Windows Driver Kit: Device Installation
MakeCert Test Certificate
A MakeCert test certificate is an Authenticode digital certificate that is created with the MakeCert tool. A MakeCert test certificate is a self-signed root certificate that can be used to test-sign a driver package’s catalog file or to test-sign a driver file by embedding a signature in the driver file. To create a MakeCert test certificate, use the MakeCert tool as follows:
MakeCert -r -pe -ss TestCertStoreName -n "CN=CertName" CertFileName.cer
Where:
- The -r option specifies that the certificate is self-signed, that is, the certificate is a root certificate.
- The -pe option specifies that the private key that is associated with the certificate can be exported.
- The -ss TestCertStoreName option specifies the name of the certificate store that contains the test certificate.
- The -n "CN=CertName" option specifies a name for the certificate that can be used with the SignTool tool to identify the certificate. It is recommended that you use a certificate name that clearly identifies the certificate as a test certificate, for example, "WDK Driver Testing Cert - for in-house use only." If the certificate name is not supplied, the default name of the certificate is "Joe's Software Emporium."
- CertFileName.cer is the name of the file that contains a copy of the test certificate. The certificate file is used to add the certificate to the Trusted Root Certification Authorities certificate store and the Trusted Publishers certificate store.
The certificate store that contains the test certificate is added to the list of certificate stores that Windows manages for the user account on the development computer on which the certificate store was created.
A developer only needs to create one MakeCert test certificate to sign all driver packages on a development computer.
In the following example, the MakeCert command generates a test certificate named "Contoso.com(Test)", installs the test certificate in the PrivateCertStore certificate store, and creates the testcert.cer file that contains a copy of the test certificate.
MakeCert -r -pe -ss PrivateCertStore -n "CN=Contoso.com(Test)" testcert.cer
For more information about using MakeCert, see the readme file Selfsign_readme.htm and the script file Selfsign_example.cmd, which are located in the bin\SelfSign directory of the Windows Driver Kit (WDK). The script file Selfsign_example.cmd includes a documented example of how to use MakeCert to create a test certificate.
To test-sign a catalog file or embed a signature in a driver file, the MakeCert test certificate can be in the Personal certificate store ("my" store), or some other custom certificate store, of the local computer that signs the software. However, to verify a test signature, the corresponding test certificate must be installed in the Trusted Root Certification Authorities certificate store of the local computer that you use to verify the signature. Use the CertMgr tool, as follows, to install a test certificate in the Trusted Root Certification Authorities certificate store of the local computer that you use to sign drivers:
CertMgr /add CertFileName.cer /s /r localMachine root
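The create-and-install steps above as one PowerShell script, followed by a check that each copy of the certificate is in the store the text names. This is an added example, not part of the WDK documentation or its Selfsign_example.cmd. It assumes an elevated prompt with MakeCert.exe and CertMgr.exe on PATH, and Find-CertInStore is a helper name introduced here.

```powershell
# Added example. Run from an elevated prompt on the development computer.
# Assumption: MakeCert.exe and CertMgr.exe are on PATH.
$StoreName = 'PrivateCertStore'        # store name from the page's example
$Subject   = 'CN=Contoso.com(Test)'    # certificate name from the page's example
$CerFile   = Join-Path (Get-Location) 'testcert.cer'

# 1. Create the self-signed test certificate and its .cer copy.
& MakeCert.exe -r -pe -ss $StoreName -n $Subject $CerFile
if (-not (Test-Path $CerFile)) { throw "MakeCert did not produce $CerFile" }

# 2. Install the .cer copy in the local machine's Trusted Root store.
& CertMgr.exe /add $CerFile /s /r localMachine root

# 3. Load the .cer copy (public certificate only) and confirm it is self-signed (-r).
$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerFile
if ($cer.Subject -ne $cer.Issuer) { throw "Expected a self-signed certificate" }

# Helper (hypothetical name): return the certificate with a given thumbprint from a store.
function Find-CertInStore {
    param([string]$Name,
          [System.Security.Cryptography.X509Certificates.StoreLocation]$Location,
          [string]$Thumbprint)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList $Name, $Location
    $store.Open('ReadOnly')
    try { $store.Certificates | Where-Object { $_.Thumbprint -eq $Thumbprint } }
    finally { $store.Close() }
}

# 4. The signing copy, with its private key, is in the per-user store named by -ss.
$signing = Find-CertInStore -Name $StoreName -Location CurrentUser -Thumbprint $cer.Thumbprint
if (-not $signing -or -not $signing.HasPrivateKey) {
    throw "No certificate with a private key found in CurrentUser\$StoreName"
}

# 5. The copy used to verify test signatures is in LocalMachine\Root.
$trusted = Find-CertInStore -Name 'Root' -Location LocalMachine -Thumbprint $cer.Thumbprint
if (-not $trusted) { throw "Certificate is not in LocalMachine\Root; was the prompt elevated?" }

# Summary to record, so the test root can be identified and removed after testing.
[pscustomobject]@{
    Subject      = $cer.Subject
    Thumbprint   = $cer.Thumbprint
    NotAfter     = $cer.NotAfter
    SigningStore = "CurrentUser\$StoreName"
    TrustedIn    = 'LocalMachine\Root'
}
```

Matching on the thumbprint rather than the subject name distinguishes this certificate from any other test certificate that was created with the same CN.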
Before you can install a driver package that is signed by a MakeCert test certificate, the test certificate must be installed in the Trusted Root Certification Authorities certificate store and the Trusted Publishers certificate store of the test computer. For information about how to install a MakeCert test certificate on a test machine, see Installing a Test Certificate on a Test Computer.