How to Perform Kernel Mode Code Signing


How to sign code in kernel mode with a kernel code signing certificate

Kernel mode is the most privileged CPU mode; it's where the operating system kernel and device drivers run with unrestricted access to memory and hardware. A bug or crash in kernel mode can take down the whole system, and malicious code running there can subvert every security control layered above it. So it goes without saying that anything written to run in kernel mode needs to be signed, using a process known as kernel mode code signing, so that the operating system and its users can verify who produced the code and that it hasn't been altered since.

But signing the drivers and code you create to run in kernel mode isn't always the most straightforward process. That's why we've created this resource to walk you through it.

Obtaining a Valid Kernel Code Signing Certificate

Before we get to kernel mode code signing, you need to make sure you have a valid code signing certificate (one issued with the Code Signing extended key usage, not a TLS certificate) from a trusted certificate authority (CA) like Sectigo or DigiCert.


Obtaining a code signing certificate requires you or your organization to undergo identity validation by the CA. That friction exists for a reason: a digital signature is a powerful trust anchor, and a kernel code signing certificate that is mis-issued or stolen lets whoever holds it load code at the highest privilege level on every Windows machine that trusts the issuing CA. Treat the private key accordingly: keep it on a hardware token or HSM where you can, and never commit a .pfx file to source control.


Once you've satisfied validation and the CA has issued your code signing certificate, you can use it to sign your drivers. One caveat: on Windows 10 and later, Microsoft additionally requires kernel-mode drivers to be signed through its Hardware Dev Center (attestation signing or WHQL) before they will load on systems with Secure Boot enabled; your CA-issued certificate is what you use to sign the package you submit there.

Signing in Kernel Mode

Once you've installed the code signing certificate on the machine you sign from (typically your build server), open a command prompt with the Windows SDK tools on the path (signtool ships with the SDK) and run this command:

signtool sign /v /fd SHA256 /f "path to .pfx file" /p PASSWORD_OF_PFX /tr TIMESTAMP_SERVER_URL /td SHA256 "path to driver .cat file"

Run it for the driver's .cat file, and for the .sys file as well if you need an embedded signature (boot-start drivers require one). /fd SHA256 sets the file digest algorithm, /tr and /td SHA256 request an RFC 3161 SHA-256 timestamp (use /t instead of /tr if your CA only offers a legacy Authenticode timestamp server), and /v prints what was signed. Afterwards, run signtool verify /kp /v on each file to check the signature against the kernel-mode driver signing policy rather than the default Authenticode policy.

Do NOT forget the timestamp. A timestamp from a trusted timestamp authority proves the signature was produced while your certificate was still valid, so the signature stays trusted after the certificate expires. Without one, your signatures are only good for as long as the certificate is, and your code will be distrusted the day it expires.

To find out what timestamp server you need to list, and whether it is an RFC 3161 server (/tr) or a legacy Authenticode one (/t), contact the CA that issued your certificate. Oftentimes, CAs run their own timestamp servers, though your CA may refer you to a third-party server instead.

One more thing: the machine you sign on needs network access to the timestamp server, because signtool contacts it during signing. If your build environment is locked down, allow outbound access to that one host. That should have been implied by the previous statement about timestamping, but you really have to spell it out for people sometimes. Not you, of course. But some people.
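Putting the steps above together, here is a PowerShell wrapper around signtool that does the pre-flight checks, signing, timestamping and verification in one pass. It is an added example, not code from the original article or from any CA: it assumes signtool.exe is on the PATH, and the script name, parameter names and the paths in the comments are placeholders you replace with your own.

```powershell
# Sign-Driver.ps1 (hypothetical name, added example): sign a driver's .sys and
# .cat files with a PFX, timestamp them, and verify against the kernel-mode
# driver signing policy. Assumes signtool.exe (Windows SDK) is on the PATH.
param(
    [Parameter(Mandatory)] [string]   $PfxPath,       # e.g. C:\certs\driver-signing.pfx (placeholder)
    [Parameter(Mandatory)] [string]   $PfxPassword,   # prefer feeding this from a secret store, not a shell history
    [Parameter(Mandatory)] [string]   $TimestampUrl,  # the RFC 3161 server your CA told you to use
    [Parameter(Mandatory)] [string[]] $Files          # the .sys and .cat files to sign
)

$ErrorActionPreference = 'Stop'
$CodeSigningEku = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning

# Pre-flight: load the PFX and confirm it is a currently valid code signing
# certificate with a private key. signtool would fail later anyway, but this
# gives a clear error before any file is touched.
$cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
                   -ArgumentList $PfxPath, $PfxPassword
if (-not $cert.HasPrivateKey) {
    throw "PFX does not contain a private key: $PfxPath"
}
$ekuExt = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasCodeSigning = $ekuExt -and ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $CodeSigningEku })
if (-not $hasCodeSigning) {
    throw "Certificate $($cert.Thumbprint) lacks the Code Signing EKU ($CodeSigningEku)"
}
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate $($cert.Thumbprint) is not valid now (valid $($cert.NotBefore) to $($cert.NotAfter))"
}

foreach ($file in $Files) {
    if (-not (Test-Path -Path $file)) { throw "File not found: $file" }

    # Sign with a SHA-256 file digest and an RFC 3161 SHA-256 timestamp.
    # /fd = file digest, /tr = RFC 3161 timestamp server, /td = timestamp digest.
    & signtool sign /v /fd SHA256 /f $PfxPath /p $PfxPassword `
        /tr $TimestampUrl /td SHA256 $file
    if ($LASTEXITCODE -ne 0) { throw "signtool sign failed for $file (exit code $LASTEXITCODE)" }

    # Verify against the kernel-mode driver signing policy (/kp), not the
    # default Authenticode policy; a signature can pass one and fail the other.
    & signtool verify /v /kp $file
    if ($LASTEXITCODE -ne 0) { throw "signtool verify /kp failed for $file (exit code $LASTEXITCODE)" }

    # Independent check from PowerShell: the signature must validate and must
    # carry a timestamp, or it will not outlive the certificate.
    $sig = Get-AuthenticodeSignature -FilePath $file
    if ($sig.Status -ne 'Valid') {
        throw "Get-AuthenticodeSignature reports status '$($sig.Status)' for $file"
    }
    if ($null -eq $sig.TimeStamperCertificate) {
        throw "No timestamp on $file; re-sign with a reachable timestamp server"
    }
    Write-Host ("Signed {0}: signer '{1}', timestamped by '{2}'" -f $file,
        $sig.SignerCertificate.Subject, $sig.TimeStamperCertificate.Subject)
}
```

A typical invocation would be `.\Sign-Driver.ps1 -PfxPath C:\certs\driver-signing.pfx -PfxPassword $pw -TimestampUrl $tsUrl -Files .\mydriver.sys, .\mydriver.cat` (all placeholders). The script stops at the first failure, so a missing timestamp or a certificate without the Code Signing EKU surfaces immediately instead of being discovered when the driver refuses to load.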