If your certificate uses SHA-2 or has SHA-2 certificates in its chain of trust and you are using it to sign kernel modules, please review this article from Microsoft KB3033929.
An update for Windows 7 distributed through Windows Update. On versions of Windows 7 without this update, the kernel will reject signatures made with certificates that use SHA-2, so they cannot be used to get a kernel module to load.
In order for your driver to install successfully, the following file types in your project must be signed:
Download the Sectigo cross-signed CA.
Open an elevated Windows command prompt (cmd) and run signtool.exe:
The following syntax signs the file using a certificate stored in a password protected PFX file
Without the timestamp:
> signtool sign /v /ac 'CROSS_SIGNED_SECTIGO_CA_HERE' /f YOUR_PFX_HERE /p Password /n 'Company Name' 'PATH_TO_FILE_TO_SIGN'
With the timestamp:
> signtool sign /v /ac 'CROSS_SIGNED_SECTIGO_CA_HERE' /f YOUR_PFX_HERE /p Password /n 'Company Name' /tr http://timestamp.sectigo.com/rfc3161 'PATH_TO_FILE_TO_SIGN'
This code will place a signature including the cross signed certificate, that is timestamped in compliance with RFC 3161.
Note:The Company Cert Name should be exactly as is shown in the certificate ''ISSUED TO' field of your own cert
1. You should verify your signature for a driver file using the following command:
> signtool verify /v /kp 'PATH_TO_FILE_TO_SIGN'
2. You should verify that a given driver is 'signed' by a given catalog file using the following command:
> signtool verify /v /kp /c 'C:\\CatFileName.cat' 'PATH_TO_FILE_TO_SIGN'
"v" is for a verbose output and -kp validates it according to kernel mode driver signing criteria.
3. To reduce boot time, sign all drivers and catalog files.
Related Articles and Information: