On August 1, 2019, Microsoft announced that the Microsoft Trusted Root Program is ending support for cross-signed root certificates with kernel-mode signing capabilities. In 2021, most of the cross-signed certificates expire.
When the cross-signed certificate that your code signing certificate is chained to expires, you will no longer be able to create new kernel-mode digital signatures. This affects all versions of Windows. To learn more about Microsoft's deprecation plans for kernel-mode digital signatures, see Deprecation of Software Publisher Certificates, Commercial Release Certificates, and Commercial Test Certificates.
Note: All existing cross-signed root certificates with kernel-mode signing capabilities continue to work until they expire. See Expiration dates of DigiCert brand trusted cross-signed certificates below.
Starting in 2021, Microsoft will be the sole provider of production kernel-mode code signatures. Microsoft has implemented a new process for signing kernel-mode driver packages. You will need to sign any new kernel-mode driver packages by following Microsoft's updated Hardware Submission instructions. See Partner Center for Windows Hardware.
As a first step in this sunsetting process, DigiCert has removed the Microsoft Kernel-Mode Code platform option from Code Signing certificate request forms: new, reissue, and renew.
This means going forward, you can no longer order, reissue, or renew a code signing certificate for the kernel-mode platform.
You can continue to use your code signing certificate as follows:
If you need to sign new kernel-mode code driver packages after the cross-signed certificate it's chained to expires, you need to follow Microsoft's updated Hardware Submission instructions. See Partner Center for Windows Hardware.
For information about when the DigiCert branded cross-signed certificates expire, see the Expiration dates of DigiCert brand trusted cross-signed certificates section below.
If your certificate chain ends in Microsoft Code Verification Root, your driver package is affected.
To view the cross-signed certificate chain, run signtool verify /v /kp <mydriver.sys>
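One way to automate this check across many drivers, as an added example that is not part of the original article: a Python parser for the verbose text printed by signtool verify /v /kp. It assumes the English "Issued to / Issued by / Expires" layout of that output; the sample output, CA names, dates and the helper names cross_chain and check_driver are constructed for illustration.

```python
import re
from datetime import datetime

MS_ROOT = "Microsoft Code Verification Root"

# Constructed sample in the layout of `signtool verify /v /kp` output.
# CA names, dates and hashes are placeholders, not real certificates.
SAMPLE = """\
Verifying: mydriver.sys
Signing Certificate Chain:
    Issued to: Example Root CA
    Issued by: Example Root CA
    Expires:   Mon Nov 10 00:00:00 2031
    SHA1 hash: <placeholder>

Cross Certificate Chain:
    Issued to: Microsoft Code Verification Root
    Issued by: Microsoft Code Verification Root
    Expires:   Sat Jan 01 00:00:00 2050
    SHA1 hash: <placeholder>

        Issued to: Example Root CA
        Issued by: Microsoft Code Verification Root
        Expires:   Thu Apr 15 00:00:00 2021
        SHA1 hash: <placeholder>

The signature is timestamped: Tue Mar 02 10:00:00 2021
"""

ENTRY = re.compile(r"Issued to:\s*(.+?)\s*\n\s*Issued by:\s*(.+?)\s*\n"
                   r"\s*Expires:\s*\w{3} (.+?)\s*\n")

def cross_chain(output):
    """Return (issued_to, issued_by, expires) for each cross-chain entry."""
    section = output.partition("Cross Certificate Chain:")[2]
    body = []
    for line in section.splitlines():
        if line and not line[0].isspace():
            break  # the next unindented heading ends the section
        body.append(line)
    return [(to, by, datetime.strptime(exp, "%b %d %H:%M:%S %Y"))
            for to, by, exp in ENTRY.findall("\n".join(body) + "\n")]

def check_driver(output, today):
    """Report whether the chain ends in the Microsoft root and, if so, when
    the cross-certificate expires and whether new signatures are still possible."""
    expiries = [exp for to, by, exp in cross_chain(output)
                if by == MS_ROOT and to != MS_ROOT]
    if not expiries:
        return {"affected": False, "expires": None, "can_sign_new": None}
    expires = min(expiries)
    return {"affected": True, "expires": expires, "can_sign_new": today < expires}
```

On a build machine, pass the captured signtool output as the first argument and datetime.now() as the second.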