How to install certificate into system store from signed driver?

We purchased a certificate and signed our drivers.
It works on x64 Vista,
but, since we have never installed from an inf file before,
in order to install the certificate into the local store I had to right-click on the driver,
go to Digital Signatures, view the certificate and then install our certificate on the local system.

So, the question is how to install the certificate on the system from a signed driver?

Thank You,
Igor.

xxxxx@shaw.ca wrote:

> We purchased a certificate and signed our drivers.
> It works on x64 Vista,
> but, since we have never installed from an inf file before,
> in order to install the certificate into the local store I had to right-click on the driver,
> go to Digital Signatures, view the certificate and then install our certificate on the local system.
>
> So, the question is how to install the certificate on the system from a signed driver?

If you’ve signed your driver with a commercial code signing certificate,
and the MS cross-certificate, then Windows already ships with
appropriately trusted root certificates; there should be no need to
install your cert to your local system certificate store. As I
understand it, you’d need to install a cert to the local certificate
store only when signing with a test certificate that you created -Ryan

This is what I thought too. But when eventually I got signing as a part of my build process and got a complete build, and tried to install it on a virgin Vista x32 (rc2 5744), it gave me a bluescreen.
So I disabled the integrity check, then added the certificate to a local store, enabled the integrity check
and it works.

Igor.

What kind of bluescreen? Because your driver is essential and couldn't be loaded, or as part of certificate processing?

Seems a crazy question, but it resembles the famous Vista manifests which cause a BSOD on XP (I still can't believe how MS handles this disaster)

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]


From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of xxxxx@shaw.ca[SMTP:xxxxx@shaw.ca]
Reply To: Windows System Software Devs Interest List
Sent: Thursday, November 02, 2006 9:20 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] How to install certificate into system store from signed driver ?

> This is what I thought too. But when eventually I got signing as a part of my build process and got a complete build, and tried to install it on a virgin Vista x32 (rc2 5744), it gave me a bluescreen.
> So I disabled the integrity check, then added the certificate to a local store, enabled the integrity check
> and it works.
>
> Igor.


Well, I assume it was inaccessible boot device;
our driver is a class storage filter.

I cannot get 100% information because the system restarts right away, and if I am debugging it works.
So I assume that our driver hasn't been started.

Ryan Kidd wrote:

> If you’ve signed your driver with a commercial code signing certificate,
> and the MS cross-certificate, then windows already ships with
> appropriately trusted root certificates; there should be no need to
> install your cert to your local system certificate store. As I
> understand it, you’d need to install a cert to the local certificate
> store only when signing with a test certificate that you created -Ryan

Someone correct me please if you have other knowledge or experience,
as I’m definitely just getting my feet wet in this whole signing
thing.

What I took from the KMCS walkthrough was that they were having you
pre-install your self-generated test certificate as a “trusted
publisher” so that you would get the same no-prompt .INF installation
experience as if you had already selected the “Always trust software
from blah…” checkbox once before.

But you are not required to have pre-installed your self-generated
test certificate as a “trusted publisher” when performing the
test-signed install. If you have not pre-installed it, you would
simply be expecting to see the “Do you think Your Company writes
crappy drivers?” (and have the “Always trust…” option) when
performing the .INF-based portion of the installation.

Note this is different from the need to add Root Agency to your
trusted root certification authorities. This is required in order to
complete the verification chain of your self-generated test
certificate, regardless of whether you have pre-installed the test
certificate or whether you're just expecting to see the "Always
trust..." option dialog.

But all of the above is just in reference to the .INF portion of the
install.

For the purposes of Windows actually loading drivers at boot-time,
having TESTSIGNING mode enabled & having “a signature of any kind”
embedded on the boot-time driver binary itself is all that currently
seems to be required. No verification of your signature is performed
(just a “presence of” test), and neither the addition of Root Agency
nor the installation of your self-generated test certificate is
necessary to allow successful boot-time driver loading when
TESTSIGNING mode is enabled.

Take all of these statements in the context of Vista x64 5744.

Alan Adams

Hi All.
This is really strange.
The x64 signed driver works just fine with no bsod, flawlessly.
But on the x32 system it bsods 1-2 times at startup and then everything is fine.
When after installation I reboot and boot up in the debugger and then restart without the debugger, everything is fine.
It looks like x32 Vista needs 1-2 restarts to recognize that the driver has been signed.

Igor.

Alan Adams wrote:

> What I took from the KMCS walkthrough was that they were having you
> pre-install your self-generated test certificate as a “trusted
> publisher” so that you would get the same no-prompt .INF installation
> experience as if you had already selected the “Always trust software
> from blah…” checkbox once before.
>
> But you are not required to have pre-installed your self-generated
> test certificate as a “trusted publisher” when performing the
> test-signed install. If you have not pre-installed it, you would
> simply be expecting to see the “Do you think Your Company writes
> crappy drivers?” (and have the “Always trust…” option) when
> performing the .INF-based portion of the installation.

Okay, I realize now that these statements reflect what was true when
following the KMCS Walkthrough from the July 2006 time frame. In that
document the self-generated certificate was issued through "Root
Agency", a fact on which most of my statements end up hinging.

The October 2006 version of the document now recommends and uses the
example of "self-issued" self-generated certificates ("-r" on the
signtool.exe command line), which to my understanding changes things
to where you would have to pre-install your self-generated certificate
because it's your own certification root.

So be sure to file away all of these references to "Root Agency" as
pertaining to how the KMCS Walkthrough process used to work, and not
what the October 2006 or later version of it currently recommends.

My guess would be that they're wanting to get away from recommending
that you set up "Root Agency" as a trusted root certification authority
on the test machines, which could potentially trust other
self-generated certificates than the one(s) you intended.

Alan Adams
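The two setups this thread contrasts, Ryan's production case (purchased certificate plus the Microsoft cross-certificate, nothing to install on the target) and Alan's test case (a self-issued certificate that must be pre-installed because it is its own root), scripted as an added example; this is not code from the thread or from the KMCS walkthrough. It assumes the WDK-era tools makecert.exe, signtool.exe, certmgr.exe and bcdedit.exe are on the PATH and that it runs from an elevated prompt. The self-issued certificate is produced here with makecert.exe -r. The driver file name, subject names, store name, cross-certificate file name and timestamp URL are placeholders.

```powershell
# Added example, not from the thread: drives the production and test signing
# setups discussed above with the WDK-era command-line tools. Everything
# marked "placeholder" is constructed for this example and must be replaced.
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('Production', 'Test')]
    [string] $Mode,
    [string] $Driver       = '.\mydriver.sys',          # placeholder: the .sys to sign
    [string] $CrossCert    = '.\MSCV-VSClass3.cer',     # placeholder: the MS cross-cert matching your CA
    [string] $ProdSubject  = 'Your Company, Inc.',      # placeholder: CN of the purchased certificate
    [string] $TestSubject  = 'Your Company (Test)',     # placeholder: CN of the test certificate
    [string] $TestStore    = 'PrivateCertStore',        # placeholder: user store holding the test key
    [string] $TimestampUrl = 'http://timestamp.example.invalid/'  # placeholder: your CA's timestamp service
)

# Run an external tool and turn a non-zero exit code into a terminating error.
function Invoke-Tool {
    param([string] $Exe, [string[]] $ToolArgs)
    & $Exe @ToolArgs
    if ($LASTEXITCODE -ne 0) { throw "$Exe exited with code $LASTEXITCODE" }
}

# Production: the purchased certificate already chains to a root Windows ships
# with, and /ac adds the Microsoft cross-certificate so the chain also reaches
# the Microsoft Code Verification Root that the kernel-mode policy checks.
# Nothing is added to any certificate store on the target machine.
function Invoke-ProductionSign {
    Invoke-Tool 'signtool.exe' @('sign', '/v', '/ac', $CrossCert, '/s', 'My', '/n', $ProdSubject,
                                 '/t', $TimestampUrl, $Driver)
}

# Test: a self-issued certificate (makecert -r) is its own root, so it goes
# into the machine Root store. TrustedPublisher is optional; it only suppresses
# the "Always trust software from ..." prompt during the INF-based install.
# TESTSIGNING must be on for the kernel to accept a non-production signature.
function Invoke-TestSign {
    $cer = '.\TestCert.cer'    # placeholder output file for the public certificate
    Invoke-Tool 'makecert.exe' @('-r', '-pe', '-ss', $TestStore, '-n', "CN=$TestSubject", $cer)
    Invoke-Tool 'certmgr.exe'  @('-add', $cer, '-s', '-r', 'localMachine', 'root')
    Invoke-Tool 'certmgr.exe'  @('-add', $cer, '-s', '-r', 'localMachine', 'trustedpublisher')
    Invoke-Tool 'signtool.exe' @('sign', '/v', '/s', $TestStore, '/n', $TestSubject, $Driver)
    Invoke-Tool 'bcdedit.exe'  @('/set', 'testsigning', 'on')   # takes effect after a reboot
}

# Verify the signed binary before rebooting. /kp applies the kernel-mode driver
# signing policy (the cross-cert chain a production driver needs); /pa applies
# the default Authenticode policy, which the installed self-issued root
# satisfies. A chain that fails here is the kind the thread reports only
# surfacing later as a boot-time failure, not as an install-time error.
function Test-DriverSignature {
    param([ValidateSet('/kp', '/pa')] [string] $Policy)
    & signtool.exe verify $Policy /v $Driver
    return ($LASTEXITCODE -eq 0)
}

switch ($Mode) {
    'Production' { Invoke-ProductionSign }
    'Test'       { Invoke-TestSign }
}
$policy = if ($Mode -eq 'Production') { '/kp' } else { '/pa' }
if (-not (Test-DriverSignature -Policy $policy)) {
    throw "signtool verify $policy failed for $Driver; do not reboot with this driver installed"
}
```

Run it as `.\sign-driver.ps1 -Mode Production` on the build machine, or `.\sign-driver.ps1 -Mode Test` on a test machine; certmgr.exe and bcdedit.exe need an elevated prompt. The split between the two verify policies is the practical expression of Ryan's point: a production driver is checked against the kernel-mode policy with nothing added to the local stores, while the test driver is only trusted because the script put its self-issued root into the machine Root store and turned TESTSIGNING on.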