Ask a Question

Advanced Search

Alert ID : AL310320203804

Last Modified : 03/31/2020

Microsoft sunsetting support for cross-signed root certificates with kernel-mode signing capabilities

Description

On August 1, 2019, Microsoft announced the Microsoft Trusted Root Program is ending support for cross-signed root certificates with kernel-mode signing capabilities. In 2021, most of the cross-signed certificates expire. 

 

When the cross-signed certificate that your code signing certificate is chained to expires, you will no longer be able to create new kernel-mode digital signatures. This affects all version of Windows. To learn more about Microsoft's deprecation plans for kernel-mode digital signatures, see Deprecation of Software Publisher Certificates, Commercial Release Certificates, and Commercial Test Certificates.

 

Note: All existing cross-signed root certificates with kernel-mode signing capabilities continue to work until they expire. See Expiration dates of DigiCert brand trusted cross-signed certificates below.

Microsoft's new process for driver submissions

Starting in 2021, Microsoft will be the sole provider of production kernel-mode code signatures. Microsoft has implemented a new process for signing kernel-mode driver packages. You will need to sign any new kernel-mode driver packages by following Microsoft's updated Hardware Submission instructions. See Partner Center for Windows Hardware.

 

What is DigiCert doing about this?

As a first step in this sunsetting process, DigiCert has removed the Microsoft Kernel-Mode Code platform option from Code Signing certificate request forms: new, reissue, and renew.

This means going forward, you can no longer order, reissue, or renew a code signing certificate for the kernel-mode platform.

 

How does this affect my existing kernel-mode code signing certificate?

You can continue to use your code signing certificate as follows:

  • To sign non-driver code until it expires. 
  • To sign kernel-mode driver packages until the cross-signed certificate it's chained to expires.*

If you need to sign new kernel-mode code driver packages after the cross-signed certificate it's chained to expires, you need to follow Microsoft's updated Hardware Submission instructions. See Partner Center for Windows Hardware.

 

*How does this affect my kernel-mode driver package signatures?

  • If you sign and timestamp the kernel-mode code driver package before the cross-signed certificate it's chained to expires, your signature will continue to work after the cross-signed certificate expires!
  • If you only sign the kernel-mode code driver package before the cross-signed certificate it's chained to expires, your signature will become invalid when the cross-signed certificate it's chained to expires.

For information about when the DigiCert branded cross-signed certificates expire, see the Expiration dates of DigiCert brand trusted cross-signed certificates section below.

 

How do I know if my drive packages will be affected by a cross-signed certificate expiring?

If your certificate chain ends in Microsoft Code Verification Root, your drive package is affected.

To view the cross-signed certificate chain, run signtool verify  /v /kp <mydriver.sys>

For example:

 

Expiration dates of DigiCert brand trusted cross-signed root certificates

  • DigiCert Assured ID Root CA -- Expires 4/15/2021
  • DigiCert High Assurance EV Root CA -- Expires 4/15/2021
  • DigiCert Global Root CA -- Expires 4/15/2021
  • GeoTrust Primary Certification Authority -- Expires 2/22/2021
  • GeoTrust Primary Certification Authority - G3 -- Expires 2/22/2021
  • Thawte Primary Root CA -- Expires 2/22/2021
  • Thawte Primary Root CA - G3 -- Expires 2/22/2021
  • VeriSign Class 3 Public Primary Certification Authority - G5 -- Expires 2/22/2021
  • VeriSign Universal Root Certification Authority -- Expires 2/22/2021