Set up the signing environment
Before you can sign binaries, you must first install the OEM test certificates. To install the certificates, run InstallOEMCerts.cmd.
Important
Binaries that are not properly signed will not be allowed to run. For example, if a driver is not properly signed it will not load, and the device may not boot.
Important
The EKUs for the OEM test certificates are used to target the final retail certificates, so their creation and proper use is critical to achieving successful retail signing.
Setting up the code signing environment using InstallOEMCerts.cmd
Before signing, run InstallOEMCerts.cmd on each machine that will be used to test sign code. Before running InstallOEMCerts.cmd, ensure that the WPDKCONTENTROOT environment variable is set to the current path of the kit.
Run InstallOEMCerts once to install the appropriate OEM test certificates on the PC that will be used for code signing. These certificates are added to the local certificate store of the PC.
After ensuring that WPDKCONTENTROOT is set to the path of the kit install location, run InstallOEMCerts:
"%WPDKCONTENTROOT%\tools\bin\i386\InstallOEMCerts.cmd"
The following dialog box will be displayed to the user:
.png)
Click Yes to continue.
Output similar to the following should appear.
C:\Program Files (x86)\Windows Kits\10\Tools\bin\i386>installoemcerts.cmd
MY "Personal"
CertUtil: -delstore command completed successfully.
Root "Trusted Root Certification Authorities"
Signature matches Public Key
Certificate "Windows Phone OEM Root 2013 (TEST ONLY)" added to store.
CertUtil: -addstore command completed successfully.
Root "Trusted Root Certification Authorities"
Signature matches Public Key
Certificate "Windows Phone OEM Root 2013 (TEST ONLY)" added to store.
CertUtil: -addstore command completed successfully.
Certificate "Windows Phone OEM Root 2013 (TEST ONLY)" added to store.
CertUtil: -importPFX command completed successfully.
Certificate "Windows Phone Intermediate 2013 (TEST ONLY)" added to store.
CertUtil: -importPFX command completed successfully.
Certificate "Windows Phone Intermediate FFU Cert 2013 (TEST ONLY)" added to store.
CertUtil: -importPFX command completed successfully.
Certificate "Windows Phone OEM Test Platform Key Cert 2013 (TEST ONLY)" added to store.
CertUtil: -importPFX command completed successfully.
Certificate "Windows Phone OEM Test Cert 2013 (TEST ONLY)" added to store.
CertUtil: -importPFX command completed successfully.
Certificate "Windows Phone OEM HAL Extension Test Cert 2013 (TEST ONLY)" added to store.
CertUtil: -importPFX command completed successfully.
Certificate "Windows Phone OEM App Test Cert 2013 (TEST ONLY)" added to store.
CertUtil: -importPFX command completed successfully.
Certificate "Windows Phone OEM PP Test Cert 2013 (TEST ONLY)" added to store.
CertUtil: -importPFX command completed successfully.
Certificate "Windows Phone OEM PPL Test Cert 2013 (TEST ONLY)" added to store.
CertUtil: -importPFX command completed successfully.
MY "Personal"
Deleting Certificate 40: CN=Windows Phone OEM HAL Extension Test Cert 2013 (TEST ONLY), O=Microsoft Partner, OU=Windows Phone, L=Redmond, S=Washington, C=US:ae55c35208026c0ed24b41e2c36db95c5e6635c3
CertUtil: -delstore command completed successfully.
C:\Program Files (x86)\Windows Kits\10\Tools\bin\i386>
You can confirm that the certificates were installed by using the Windows certificate manager program, using this command:
Certmgr.msc
Click Personal and then clickcertificates. You should see the newly added certificates.
.png)
Troubleshooting
WPDKCONTENTROOT not set
If WPDKCONTENTROOT is not set, you will receive this message:
WPDKCONTENTROOT must be set to the root of the kit install.
e.g. C:\Program Files(x86)\Windows Kits\10