Updated Microsoft Cross-certificates for Verisign ?

On Oct 11th Verisign upgraded their CA which is used to issue code
signing certificates to 2048-bit.
https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AD220&actp=LIST&viewlocale=en_US

All code signing certs issued after this date are now signed by the new CA

VeriSign Class 3 Public Primary Certification Authority - G5

SHA1 Thumbprint:
4e b6 d5 78 49 9b 1c cf 5f 58 1e ad 56 be 3d 9b 67 44 a5 e5

The Microsoft web site for Cross-certificates

https://www.microsoft.com/whdc/driver/install/drvsign/crosscert.mspx

does not have any information about CAs issued in the last two years.
On November 11th my previous code signing certificate expired and I am
no longer able to sign 64-bit file system drivers as required for execution.

Does anyone know who to contact within Microsoft to obtain the matching
Cross-certificate?

Thank you.

Jeffrey Altman

What was Verisign’s reply? Did you use their support line to report the problem?

Gary G. Little

----- Original Message -----
From: “Jeffrey Altman”
To: “Windows File Systems Devs Interest List”
Sent: Tuesday, November 16, 2010 1:35:35 PM
Subject: [ntfsd] Updated Microsoft Cross-certificates for Verisign ?

NTFSD is sponsored by OSR

For our schedule of debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

I went through this last week having just got a
new Verisign certificate that was produced off the new root.

It took me a day or so to figure out the Verisign
support site before finding what I needed. Like
you, I thought I needed a new cross certificate,
but you don’t. What you need are two Verisign
intermediate certificates that link the old root
to the new root. Once they’re imported into the
certificate manager the old Microsoft cross
certificate works again with signtool.

You can pick up the intermediate certificates
from here -
http://www.verisign.com/support/verisign-intermediate-ca/code-signing-intermediate/index.html

Paste each one into a .CER file and import using Explorer.

To answer Gary Little’s question, I did raise a
support query with Verisign about this before I
found what I needed. Verisign confirmed this was
the right thing. When I hinted that the
information was difficult to find, the support
chap said he was the one tasked to write a new support article for it.

One would have hoped they might have had the
support article ready before the changeover
rather than leaving customers in the lurch … ho hum.

Mark.

At 19:35 16/11/2010, Jeffrey Altman wrote:

I think that’s called “debug by irritating the customer”.

Gary G. Little

----- Original Message -----
From: “Mark S. Edwards”
To: “Windows File Systems Devs Interest List”
Sent: Tuesday, November 16, 2010 2:25:39 PM
Subject: Re: [ntfsd] Updated Microsoft Cross-certificates for Verisign ?

On 11/16/2010 3:25 PM, Mark S. Edwards wrote:

Mark:

Thank you for this. It was far from obvious.

In any case, I believe that Microsoft should issue a new
cross-certificate for the new CA. Devs should not require jumping
through hoops to make this stuff work.

Jeffrey Altman

I’d recommend everyone who has to sign drivers bookmarks this thread. Although my driver work (thankfully) doesn’t bring me into contact with PKIX there, I know from other work that CAs will change intermediate certificates and certificate routing at the drop of a hat - they view this as a marketing exercise, not a technical one.

Hence if any software you use has requirements on knowing intermediate certificates you need to keep on top of this. Further if you care about security of the signing process (and this appears to be MS’s job, not yours) you need to do due diligence on the new certs to make sure that they have not been compromised or created by buggy versions of openSSL…

FWIW

On 11/16/2010 4:50 PM, Jeffrey Altman wrote:

Coming back to this thread. I thought the process worked because
signtool /Kp indicated that the driver was successfully signed.
Unfortunately, it actually isn’t.

Here is the old signing chain:

SHA1 hash of file: 1CBC97A8BEA16D860B27590E91833B71FA4084F6

Signing Certificate Chain:
    Issued to: Microsoft Code Verification Root
    Issued by: Microsoft Code Verification Root
    Expires:   11/1/2025 8:54:03 AM
    SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3

        Issued to: Class 3 Public Primary Certification Authority
        Issued by: Microsoft Code Verification Root
        Expires:   5/23/2016 12:11:29 PM
        SHA1 hash: 58455389CF1D0CD6A08E3CE216F65ADFF7A86408

            Issued to: VeriSign Class 3 Code Signing 2009-2 CA
            Issued by: Class 3 Public Primary Certification Authority
            Expires:   5/20/2019 6:59:59 PM
            SHA1 hash: 12D4872BC3EF019E7E0B6F132480AE29DB5B1CA3

                Issued to: Secure Endpoints Inc.
                Issued by: VeriSign Class 3 Code Signing 2009-2 CA
                Expires:   11/17/2010 6:59:59 PM
                SHA1 hash: 951F25B0C442A0116C1023DDEF46A60B05833270

and here is the new one:

SHA1 hash of file: 31B4E25BBB3184AFD61234C460F629F2508A6EF8

Signing Certificate Chain:
    Issued to: VeriSign Class 3 Public Primary Certification Authority - G5
    Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
    Expires:   7/16/2036 6:59:59 PM
    SHA1 hash: 4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5

        Issued to: VeriSign Class 3 Code Signing 2010 CA
        Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
        Expires:   2/7/2020 6:59:59 PM
        SHA1 hash: 495847A93187CFB8C71F840CB7B41497AD95C64F

            Issued to: Secure Endpoints Inc.
            Issued by: VeriSign Class 3 Code Signing 2010 CA
            Expires:   11/17/2011 6:59:59 PM
            SHA1 hash: 77707DE11736ECB3CB73F3E75BA0DE8F2E4B494A

Notice the lack of inclusion of the “Microsoft Code Verification
Root”. This was signed after the following new intermediate
certificates were imported.

Primary:

issuer=
    /C=US
    /O=VeriSign, Inc.
    /OU=Class 3 Public Primary Certification Authority
subject=
    /C=US
    /O=VeriSign, Inc.
    /OU=VeriSign Trust Network
    /OU=(c) 2006 VeriSign, Inc. - For authorized use only
    /CN=VeriSign Class 3 Public Primary Certification Authority - G5

Secondary:

issuer=
    /C=US
    /O=VeriSign, Inc.
    /OU=VeriSign Trust Network
    /OU=(c) 2006 VeriSign, Inc. - For authorized use only
    /CN=VeriSign Class 3 Public Primary Certification Authority - G5
subject=
    /C=US
    /O=VeriSign, Inc.
    /OU=VeriSign Trust Network
    /OU=Terms of use at https://www.verisign.com/rpa (c)10
    /CN=VeriSign Class 3 Code Signing 2010 CA

Mark, can you please post the output of “signtool /Kp /V” for one of
your successfully signed drivers? I am interested in seeing what the
certificate chain looks like. I am having a hard time understanding
how signtool is expected to look for an intermediate certificate when
“VeriSign Class 3 Public Primary Certification Authority - G5” has a
self-signed root certificate that was installed as part of the
certificate chain that was issued with the code signing certificate.

Thanks again.

Jeffrey Altman


As far as I have been able to determine, the cross-signing
certificate will only work if the 7600 WDK signtool.exe is used.

Note the new “Cross Certificate Chain” section in the output from
version 6.1.7600.16385:

Signing Certificate Chain:
    Issued to: VeriSign Class 3 Public Primary Certification Authority - G5
    Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
    Expires:   Wed Jul 16 18:59:59 2036
    SHA1 hash: 4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5

        Issued to: VeriSign Class 3 Code Signing 2010 CA
        Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
        Expires:   Fri Feb 07 18:59:59 2020
        SHA1 hash: 495847A93187CFB8C71F840CB7B41497AD95C64F

            Issued to: Secure Endpoints Inc.
            Issued by: VeriSign Class 3 Code Signing 2010 CA
            Expires:   Thu Nov 17 18:59:59 2011
            SHA1 hash: 77707DE11736ECB3CB73F3E75BA0DE8F2E4B494A

Cross Certificate Chain:
    Issued to: Microsoft Code Verification Root
    Issued by: Microsoft Code Verification Root
    Expires:   Sat Nov 01 08:54:03 2025
    SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3

        Issued to: Class 3 Public Primary Certification Authority
        Issued by: Microsoft Code Verification Root
        Expires:   Mon May 23 12:11:29 2016
        SHA1 hash: 58455389CF1D0CD6A08E3CE216F65ADFF7A86408

            Issued to: VeriSign Class 3 Public Primary Certification Authority - G5
            Issued by: Class 3 Public Primary Certification Authority
            Expires:   Sun Nov 07 18:59:59 2021
            SHA1 hash: 32F30882622B87CF8856C63DB873DF0853B4DD27

                Issued to: VeriSign Class 3 Code Signing 2010 CA
                Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
                Expires:   Fri Feb 07 18:59:59 2020
                SHA1 hash: 495847A93187CFB8C71F840CB7B41497AD95C64F

                    Issued to: Secure Endpoints Inc.
                    Issued by: VeriSign Class 3 Code Signing 2010 CA
                    Expires:   Thu Nov 17 18:59:59 2011
                    SHA1 hash: 77707DE11736ECB3CB73F3E75BA0DE8F2E4B494A

Previous versions of signtool will not understand how to make use
of the intermediate certificates between “Class 3 Public Primary
Certificate Authority” and “VeriSign Class 3 Public Primary
Certification Authority - G5”. Another item that also appears to
be required is that the CA Root Certificate for “VeriSign
Class 3 Public Primary Certification Authority - G5” must be
installed in the Intermediate CA certificate store in addition to
the Trusted Root CA store.

VeriSign updated their support web site but have failed to include
these details.  I still think Microsoft should issue a new
cross-signing certificate for the new VeriSign Root CA. Using
these intermediate CA certs is not worth the trouble.

Jeffrey Altman
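
As an added illustration of the point made in the two posts above (example code, not from the thread, Microsoft or VeriSign), this Python parses the chain sections that “signtool verify /kp /v” prints and reports whether any chain actually reaches the Microsoft Code Verification Root, which is what distinguishes the working cross-signed output from the one that merely looked signed. The sample output is constructed from the 7600 signtool output quoted above, abridged to the fields the check uses, with the mail-client line wrapping left in so the parser has to rejoin it.

```python
import re

# Thumbprint of "Microsoft Code Verification Root" as quoted in the thread.
MS_CODE_VERIFICATION_ROOT = "8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3"
SECTION_RE = re.compile(r"^(Signing|Cross) Certificate Chain:$")
FIELD_RE = re.compile(r"^(Issued to|Issued by|Expires|SHA1 hash):\s*(.*)$")


def parse_chains(text):
    """Return {"Signing": [...], "Cross": [...]}, each root first, leaf last;
    a field value wrapped onto the next line (mail quoting) is joined back."""
    chains, certs, cert = {}, None, None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        section = SECTION_RE.match(line)
        field = FIELD_RE.match(line)
        if section:
            certs = chains.setdefault(section.group(1), [])
            cert = None
        elif certs is None:
            continue  # lines before any chain, e.g. "SHA1 hash of file: ..."
        elif field:
            key, value = field.groups()
            if key == "Issued to":  # signtool starts each certificate with this
                cert = {}
                certs.append(cert)
            cert[key] = value
        elif cert:
            last = next(reversed(cert))  # continuation of the previous field
            cert[last] = (cert[last] + " " + line).strip()
    return chains


def kernel_mode_root_present(chains):
    """True when some chain's root certificate is the MS Code Verification Root."""
    return any(c and c[0].get("SHA1 hash", "").upper() == MS_CODE_VERIFICATION_ROOT
               for c in chains.values())


# Constructed sample: the 7600 signtool output quoted in the thread, abridged
# to the fields this check uses, with the wrapping a mail client introduced.
SAMPLE = """\
SHA1 hash of file: 31B4E25BBB3184AFD61234C460F629F2508A6EF8
Signing Certificate Chain:
    Issued to: VeriSign Class 3 Public Primary Certification
Authority - G5
    SHA1 hash: 4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5
        Issued to: Secure Endpoints Inc.
        SHA1 hash: 77707DE11736ECB3CB73F3E75BA0DE8F2E4B494A
Cross Certificate Chain:
    Issued to: Microsoft Code Verification Root
    SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3
        Issued to: VeriSign Class 3 Public Primary
Certification Authority - G5
        SHA1 hash:
32F30882622B87CF8856C63DB873DF0853B4DD27
"""
```

Feeding it only the part of the output before “Cross Certificate Chain:” reproduces the case in the earlier post, where the signing chain roots at the G5 certificate and the check fails.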

Could this be a reason that a driver signed recently is no longer loading?
I got my certs about a year ago (a two year duration), but suddenly a couple
of customers are saying the driver isn’t loading on Windows 2008 R2 x64.


Neil,

did you timestamp that signature? ( see the -t param of signtool). It might cause headache after signing certificate expiration.

Bronislav Gabrhelik