Cross-Certificates for Kernel Mode Code Signing

Updated: September 15, 2011

This information describes how to obtain and use cross-certificates for code-signing kernel-mode binary files for Microsoft Windows.

On This Page

  Cross-Certificates Overview
  Selecting the Correct Cross-Certificate
  Cross-Certificate List

Cross-Certificates Overview

A cross-certificate is a digital certificate issued by one Certificate Authority (CA) that is used to sign the public key for the root certificate of another Certificate Authority. Cross-certificates provide a means to create a chain of trust from a single, trusted, root CA to multiple other CAs.

In Windows, cross-certificates:

• Allow the operating system kernel to have a single trusted Microsoft root authority.
• Extend the chain of trust to multiple commercial CAs that issue Software Publisher Certificates (SPCs), which are used for code-signing software for distribution, installation, and loading on Windows.

The cross-certificates that are provided here are used with the Windows Driver Kit (WDK) code-signing tools for properly signing kernel-mode software. Digitally signing kernel-mode software is similar to code-signing any software that is published for Windows. Cross-certificates are added to the digital signature by the developer or software publisher when signing the kernel-mode software. The cross-certificate itself is added by the code-signing tools to the digital signature of the binary file or catalog.

 Top of page

Selecting the Correct Cross-certificate

Microsoft provides a specific cross-certificate for each CA that issues SPCs for code-signing kernel-mode code. The list below has a link to the correct cross-certificate for the root authority that issued your SPC. Follow the steps below to identify your CA, and then download the related cross-certificate.

1. Open the Microsoft Management Console (MMC) and add the Certificates snap-in:
   1. Click the Start button, type “mmc” in the search box, and press return. If a User Account Control dialog box appears, click Yes.
   2. From the MMC File menu, select Add/Remove Snap-in,…
   3. Select the Certificates snap-in and click Add.
   4. Select My user account and click Finish.
   5. Select the Certificates snap-in again and click Add.
   6. Select Computer account and click Next.
   7. Select Local computer and click Finish.
2. Locate your SPC in the certificate store, and then double-click it.
   Your certificate is listed in one of the following two locations, depending on how the certificate was installed:
   • The Current User, Personal, Certificates store, or
   • The Local Computer, Personal, Certificates store.
3. In the Certificate dialog box, click on the Certification Path tab, and then select the top-most certificate in the certification path.
   This is the CA that is the issuing root authority for your SPC.
4. View the root authority certificate by clicking the View Certificate button, and then click the Details tab of the new Certificate dialog box.
5. Find the Issuer and Thumbprint for this certificate. Then locate the corresponding entry for this CA in the list below.
6. Download the related cross-certificate for the CA and use this cross-certificate together with your SPC when digitally signing kernel-mode code.

 Top of page

Cross-Certificate List

The following list contains all of the CAs that are currently supported by Microsoft for issuing SPCs for code-signing kernel-mode code.

Certum Trusted Network CA

Root certificate thumbprint:

55 43 55 15 fd d2 48 65 75 fd c5 cf 3b ad 00 c9 13 12 3d 03

Download cross-certificate for Certum Trusted Network CA
(Certificate file in a 2 KB zip file)

DigiCert Assured ID Root CA

Root certificate thumbprint:

ba 3e a5 4d 72 c1 45 d3 7c 25 5e 1e a4 0a fb c6 33 48 b9 6e

Download cross-certificate for DigiCert Assured ID Root CA
(Certificate file in a 2 KB zip file)

DigiCert Global Root CA

Root certificate thumbprint:

c9 83 39 19 f1 f3 6a 63 48 11 1e 93 02 6f d4 0e b9 6f bc 34

Download cross-certificate for DigiCert Global Root CA
(Certificate file in a 2 KB zip file)

DigiCert High Assurance EV Root CA

Root certificate thumbprint:

2f 25 13 af 39 92 db 0a 3f 79 70 9f f8 14 3b 3f 7b d2 d1 43

Download cross-certificate for DigiCert High Assurance EV Root CA
(Certificate file in a 2 KB zip file)

Entrust.net Certification Authority (2048)

Root certificate thumbprint:

00 a3 e6 00 9e aa 73 9b 3d ee f4 b5 06 64 9d 8a 1a 7a d3 3a

Download cross-certificate for Entrust.net Certification Authority (2048)
(Certificate file in a 2 KB zip file)

GeoTrust Primary Certification Authority

Root certificate thumbprint:

e8 6e 80 82 99 0e 3d fa ed 81 6d 9e b1 72 0f 91 a4 f1 a1 85

Download cross-certificate for GeoTrust Primary Certification Authority
(Certificate file in a 2 KB zip file)

GeoTrust Primary Certification Authority – G3

Root certificate thumbprint:

b2 bb bd fa c8 f1 a8 ad 58 95 cd 49 38 4b 22 ca 19 db 2d 1f

Download cross-certificate for GeoTrust Primary Certification Authority – G3
(Certificate file in a 2 KB zip file)

GlobalSign Root CA

Root certificate thumbprint:

cc 1d ee bf 6d 55 c2 c9 06 1b a1 6f 10 a0 bf a6 97 9a 4a 32

Download cross-certificate for GlobalSign Root CA
(Certificate file in a 2 KB zip file)

Go Daddy Root Certificate Authority – G2

Root certificate thumbprint:

84 2c 5c b3 4b 73 bb c5 ed 85 64 bd ed a7 86 96 7d 7b 42 ef

Download cross-certificate for Go Daddy Root Certificate Authority – G2
(Certificate file in a 2 KB zip file)

NetLock Arany (Class Gold)

Root certificate thumbprint:

89 4f 1d 28 97 aa 4c 07 4d cd 85 c5 fc 09 ee 73 b9 51 04 d8

Download cross-certificate for NetLock Arany (Class Gold)
(Certificate file in a 2 KB zip file)

NetLock Platina (Class Platinum)

Root certificate thumbprint:

97 dd 74 97 16 20 57 29 41 dc 80 0c 2f d8 0a 48 07 7d 10 b0

Download cross-certificate for NetLock Platina (Class Platinum)
(Certificate file in a 2 KB zip file)

Security Communication RootCA1

Root certificate thumbprint:

41 f2 8c e5 6f d8 b9 cb 46 7f b5 03 2a 3c ae 1c dc 9d 86 48

Download cross-certificate for Security Communication RootCA1
(Certificate file in a 2 KB zip file)

Starfield Root Certificate Authority – G2

Root certificate thumbprint:

40 c2 0a 9a 33 fa d0 36 ac bf e8 2d 6c bb ee 1b 42 9b 86 de

Download cross-certificate for Starfield Root Certificate Authority – G2
(Certificate file in a 2 KB zip file)

StartCom Certification Authority

Root certificate thumbprint:

e6 06 9e 04 8d ea 8d 81 7a fc 41 88 b1 be f1 d8 88 d0 af 17

Download cross-certificate for StartCom Certification Authority
(Certificate file in a 2 KB zip file)

TC TrustCenter Class 2 CA II

Root certificate thumbprint:

42 62 ff 7d 89 70 66 aa e7 75 80 d3 3a d2 88 03 f9 a1 1a 62

Download cross-certificate for TC TrustCenter Class 2 CA II
(Certificate file in a 2 KB zip file)

Thawte Primary Root CA

Root certificate thumbprint:

55 38 e9 fe c1 40 30 b7 40 15 23 49 e1 15 a1 16 5d 29 07 4a

Download cross-certificate for Thawte Primary Root CA
(Certificate file in a 2 KB zip file)

Thawte Primary Root CA – G3

Root certificate thumbprint:

ba 57 ca 5e 78 dd 2d 1d 74 76 ae be e9 95 3e 39 6f d0 55 46

Download cross-certificate for Thawte Primary Root CA – G3
(Certificate file in a 2 KB zip file)

VeriSign Class 3 Public Primary Certification Authority – G5

Root certificate thumbprint:

57 53 4c cc 33 91 4c 41 f7 0e 2c bb 21 03 a1 db 18 81 7d 8b

Download cross-certificate for VeriSign Class 3 Public Primary Certification Authority – G5
(Certificate file in a 2 KB zip file)

VeriSign Universal Root Certification Authority

Root certificate thumbprint:

9e d8 cd 56 01 f0 10 56 51 eb bb 3f 57 f0 31 82 e5 fa 7e 01

Download cross-certificate for VeriSign Universal Root Certification Authority
(Certificate file in a 2 KB zip file)

 Top of page