[How To] Windows Kernel-Mode Code Signing w/Sectigo certificates

May 25, 2018 in Windows and Code Signing

As of August 2013, all valid (non-expired, non-revoked) Sectigo Code Signing Certificates can be used for Kernel-Mode Code Signing on Windows Vista and later.

Note: This relies on Microsoft's cross-certificate program. On Windows 10 version 1607 and later with Secure Boot enabled, Windows loads only kernel-mode drivers signed through Microsoft's Hardware Dev Center (attestation or WHQL signing), so a cross-signed signature produced as described below is honored only on earlier Windows versions, on systems upgraded from them, or on systems with Secure Boot disabled.

  • Download the Sectigo cross-signed CA certificate (the Microsoft cross-certificate) that matches your Code Signing certificate's Root CA.
  • Open an elevated Windows command prompt (cmd) and run signtool.exe:

signtool.exe sign /v /ac "CROSS_SIGNED_SECTIGO_CA_HERE" /f YOUR_PFX_HERE /tr http://timestamp.sectigo.com/rfc3161 "PATH_TO_FILE_TO_SIGN"

(Use double quotes: cmd.exe does not treat single quotes as string delimiters, so a path containing spaces would be split into several arguments.)

Note: If the certificate file passed with /f does not contain the private key (for example, the key is held in a hardware token or a CSP key container), use the /csp and /k options to specify the CSP and the private key container name, respectively. Add /fd sha256 and /td sha256 to select SHA-256 for the file digest and the RFC 3161 timestamp digest; without them signtool falls back to SHA-1.

Note: For most customers, CROSS_SIGNED_SECTIGO_CA_HERE will be one of:

  • [KMCS] AddTrust External CA Root
  • [KMCS] UTN-USERFirst-Object
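The following PowerShell script is an added example and is not part of the original article or of Sectigo's own tooling. It runs the signing step above end to end and then adds the check a practitioner wants: a signtool verify /kp pass, which validates the signature against the kernel-mode driver signing policy rather than the ordinary code-signing policy, so a missing or wrong cross-certificate shows up before the driver is shipped. All paths (the Windows Kits signtool location, the certificate and driver files) are assumed placeholders.

```powershell
# Added example, not from the original article: sign a driver with a Sectigo
# code-signing certificate plus the matching Microsoft cross-certificate, then
# verify the result against the kernel-mode driver signing policy.
# Every path below is an assumed placeholder; adjust it to your environment.
param(
    [string]$SignTool  = "C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe",
    [string]$CrossCert = "C:\certs\kmcs-cross-cert.cer",   # the [KMCS] cross-signed CA you downloaded
    [string]$Pfx       = "C:\certs\codesign.pfx",          # Sectigo code-signing certificate + private key
    [string]$Driver    = "C:\build\mydriver.sys",
    [string]$Timestamp = "http://timestamp.sectigo.com/rfc3161"
)

foreach ($p in $SignTool, $CrossCert, $Pfx, $Driver) {
    if (-not (Test-Path -LiteralPath $p)) { throw "Missing file: $p" }
}

# Prompt for the PFX password instead of hard-coding it; the plaintext exists
# only for the duration of the signtool call. If the key lives in a hardware
# token, replace /f and /p with /csp and /k as the article's note describes.
$secure = Read-Host -AsSecureString -Prompt "PFX password"
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try {
    $pfxPassword = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
} finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
}

# /fd and /td select SHA-256 for the file digest and the RFC 3161 timestamp
# digest; without them signtool falls back to SHA-1.
$signArgs = @(
    "sign", "/v",
    "/ac", $CrossCert,
    "/f",  $Pfx,
    "/p",  $pfxPassword,
    "/fd", "sha256",
    "/tr", $Timestamp,
    "/td", "sha256",
    $Driver
)
& $SignTool @signArgs
$pfxPassword = $null
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# /kp applies the kernel-mode driver signing policy: the chain must reach a
# root that Windows accepts for kernel-mode code (via the cross-certificate),
# not merely a root trusted for ordinary code signing. This is the check that
# fails when the wrong [KMCS] cross-certificate was passed to /ac.
& $SignTool verify /v /kp $Driver
if ($LASTEXITCODE -ne 0) { throw "Driver does not satisfy the kernel-mode signing policy" }

# Independent look at the result from PowerShell. Note that this cmdlet checks
# the ordinary Authenticode chain only; it does not apply the kernel policy.
Get-AuthenticodeSignature -FilePath $Driver |
    Format-List Status, StatusMessage, SignerCertificate, TimeStamperCertificate
```

Passing the password with /p still exposes it briefly in the process command line, which is visible to other local users; for a build server, keep the private key on a hardware token or in a non-exportable CSP container and use /csp and /k instead.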

For more general information and instructions about kernel-mode signing certificates, see Microsoft's Kernel-Mode Code Signing Walkthrough (MSDN.microsoft.com).