Signing Drivers with a Digital Certificate

Computer users without administrator privileges cannot install unsigned drivers! Drivers must be signed by certificates that Windows 7 trusts, while a user account with administrator privileges can install unsigned drivers. In the case of a network environment where ordinary users need to install unsigned drivers or applications, an administrator can authorize such installation using a self-signed digital certificate.

Digital Certificates allow users to identify that the source of the device driver or application is a legitimate publisher. It does not mean that the driver or application is bug free but its source is trustworthy that is, coming from its claimed source and it is intact.

A self-signed certificate will be valid only to your environment and can be created from a certificate authority server running Windows Server and Certificate Services. In order to have a certificate that is recognized by other users outside your organization, it needs to be issued by an external Certificate Authority such as, VeriSign. It is recommended to thoroughly test self-signed drivers in a test environment prior to deployment on production machines.

The steps involved in signing a driver are as follows:

  1. Create a digital certificate from the Certificates console on the Certificate server (CA) or using the MakeCert utility.
  2. From the Certificates console add the certificate to the Trusted Root CA Certification Authorities store
  3. Add the Certificate to the Trusted Publishers store
  4. Create a catalog file for the driver package and sign the catalog file using the Signtool utility
  5. Place the Certificate on client computers – using Group Policy to deploy on multiple machines
  6. Stage the driver package in the protected driver store of client computers

The description above is a brief introduction to the driver signing procedure, detailed explanations about the various steps will follow in future articles.