Unable to KMCS

Hi,

I am trying to cross-sign first my .CAT file based upon the KMCS walkthrough.
Have imported the .PFX into my personal store (“my”) which I have received
from Verisign. However when doing cross-sign I get this:

C:\WinDDK\7600.16385.1\bin\x86\signtool sign /v /ac MSCV-VSClass3.cer /s my /n COMPANY /t http://timestamp.verisign.com/scripts/timestamp.dll bin/amd64/driver_amd64.cat

The following certificate was selected:
Issued to: COMPANY
Issued by: VeriSign Class 3 Code Signing 2010 CA
Expires: Fri Jan 11 00:59:59 2013
SHA1 hash: 7D3FF4CF0C3ACB45C44A672E653928A542A6BD7E

Cross certificate chain (using user store):
Issued to: VeriSign Class 3 Public Primary Certification Authority - G5
Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
Expires: Thu Jul 17 00:59:59 2036
SHA1 hash: 4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5

Issued to: VeriSign Class 3 Code Signing 2010 CA
Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
Expires: Sat Feb 08 00:59:59 2020
SHA1 hash: 495847A93187CFB8C71F840CB7B41497AD95C64F

Issued to: COMPANY
Issued by: VeriSign Class 3 Code Signing 2010 CA
Expires: Fri Jan 11 00:59:59 2013
SHA1 hash: 7D3FF4CF0C3ACB45C44A672E653928A542A6BD7E

Obviously it means that the verisign code signing certificate is NOT in the certificate
chain that should be started from the Microsoft root. How can that be?
What am I doing wrong?

Eh just that the error message is missing. Sorry :(

Signtool Error: The provided cross certificate would not be present in the certificate chain.

Hey, did you download the Microsoft certificate from the Microsoft store?
Verisign must have given you the link; if not, please google it.

/sarbojit

On Wed, Jan 12, 2011 at 2:01 PM, wrote:

> Eh just that the error message is missing. Sorry :(
>
> Signtool Error: The provided cross certificate would not be present in the
> certificate chain.
>
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

Hi issue is solved, had to do some mumble-jumble in the certificate store (with the help from VeriSign).

“mumble jumble” … yeah it’s always the MJ that bites you in the butt. Of course your MJ most likely is different than my MJ, so just exactly what MJ flummoxed your frammis?

Gary G. Little

----- Original Message -----
From: “tibor harsszegi”
To: “Windows System Software Devs Interest List”
Sent: Wednesday, January 12, 2011 3:26:30 AM
Subject: RE:[ntdev] Unable to KMCS

Hi issue is solved, had to do some mumble-jumble in the certificate store (with the help from VeriSign).


Hi, I have the exact same problem…

How did you solve it?

// Tomas

I assume you saw Mr. Schwartz’ posting about newer certs from Verisign?

http://www.osronline.com/showthread.cfm?link=197762

Peter
OSR

Yes I saw that post and have installed the intermediate certificates but it seems like there is something wrong with my certificate chain;

The following certificate was selected:
Issued to:
Issued by: VeriSign Class 3 Code Signing 2010 CA
Expires: Fri Nov 11 00:59:59 2011

Cross certificate chain (using user store):
Issued to: VeriSign Class 3 Public Primary Certification Authority - G5
Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
Expires: Thu Jul 17 00:59:59 2036

Issued to: VeriSign Class 3 Code Signing 2010 CA
Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
Expires: Sat Feb 08 00:59:59 2020

Issued to:
Issued by: VeriSign Class 3 Code Signing 2010 CA
Expires: Fri Nov 11 00:59:59 2011

Signtool Error: The provided cross certificate would not be present in the certificate chain.

// Tomas

Solved it by removing the “mumble jumble” as well…

Had an old, expired cross certificate from the MS Website installed - removed this and all other intermediate cross certificates from VeriSign. I then signed the catalog using just the correct intermediate certificate and it worked.

// Tomas
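
A diagnostic for the situation resolved above, as an added example that is not from any poster in this thread: it checks whether the file passed to `signtool /ac` matches a certificate in the signing certificate's chain, and lists stale copies in the stores. The default path and the thumbprint placeholder are assumptions, and the subject-and-key comparison approximates the condition named in the error message rather than reproducing signtool's own logic.

```powershell
# Added example, not from the thread. Path and thumbprint below are placeholders.
param(
    [string]$CrossCertPath    = '.\MSCV-VSClass3.cer',         # file given to signtool /ac
    [string]$SignerThumbprint = '<SIGNING-CERT-THUMBPRINT>'    # placeholder: cert in the "my" store
)

$certType = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
$cross    = New-Object $certType -ArgumentList (Resolve-Path $CrossCertPath).Path
$signer   = Get-Item "Cert:\CurrentUser\My\$SignerThumbprint"

# Build the signer's chain from the local stores (revocation skipped: offline check).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
[void]$chain.Build($signer)

function Get-KeyHex($cert) { [BitConverter]::ToString($cert.GetPublicKey()) }

"Cross cert subject : $($cross.Subject)"
"Cross cert issuer  : $($cross.Issuer)"
"Cross cert expires : $($cross.NotAfter)"
if ($cross.NotAfter -lt (Get-Date)) { Write-Warning 'The cross certificate file is expired.' }

# A cross certificate re-issues a CA's subject and public key under another root,
# so it can only join the chain if some chain element shares both.
$match = $chain.ChainElements | Where-Object {
    $_.Certificate.Subject -eq $cross.Subject -and
    (Get-KeyHex $_.Certificate) -eq (Get-KeyHex $cross)
}
if ($match) {
    "OK: cross cert matches chain element '$($match[0].Certificate.Subject)'"
} else {
    Write-Warning 'No chain element has the cross cert subject and key; it is the wrong cross certificate for this chain.'
    $chain.ChainElements | ForEach-Object { "  chain: $($_.Certificate.Subject)" }
}

# List every store copy that shares a subject with the chain or the cross cert,
# so expired or duplicate intermediates and cross certificates stand out.
$subjects = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) + $cross.Subject
Get-ChildItem Cert:\CurrentUser\CA, Cert:\CurrentUser\Root, Cert:\LocalMachine\CA, Cert:\LocalMachine\Root |
    Where-Object { $subjects -contains $_.Subject } |
    Select-Object @{n='Store';e={Split-Path $_.PSParentPath -Leaf}}, Subject, Issuer, NotAfter,
                  Thumbprint, @{n='Expired';e={$_.NotAfter -lt (Get-Date)}} |
    Format-Table -AutoSize
```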