Signing Microsoft Windows 64-bit Kernel-Mode drivers


If your certificate uses SHA-2 or has SHA-2 certificates in its chain of trust and you are using it to sign kernel modules, then you should be aware of KB3033929, an update for Windows 7 distributed through Windows Update. On versions of Windows 7 without this update, the kernel will reject signatures made with certificates that use SHA-2, so they cannot be used to get a kernel module to load.

In order for your driver to install successfully, the following file types in your project must be signed:




1. Download the Comodo cross-signed CA.    

   [KMCS] COMODO RSA Certification Authority


   [KMCS] AddTrust External CA Root

2. Open an elevated Windows command prompt (cmd) and run signtool.exe:


The following syntax signs the file using a certificate stored in a password-protected PFX file.

Without the timestamp:

> signtool sign /v /ac "CROSS_SIGNED_COMODO_CA_HERE" /f YOUR_PFX_HERE /p Password /n "Company Name" "PATH_TO_FILE_TO_SIGN"
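
With the timestamp (the /tr option takes the URL of an RFC 3161 timestamp server as its argument):

> signtool sign /v /ac "CROSS_SIGNED_COMODO_CA_HERE" /f YOUR_PFX_HERE /p Password /n "Company Name" /tr "TIMESTAMP_SERVER_URL_HERE" "PATH_TO_FILE_TO_SIGN"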

This command places a signature on the file that includes the cross-signed certificate and is timestamped in compliance with RFC 3161.


Note: The company name passed to /n should be exactly as shown in the "ISSUED TO" field of your own certificate.


1. You should verify your signature for a driver file using the following command:

> signtool verify /v /kp "PATH_TO_FILE_TO_SIGN"

2. You should verify that a given driver is "signed" by a given catalog file using the following command:

> signtool verify /v /kp /c "C:\" "PATH_TO_FILE_TO_SIGN"

/v produces verbose output and /kp validates the signature against the kernel-mode driver signing criteria.


3. To reduce boot time, sign all drivers and catalog files.
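
The verification steps above can be run over a whole driver package in one pass, together with a check for the SHA-2 condition that makes KB3033929 necessary on Windows 7. The PowerShell below is an added example, not Comodo's code; it assumes signtool.exe is on PATH, and the package folder is a hypothetical path.

```powershell
# Added example: audit every .sys and .cat file in a driver package before release.
# Assumptions: signtool.exe is on PATH; the default folder below is hypothetical.
param(
    [string]$PackageDir = 'C:\build\mydriver'
)

# Return the signature algorithm of each certificate in the chain,
# as built on this machine (e.g. sha1RSA, sha256RSA).
function Get-ChainAlgorithms($cert) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # no network lookups
    [void]$chain.Build($cert)
    $chain.ChainElements | ForEach-Object { $_.Certificate.SignatureAlgorithm.FriendlyName }
}

$results = foreach ($file in Get-ChildItem -Path $PackageDir -Recurse -File -Include *.sys, *.cat) {
    $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
    $algs = if ($sig.SignerCertificate) { Get-ChainAlgorithms $sig.SignerCertificate } else { $null }

    # Same kernel-mode policy check as in the article; exit code 0 means it passed.
    & signtool.exe verify /kp $file.FullName 2>&1 | Out-Null
    $kernelOk = ($LASTEXITCODE -eq 0)

    [pscustomobject]@{
        File           = $file.Name
        Status         = $sig.Status                         # Valid, NotSigned, HashMismatch, ...
        Timestamped    = [bool]$sig.TimeStamperCertificate   # false if signed without /tr
        # True when any chain certificate uses SHA-2: Windows 7 then needs KB3033929.
        Sha2InChain    = [bool]($algs -match 'sha(256|384|512)')
        KernelPolicyOk = $kernelOk
    }
}

$results | Format-Table -AutoSize

# Non-zero exit code if anything is unsigned or fails the kernel-mode check.
if ($results | Where-Object { $_.Status -ne 'Valid' -or -not $_.KernelPolicyOk }) { exit 1 }
```

A file reported with Timestamped set to False was signed with the first form of the command and its signature will stop validating once the signing certificate expires.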

