Issued by: VeriSign Class 3 Code Signing 2009-2 CA
Expires: Sat Sep 17 08:59:59 2011
SHA1 hash: D12F979F349C4ABD73E63B014C689EFF7D43883F

Done Adding Additional Store
Successfully signed and timestamped: mydriver.cat

Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0

C:\MyDriverPkg>signtool sign /v /s my /t http://timestamp.verisign.com/scripts/timstamp.dll mydriver.sys

The following certificate was selected:
Issued to: My Company
Issued by: VeriSign Class 3 Code Signing 2009-2 CA
Expires: Sat Sep 17 08:59:59 2011
SHA1 hash: D12F979F349C4ABD73E63B014C689EFF7D43883F

Done Adding Additional Store
Successfully signed and timestamped: mydriver.sys

Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0

C:\MyDriverPkg>

C:\MyDriverPkg>signtool verify /pa /v /c mydriver.cat mydriver.sys

Verifying: mydriver.sys
File is signed in catalog: mydriver.cat
Hash of file (sha1): 357539C8F21369BAF2B28A8B3A637684A87C1729

Signing Certificate Chain:
Issued to: Class 3 Public Primary Certification Authority
Issued by: Class 3 Public Primary Certification Authority
Expires: Wed Aug 02 08:59:59 2028
SHA1 hash: 742C3192E607E424EB4549542BE1BBC53E6174E2

Issued to: VeriSign Class 3 Code Signing 2009-2 CA
Issued by: Class 3 Public Primary Certification Authority
Expires: Tue May 21 08:59:59 2019
SHA1 hash: 12D4872BC3EF019E7E0B6F132480AE29DB5B1CA3

Issued to: My Company
Issued by: VeriSign Class 3 Code Signing 2009-2 CA
Expires: Sat Sep 17 08:59:59 2011
SHA1 hash: D12F979F349C4ABD73E63B014C689EFF7D43883F

The signature is timestamped: Wed Apr 13 16:18:10 2011
Timestamp Verified by:
Issued to: Thawte Timestamping CA
Issued by: Thawte Timestamping CA
Expires: Fri Jan 01 08:59:59 2021
SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656

Issued to: VeriSign Time Stamping Services CA
Issued by: Thawte Timestamping CA
Expires: Wed Dec 04 08:59:59 2013
SHA1 hash: F46AC0C6EFBB8C6A14F55F09E2D37DF4C0DE012D

Issued to: VeriSign Time Stamping Services Signer - G2
Issued by: VeriSign Time Stamping Services CA
Expires: Fri Jun 15 08:59:59 2012
SHA1 hash: ADA8AAA643FF7DC38DD40FA4C97AD559FF4846DE

Successfully verified: mydriver.sys

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0

When I use my script to install these files on Vista Home Basic 32-bit, the pre-install works without a problem. However on XP Professional 32-bit, DPInst fails with the message:

“Invalid signature. Possibly rejected by user. (Error code 0x800B0110: The certificate is not valid for the requested usage.)”

Here is the full output from DPInst.log:

INFO: 04/13/2011 17:37:33
INFO: Product Version 2.1.0.0.
INFO: Version: 5.1.2600 Service Pack 3
INFO: Platform ID: 2 (NT)
INFO: Service Pack: 3.0
INFO: Suite: 0x0100, Product Type: 1
INFO: Architecture: X86.
INFO: Interactive Windows Station
INFO: Command Line: ‘“C:\Program Files\MyCompany\dpinst.exe” /q /lm’
INFO: DPInst is not multi-lingual.
INFO:

INFO: Current working directory: ‘C:\Program Files\MyCompany’
INFO: Running on path ‘C:\Program Files\MyCompany’
INFO: User UI Language is 0x409.
INFO: Install option set: Running in quiet mode. Suppressing Wizard and OS popups.
INFO: Install option set: legacy mode on.
INFO: Found driver package: ‘C:\Program Files\MyCompany\mydriver.inf’.
INFO: Preinstalling ‘c:\program files\MyCompany\mydriver.inf’ …
INFO: ENTER: DriverPackagePreinstallW
INFO: Copied ‘mydriver.inf’ to driver store…
INFO: Copied ‘mydriver.cat’ to driver store…
INFO: Commiting queue…
INFO: Copied file: ‘c:\program files\MyCompany\mydriver.sys’ -> ‘C:\WINDOWS\system32\DRVSTORE\mydriv_D531FA477FCDA397330F99BEE84528C407D1B84D\mydriver.sys’.
ERROR: Invalid signature. Possibly rejected by user. (Error code 0x800B0110: The certificate is not valid for the requested usage.)
INFO: Removed driver package from store.
INFO: RETURN: DriverPackagePreinstallW (0x800B0110)
INFO: Returning with code 0x80010000
INFO: 04/13/2011 17:37:34
INFO: ****************************************

I have read that it is not necessary to have signed drivers for XP, so I tried enabling the legacy mode switch in DPInst (as above), but it failed with the same error. Besides, I thought that even if the drivers are signed, they should install anyway without needing legacy mode, correct?

In the “Driver Signing” options of the Hardware tab in System Properties, the action to take is set to “Warn”, although this warning pop-up never appears.

I have checked the similar issue in this post: http://www.osronline.com/showthread.cfm?link=155831 but it doesn’t offer any solution.

Does anybody have any ideas on how I might fix this issue? Many thanks for your help.

Best regards,

Daire

What happens if you remove the ‘silent’ option. Does DPInst/DifX/SetupAPI
toss up a prompt to allow the user to approve the unsigned driver?

IIRC the only kind of signature that will be acceptable to XP is a WHQL
signature or a signature from a ‘self-signed’ certificate (root certificate)
that is both in the Trusted Root and Trusted Publisher stores. For whatever
reason, a subordinate certificate does not work on XP for driver catalogs.

So if you really don’t care about XP, you could create a completely unsigned
package for it (no .cat at all) or you might try creating a package signed
by a self-signed certificate that you pre-install into the correct stores
before introducing the driver package.

Good Luck,
Dave Cattley

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@gmail.com
Sent: Wednesday, April 13, 2011 11:51 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] DPInst Error code 0x800B0110: The certificate is not valid
for the requested usage
NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

xxxxx@gmail.com wrote:

> I am using an NSIS script to launch DPInst.exe and install my USB driver.

I use exactly the same suite.

> The script is designed to work for Windows XP, Vista and 7 32-bit versions (using the UAC plug-in to get around UAC install issues). I enable the quietInstall mode for DPInst.

You can do 64-bit in the same files, and you will have to do so if you
plan to go WHQL at some point.

> I have created a cat file from my inf using inf2cat (with an Authenticode certificate from Verisign), and signed the cat and sys files using signtool, as per the KMCS walkthrough.

KMCS only applies to the 64-bit systems. Further, KMCS requires the use
of a “cross-certificate”.

> These tools seem to run OK; this is my command prompt output (I have edited some text to protect my company’s identity, as required; please excuse this):

Why does your company’s identity need to be protected? I don’t
understand this trend when asking questions. I’ve always been proud to
be associated with my employers.


> …
>

It doesn’t hurt anything, but it doesn’t serve any particular purpose.
If you are planning to use this for KMCS, then you will need to specify
the Verisign cross-certificate as well.

>

Are you doing things in this order? When you create the cat file, it
includes a checksum of every file in the driver package. If any of the
files change after that point, the cat file is disabled. Now, I’m told
that the signature part of the sys file is not included in the checksum,
but out of superstition, I always sign the sys file and THEN sign the
cat file.

However, it’s not actually necessary to sign the sys file if the cat
file is properly signed and the installation always uses the cat file.
For my testing, I often just copy the sys file directly into place, and
in that case, the sys file needs to be signed. (For 64-bit systems.)

> C:\MyDriverPkg>signtool verify /pa /v /c mydriver.cat mydriver.sys

You should use /kp instead of /pa. When you do that, you should find
that the certificate chain is rooted at the “Microsoft Code Verification
Root”. That says you are KMCS-compliant.

> -> When I use my script to install these files on Vista Home Basic 32-bit, the pre-install works without a problem. However on XP Professional 32-bit, DPInst fails with the message:
>
> “Invalid signature. Possibly rejected by user. (Error code 0x800B0110: The certificate is not valid for the requested usage.)”
>
> Here is the full output from DPInst.log:

You will find more information in \windows\setupapi.log on XP. You will
definitely need the /lm or options for DPInst with this.

> I have read that is not necessary to have signed drivers for XP,

Signed drivers are not necessary for any 32-bit system.

> …so I tried enabling the legacy mode switch in DPInst (as above), but it failed with the same error. Besides, I thought that even if the drivers are signed, they should install anyway without needing legacy mode, correct?

I’m not sure about that. It may be that, if the signature is present,
it is authenticated. I’m just guessing, however.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
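
As an added example (not code from the thread or from any of the posters), the following PowerShell script gathers the facts the two replies above turn on: the catalog signer's expiry and enhanced key usage (0x800B0110 is CERT_E_WRONG_USAGE), the chain Windows builds for it under its default policy, and whether the signer itself is present in the Trusted Root and Trusted Publisher machine stores. The catalog path is an assumption; the chain shown is the local machine's default chain, not the cross-certified chain signtool verify /kp reports.

```powershell
# Added example, not code from the thread. Assumes the catalog sits beside the script
# and that it is run from an elevated prompt so both LocalMachine stores are readable.
param([string]$CatalogPath = ".\mydriver.cat")

# Windows' own verdict on the catalog signature
$sig = Get-AuthenticodeSignature -FilePath $CatalogPath
"Status  : $($sig.Status) - $($sig.StatusMessage)"
if ($null -eq $sig.SignerCertificate) { "No signer certificate found."; return }

$leaf = $sig.SignerCertificate
"Signer  : $($leaf.Subject)"
"Expires : $($leaf.NotAfter)"
if ($sig.TimeStamperCertificate) { "Timestamped by: $($sig.TimeStamperCertificate.Subject)" }

# 0x800B0110 (CERT_E_WRONG_USAGE) concerns enhanced key usage, so show what the leaf asserts
$eku = $leaf.EnhancedKeyUsageList | ForEach-Object { "$($_.FriendlyName) ($($_.ObjectId))" }
"EKU     : $(if ($eku) { $eku -join ', ' } else { '<none>' })"

# Chain as the local machine's default policy builds it; the root it ends at is what
# this machine trusts, whereas signtool /kp shows the cross-certified KMCS chain instead
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline diagnostic; revocation is not the question here
$built = $chain.Build($leaf)
"Chain builds cleanly: $built"
foreach ($el in $chain.ChainElements) {
    "  $($el.Certificate.Subject)"
    foreach ($st in $el.ChainElementStatus) { "    ! $($st.Status): $($st.StatusInformation)" }
}

# Per Dave Cattley's reply, XP accepts a non-WHQL catalog signer only when that
# certificate itself sits in both the Trusted Root and Trusted Publisher machine stores
foreach ($store in 'Root', 'TrustedPublisher') {
    $present = Get-ChildItem "Cert:\LocalMachine\$store" |
        Where-Object { $_.Thumbprint -eq $leaf.Thumbprint }
    "{0,-16} store: {1}" -f $store, $(if ($present) { 'contains signer' } else { 'signer absent' })
}
```

A subordinate-CA signer such as the one in the thread will show up as absent from both stores, which is the condition the reply describes as failing on XP.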

OK, for XP I will use an unsigned version. Thanks for the other tips Tim, I will use those for the signed version on Vista / 7.

In all my testing so far using DPInst, with various combinations of silent / non-silent / signed / legacy switches, I have never seen the pop-up on XP that usually comes for an unsigned driver. This ought to happen using DPInst, correct? As I mentioned before, my system is set to “Warn” for unsigned drivers.

Thanks,

Daire

On Fri, Apr 15, 2011 at 1:56 AM, Tim Roberts wrote:
