Get a code signing certificate

Before you can establish a Hardware Dev Center hardware dashboard account, you need to get a code signing certificate to secure your digital information. This certificate is the accepted standard for establishing your company’s ownership of the code you submit. It allows you to digitally sign PE binaries, such as .exe, .cab, .dll, .ocx, .msi, .xpi and .xap files.

Step 1: Determine which type of code signing certificate you need

  • Microsoft accepts standard code signing and extended validation (EV) code signing certificates from partners enrolled and authorized for Kernel Mode Code Signing as part of the Microsoft Trusted Root Certificate Program. Please see http://aka.ms/rootcert for more information. If you already have an approved standard or EV certificate from one of these authorities, you can use it to establish a Hardware Dev Center hardware dashboard account. If you don’t have a certificate, you’ll need to buy a new one.

  • The table below provides the details of the Certificate requirements for each of the dashboard services.

| Dashboard service/permission | Code signing certificate requirement |
| --- | --- |
| Bug management | Standard or EV |
| DDC – Driver Distribution Center | Standard or EV |
| Device Metadata | Standard or EV |
| Report Data | Standard or EV |
| Submissions | Standard or EV |
| WRD – Windows Remote Debugging | Standard or EV |
| LSA | EV |
| UEFI | EV |
| Windows Reference Design | Standard or EV |

Note   Submissions will enforce the EV-only requirement later this year.
 

Code signing certificates for Hardware Dev Center hardware dashboard

There are two types of code signing certificates available today:

Standard Code Signing

  • Provides standard level of identity validation

  • Requires shorter processing times and lower cost

  • Can be used for all Hardware Dev Center hardware dashboard services except the LSA and UEFI file signing services.

  • In Windows 10 for desktop editions (Home, Pro, Enterprise, and Education), standard code signing cannot be used for kernel-mode drivers. For more info about these changes, see Code Signing FAQ.

Extended Validation (EV) Code Signing

  • Provides the highest level of identity validation

  • Requires longer processing times and higher cost due to an extensive verification process

  • Can be used for all Hardware Dev Center hardware dashboard services, and is required for LSA and UEFI file signing services

  • In Windows 10 for desktop editions, all kernel-mode drivers must be signed by the Hardware Dev Center Dashboard and the Hardware Dev Center Dashboard requires an EV certificate. For more info about these changes, see Code Signing FAQ.

Step 2: Buy a new code signing certificate

If you don’t have an approved standard or EV code signing certificate, you can buy one from one of the certificate authorities below.

Standard code signing certificates

Extended validation code signing certificates (required for UEFI, kernel-mode drivers, and LSA certifications)

Step 3: Retrieve code signing certificates

Once the certificate authority has verified your contact information and your certificate purchase is approved, follow their directions to retrieve the certificate.

Note   You must use the same computer and browser to retrieve your certificate.

 

Next steps

  • If you’re setting up a new Hardware Dev Center hardware dashboard account, follow the steps in Establish a new company.

  • If you’ve already set up a Hardware Dev Center hardware dashboard account and need to renew a certificate, follow the steps in Update a code signing certificate.

Code Signing FAQ

This section provides answers to frequently asked questions about code signing for Windows 10. Additional code signing information is available on the Windows Hardware Certification blog.

HLK Tested and Dashboard Signed Drivers

  • A dashboard signed driver that has passed the HLK tests will work on Windows Vista through Windows 10, including Windows Server editions. This is the recommended method for driver signing, because it allows a single process for all OS versions. In addition, HLK tested drivers demonstrate that a manufacturer has rigorously tested their hardware to meet all of Microsoft's requirements with regards to reliability, security, power efficiency, serviceability, and performance, so as to provide a great Windows experience. This includes compliance with industry standards and adherence with Microsoft specifications for technology-specific features, helping to ensure correct installation, deployment, connectivity and interoperability. For more information about the HLK, see Windows Hardware Compatibility Program.

Windows 10 Desktop Attestation Signing

  • A dashboard signed driver using attestation signing will only work on Windows 10 Desktop and later versions of Windows.
  • An attestation signed driver will only work for Windows 10 Desktop; it will not work for other versions of Windows, such as Windows Server 2016, Windows 8.1, or Windows 7.
  • Attestation signing supports Windows 10 Desktop kernel mode and user mode drivers. Although user mode drivers do not need to be signed by Microsoft for Windows 10, the same attestation process can be used for both user and kernel mode drivers.

Windows 10 Earlier Certificate Transition Signing

  • A driver signed with any certificate issued after July 29th, 2015, with time stamping, is not recommended for Windows 10.
  • A driver signed with any certificate that expires after July 29th, 2015, without time stamping, will work on Windows 10 until the certificate expires.

Cross-Signing and SHA-256 Certificates

Cross-signing describes a process where a driver is signed with a certificate issued by a Certificate Authority (CA) that is trusted by Microsoft. For more information, see Cross-Certificates Overview.

  • Windows 8 and later versions support SHA-256.
  • Windows 7, if patched, supports SHA-256. If you need to support unpatched devices that run Windows 7, you need to either cross-sign with a SHA-1 certificate or submit to the Dashboard for signing. Otherwise, you can either cross-sign with a SHA-1 or SHA-2 certificate or create an HLK/HCK submission for signing.
  • Because Windows Vista doesn’t support SHA-256, you need to either cross-sign with a SHA-1 certificate or create an HLK/HCK submission for Windows Vista driver signing.
  • A driver cross-signed with a SHA-256 certificate (including an EV certificate) issued prior to July 29th, 2015 will work on Windows 8 and later. It will not work on Windows Vista or Windows Server 2008.
  • A driver cross-signed with a SHA-256 certificate (including an EV certificate) issued prior to July 29th, 2015 will work on Windows 7 or Server 2008R2 if the patch issued through Windows Update earlier this year has been applied. For more information, see Availability of SHA-2 Hashing Algorithm for Windows 7 and Windows Server 2008 R2 and Microsoft security advisory: Availability of SHA-2 code signing support for Windows 7 and Windows Server 2008 R2: March 10, 2015.
  • A cross-signed driver using a SHA-1 certificate issued prior to July 29th, 2015 will work on all platforms starting with Windows Vista through Windows 10.
  • A cross-signed driver using a SHA-1 or SHA-256 certificate issued after July 29th, 2015 is not recommended for Windows 10.
  • For more information about the effort to move to SHA-256 certificates, see Windows Enforcement of Authenticode Code Signing and Timestamping.

Device Guard

  • Enterprises using Windows 10 Enterprise edition may implement a Device Guard policy to modify the driver signing requirements. Device Guard provides an enterprise-defined code integrity policy, which may be configured to require at least an attestation-signed driver. For more information about Device Guard, see Device Guard certification and compliance.

Windows Server

  • The dashboard will not accept attested device and filter driver signing submissions for Windows Server 2016.
  • The dashboard will only sign device and filter drivers that have successfully passed the HLK tests.
  • Windows Server 2016 will only load dashboard signed drivers that have successfully passed the HLK tests.

EV Certs

  • As of October 31, 2015, your Sysdev dashboard account must have at least one EV certificate associated with it to submit binaries for attestation signing or to submit binaries for HLK certification.
  • You can sign with either your EV certificate or your existing standard certificates until May 1, 2016. After May 1, 2016, you need to use an EV certificate to sign the cab file that is submitted.
  • The submitted binaries themselves do not need to be signed. Only the submission cab file needs to be signed with an EV certificate.
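
The following PowerShell function is an added example, not code from the original page or from Microsoft. It reads the Authenticode signer certificate of a file and maps it onto the rules in the Cross-Signing and EV Certs sections above. The function name, the sample path, the use of the certificate's NotBefore date as the issue date, and the EV policy OID (2.23.140.1.3, from the CA/Browser Forum) are assumptions that do not appear on the page.

```powershell
# Added example; Get-DriverSigningProfile is a hypothetical name.
function Get-DriverSigningProfile {
    param([Parameter(Mandatory)][string]$Path)

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    if (-not $cert) {
        return [pscustomobject]@{ Path = $Path; Status = $sig.Status; Notes = @('No signer certificate found') }
    }

    # "Issued" is read from NotBefore. The page only covers certificates issued prior to
    # or after July 29, 2015; a certificate dated that day is treated as not prior (assumption).
    $issuedPrior = $cert.NotBefore -lt [datetime]'2015-07-29'

    # Hash the CA used to sign the certificate, e.g. sha1RSA or sha256RSA.
    $algorithm = $cert.SignatureAlgorithm.FriendlyName
    $isSha1    = $algorithm -match 'sha1'
    $isSha256  = $algorithm -match 'sha256'

    # Assumption, not from the page: EV code signing certificates carry the
    # CA/Browser Forum policy OID 2.23.140.1.3 in Certificate Policies (2.5.29.32).
    $policies = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.32' }
    $isEv = [bool]($policies -and
        ($policies.Format($false) -match '(?<![\d.])2\.23\.140\.1\.3(?![\d.])'))

    $notes = @()
    if (-not $issuedPrior) {
        $notes += 'Cross-signing: not recommended for Windows 10 (certificate issued after July 29, 2015)'
    } elseif ($isSha1) {
        $notes += 'Cross-signing: works from Windows Vista through Windows 10'
    } elseif ($isSha256) {
        $notes += 'Cross-signing: works on Windows 8 and later, and on patched Windows 7 / Server 2008 R2'
        $notes += 'Cross-signing: does not work on Windows Vista or Windows Server 2008'
    }
    if (-not $isEv) {
        $notes += 'Not EV: cannot be used to sign the submission cab after May 1, 2016'
    }

    [pscustomobject]@{
        Path = $Path; Status = $sig.Status; Subject = $cert.Subject
        Issued = $cert.NotBefore; Algorithm = $algorithm; IsEV = $isEv
        Timestamped = [bool]$sig.TimeStamperCertificate; Notes = $notes
    }
}

# Usage (the path is a placeholder for your own signed submission cab or driver file)
Get-DriverSigningProfile -Path .\submission.cab | Format-List
```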

OS Support Summary

This table summarizes the driver signing requirements for Windows.

| OS | Attestation Dashboard Signed | HLK Test Passed Dashboard Signed | Cross-signed using a SHA-1 certificate issued prior to July 29, 2015 |
| --- | --- | --- | --- |
| Windows Vista | No | Yes | Yes |
| Windows 7 | No | Yes | Yes |
| Windows 8 / 8.1 | No | Yes | Yes |
| Windows 10 | Yes | Yes | Yes |
| Windows 10 – DG Enabled | *Configuration Dependent | *Configuration Dependent | *Configuration Dependent |
| Windows Server 2008 R2 | No | Yes | Yes |
| Windows Server 2012 R2 | No | Yes | Yes |
| Windows Server 2016 | No | Yes | Yes |
| Windows Server 2016 – DG Enabled | *Configuration Dependent | *Configuration Dependent | *Configuration Dependent |
| Windows IoT Enterprise | Yes | Yes | Yes |
| Windows IoT Enterprise – DG Enabled | *Configuration Dependent | *Configuration Dependent | *Configuration Dependent |
| Windows IoT Core (1) | Yes (Not Required) | Yes (Not Required) | Yes (Cross signing will also work for certificates issued after July 29, 2015) |

 

*Configuration Dependent – With Windows 10 Enterprise edition, organizations can use Device Guard to define custom driver signing requirements. For more information about Device Guard, see Device Guard certification and compliance.

(1) Driver signing is required for manufacturers building retail products (i.e. for a non-development purpose) with IoT Core. For a list of approved Certificate Authorities (CAs), see Cross-Certificates for Kernel Mode Code Signing. Note that if UEFI Secure Boot is enabled, then drivers must be signed.

 

 

© 2016 Microsoft