What is the point of having multiple certificates on drivers?

When I examine FESF drivers, I see two certificates, one from Microsoft and the other from OSR.
The Microsoft certificate expires in Jan 2025, while the OSR certificate expires in May 2027.
What would happen come Jan 2025, when the MS certificate expires?
My larger question is about having multiple certificates on a driver; what's the point, if the driver is already signed by Microsoft? Isn't having a Microsoft certificate the ultimate validation from the perspective of Windows?
Thanks.


[Screenshot attached: OsrDs2.sys Properties dialog, Digital Signatures tab, 2024-08-05]

The dialog box itself answers your question: Drivers are signed to unambiguously identify from whom the software originated.

As to what happens to this executable at cert expiration, the answer is: nothing. The cert expiration date is the date after which the cert cannot be used for signing. Executables signed with the cert remain valid, as long as the executable was signed within the cert’s validity period.


Thank you for your response.

Would attempting to install a driver with an expired certificate cause problems?

No.

As I wrote above:


Many thanks for the information. :+1:

I'd add that the important factor is having a timestamp counter-signature, which is a proof that the driver was signed within the certificate's validity period. If you have that, the driver will be loaded without problems. If you have just the main signature(s) without any timestamping, then the OS will not be able to know when the file was signed and will use the current date. In this case, if the certificate has expired the signature check will fail, and the driver won't be loaded.


Thanks Flint.

I thought that the OS was checking whether the certificate validity period had expired (as of the instant of the check). What you are saying is that the OS is actually checking when the driver was signed, and if it can't find that timestamp, defaults to now.

If you could humor me and verify the following please: If a timestamp was used, and that timestamp was applied during the period of certificate validity, a driver's certificate would never expire? That is, the driver would load without the do-you-want-to-load-anyway message even after the certificate expiry date?

Thank you again.

If a timestamp was used, and that timestamp was applied during the period of certificate validity, a driver's certificate would never expire?

This is correct. Although a minor correction in terminology: the driver's signature would never expire. The certificate used for signing will still expire at its due time, but the driver will be treated as correctly signed. Basically, that's how tons of outdated hardware and kernel-mode software can still work, even though they have not been updating their drivers for years.

Also, there's a matter of forced blocking of some certificates by Microsoft when they find them to be illegally used. Then even the drivers signed during the validity period will fail to load. But it's more like an exceptional situation.

That is, the driver would load without the do-you-want-to-load-anyway message even after the certificate expiry date?

Correct. Although if that were not the case you would not get a do-you-want-to-load-anyway; you'd just get a brick-wall-hard no. (Well, there are still some situations when a seemingly invalid signature can be accepted anyway, and vice versa, but it's a really huge topic with lots and lots of details and possible scenarios, most of them discussed in detail on this forum.)

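To see for yourself what the two replies above describe (the signer certificate's validity window, whether a timestamp countersignature is present, and what Windows concludes about the file), the following script is an added example written for this thread; it is not code from OSR, from the FESF package, or from any of the posters. The driver path is an assumption: point it at the actual .sys you are inspecting. The `signtool` call at the end assumes the Windows SDK tool is on your PATH.

```powershell
# Added example, not part of the original thread. Assumed path below.
$driver = 'C:\Windows\System32\drivers\OsrDs2.sys'
$now    = Get-Date

# Get-AuthenticodeSignature runs the standard Authenticode check and returns
# the verdict plus the certificates that were involved.
$sig = Get-AuthenticodeSignature -FilePath $driver

"File           : {0}" -f $sig.Path
"Status         : {0} ({1})" -f $sig.Status, $sig.StatusMessage

$signer = $sig.SignerCertificate
if ($signer) {
    "Signer         : {0}" -f $signer.Subject
    "Cert valid     : {0:u} .. {1:u}" -f $signer.NotBefore, $signer.NotAfter
    if ($signer.NotAfter -lt $now) {
        # The cert itself has expired; whether the signature still counts
        # depends entirely on the timestamp checked below.
        "Cert expired   : yes, {0:N0} days ago" -f ($now - $signer.NotAfter).TotalDays
    } else {
        "Cert expired   : no"
    }
}

# The timestamp countersignature is the proof that signing happened inside
# the cert's validity window. Without it, Windows has no signing time and
# evaluates the signature as of 'now'.
$tsa = $sig.TimeStamperCertificate
if ($tsa) {
    "Timestamped    : yes, countersigned by {0}" -f $tsa.Subject
} else {
    "Timestamped    : NO - validity is judged as of {0:u}" -f $now
    if ($signer -and $signer.NotAfter -lt $now) {
        "Expectation    : signature will be rejected once the cert has expired"
    }
}

# Get-AuthenticodeSignature reports only the primary (first) signature.
# For a dual-signed file like the one in the screenshot, ask signtool to
# walk every signature and print each one's signing time and chain:
#   /v   verbose output, including the timestamp
#   /kp  apply the kernel-mode driver signing policy
#   /all verify every signature in a multi-signed file
& signtool verify /v /kp /all $driver
```

If `Timestamped` comes back `NO` on a driver whose signer certificate has passed its NotAfter date, that is exactly the case Flint describes where the load fails; with a timestamp the same file keeps loading after expiry. The separate situation from the second reply, a certificate that Microsoft has force-blocked because it was misused, shows up as a non-`Valid` status even when both the dates and the timestamp are fine, so treat `Status` as the authoritative verdict and the dates as the explanation.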

Can't thank you enough for the information you've provided. Regards.
