Signing Drivers with a Digital Certificate
Computer users without administrator privileges cannot install unsigned drivers! Drivers must be signed by certificates that Windows 7 trusts, while a user account with administrator privileges can install unsigned drivers. In the case of a network environment where ordinary users need to install unsigned drivers or applications, an administrator can authorize such installation using a self-signed digital certificate.
Digital Certificates allow users to identify that the source of the device driver or application is a legitimate publisher. It does not mean that the driver or application is bug free but its source is trustworthy that is, coming from its claimed source and it is intact.
A self-signed certificate will be valid only to your environment and can be created from a certificate authority server running Windows Server and Certificate Services. In order to have a certificate that is recognized by other users outside your organization, it needs to be issued by an external Certificate Authority such as, VeriSign. It is recommended to thoroughly test self-signed drivers in a test environment prior to deployment on production machines.
The steps involved in signing a driver are as follows:
- Create a digital certificate from the Certificates console on the Certificate server (CA) or using the MakeCert utility.
- From the Certificates console add the certificate to the Trusted Root CA Certification Authorities store
- Add the Certificate to the Trusted Publishers store
- Create a catalog file for the driver package and sign the catalog file using the Signtool utility
- Place the Certificate on client computers – using Group Policy to deploy on multiple machines
- Stage the driver package in the protected driver store of client computers
The description above is a brief introduction to the driver signing procedure, detailed explanations about the various steps will follow in future articles.