Does a Windows driver signing certificate exist? Maybe…

If you came here to know about Windows driver signing certificates, then let us tell you that no such thing exists. Now you might be wondering what we’re going to write in this article. Well, we’ve written this article to help you learn about certificates that sign your driver packages. Why the heck did we say that a “Windows driver signing certificate” exists? That’s because these certificates are regarded as “code signing certificates.” Let’s start decrypting what this term means and what it does.

Code Signing Certificates: The Carriers of Trust & Reputation

Let’s say you want to install XYZ software. You go to Google and search for it. Many sites show up, telling you to visit and download XYZ software from some website. Now, isn’t it possible that there’s a scammer behind one of these websites, and he’s luring you to download a malware-infected software instead of the software that you want? Is there any way to know the legitimacy of a software/application before you install it on your computer? Well, there is, and it’s called a “code signing certificate.”

A code signing certificate, as the name suggests, allows programmers and developers to sign their scripts, code, and executable before making them public. This way, signing a software/code provides two things:

• Maintains the integrity of the software/app/code by preventing any alteration by any unauthorized entity.
• Helps users identify the legitimacy of the software/code company/developer by verification of the publisher/developer.

How a Code Signing Certificate (Windows Driver Signing Certificate) Works

If you’re a software developer/publisher and if you want to communicate to your users that you have signed the code, you must submit a request for a code signing certificate to a recognized certificate authority (CA). This ecosystem is regarded as “public key infrastructure” (PKI) or “asymmetric encryption.”

After you submit a request for a code signing certificate to a CA, the certificate authority verifies your identity/legitimacy to make sure that you’re who you’re saying you are. After the completion of this vetting procedure, the CA issues the code signing certificate to you. This certificate may sound like some sort of an award, but it’s nothing like that. It has a bunch of files that are used to encrypt and sign your code.

When your request for the certificate is accepted, two keys are generated. These keys are known as “public key” and “private key.” Both these keys are distinct yet mathematically related. That’s why they’re also known as a “key pair.” The private key, as you can guess by its name, is supposed to be stored securely by you. It’s stored on your machine and isn’t supposed to be submitted to the certificate authority. The public key, which is publicly available, is submitted to the certificate authority, and then your certificate is issued.

If all of this sounded a lot like an SSL/TLS certificate to you, then you’re absolutely spot on. That’s because these certificates also work on PKI, the same way an SSL/TLS certificate does.

When you want to sign your software or code, you must apply the private key to apply the digital signature to your software/code. This does two things. First, it encrypts the code of your software/app so that no one can alter it without your permission. And secondly, it attaches your signature (identity) to the software so that a user can verify it once they download it on their devices. Thus, helping users be sure of the legitimacy of the software or app they’ve downloaded.

The name of the developer/publisher is displayed when your computer asks you for your permission when you try to install it on your device. So, if Microsoft has developed software, its name would be displayed in the pre-installation window. Here’s how it looks:

What Would Happen Without a Code Signing Certificate?

If you release software without signing it using your code signing certificate (Windows driver signing certificate), then Microsoft SmartScreen displays a warning to the user, saying that the software is from an unverified publisher. These pesky warnings are bound to have an impact on user trust levels and bring down your number of downloads. Not only that, but it also becomes easy for fraudsters to release spoofy files in your name and fool users into installing them into their systems. This will surely harm your reputation.

Code Signing Certificate & Windows Drivers

At the end of the day, drivers are also software that we install on our systems. However, drivers are quite more critical as they’re directly connected to various kernel and user-mode functionalities of the computer. An infected driver file could wreak havoc on your computer. That’s why Microsoft has made it mandatory for all developers/publishers to sign driver packages before releasing them. Thus, if you’re going to release a driver package for Windows, you have no option but to sign it using a code signing certificate. Now you might understand why people regard these certificates as “windows driver signing certificates.”

EV Code Signing is a Must for Windows 10

When it comes to code signing certificates, there are two kinds: organization validation (OV) and extended validation (EV) code signing certificates. OV code signing certificates are the usual kind of code signing certificates that are more frequently used. To get an OV code signing certificate, you must undergo a vetting process conducted by your CA.

EV code signing certificates, as the name suggests, are the most advanced certificates. To get an EV code signing certificate, you must undergo a rigorous vetting process. One of the significant differences between an OV and EV code signing certificate is that an EV certificate can only be delivered on a USB hardware token. This token enables two-factor authentication, enhancing its security, making it a better option compared to OV certificates. And that’s why Microsoft has made an EV code signing mandatory for drivers that are made for Windows 10.

For the older Windows versions, EV comes as a better option as the SmartScreen filter instantly trusts codes signed using an EV certificate, thereby showing no warnings whatsoever. For codes signed using OV certificates, warnings might be shown to users if you haven’t established enough reputation in Microsoft’s eyes.

Final Word

We hope all of this helped you to understand code signing certificates (Windows driver signing certificates) better. While you start using them, don’t forget to store them at a secure place. That’s because, remember, a certificate is as secure as its private key.