Self-Signing NDIS Protocol Drivers for Windows Vista

Background

Windows Vista driver signing requirements differ from those of previous Windows versions. In some respects the Vista requirements are more sensible than those on earlier Windows versions. In any event, the Vista driver signing requirements must be accommodated.

The most significant Vista driver signing requirement concerns operation on x64-based versions of Windows Vista. Simply put:

x64-based versions of Windows Vista require that a kernel-mode driver be signed in order for the driver to load.

There are exceptions to this on driver development systems (for example, a machine booted with test signing enabled), but a driver intended for public release cannot rely on them.

Early in the Windows Vista Beta program there was a fair amount of confusion about Vista driver signing practices, and the early signing tools simply did not work. As of Vista RTM, however, the driver signing Help topics and tools in the Windows Driver Kit (WDK) are correct and can be followed as written.


Signing Requirements for NDIS Protocol Drivers

NDIS protocol drivers, including the PCAUSA NDIS protocol drivers provided with Rawether, fall into this driver-signing "category":

  * Non-PnP Kernel-Mode Driver That Is Not a Boot Driver

In addition, there are no WHQL tests for NDIS protocol drivers. This means that:

  * NDIS protocol drivers for public release can be self-signed by the software publisher.

Note that "self-signed" here means release-signed by the publisher with its own CA-issued Software Publisher Certificate (see Step 1 below), as opposed to being signed by Microsoft through WHQL. It does not mean signing with a self-issued test certificate, which the x64 kernel loader will not accept outside test-signing mode.

Together this information means:

The minimum requirement for signing an NDIS protocol driver for Vista is for the publisher to release-sign the driver executable with its own Software Publisher Certificate.

Some NDIS protocol drivers, such as the PCAUSA NDIS 5 drivers, do not use an INF file for installation. For these drivers all that is necessary is to self-sign the driver executable.

Other NDIS protocol drivers, such as the Microsoft NDISPROT and PCAUSA NDIS 6 drivers, do require an INF file for installation. See the companion article Making and Signing Driver Packages for NDIS Protocol Drivers on Windows Vista for more information on building and signing complete NDIS protocol driver packages.

Steps to Self-Sign an NDIS Protocol Driver

Step 1 - Obtain Software Publisher Certificate (SPC)

Names can sometimes be confusing. A "software publisher certificate" is also known as an "Authenticode Code Signing (Class 3) Digital ID" or an "Authenticode Certificate". So, an SPC is just another name for a code signing digital ID.

A publisher obtains an Authenticode Code Signing ID from a "Certificate Authority" (CA) such as Verisign. When you get your ID you will have two files:

  * .PVK - Your private key. Protect this file (and the .PFX derived from it in Step 3): anyone who obtains it can sign kernel-mode code that Windows will attribute to you.
  * .SPC - Your Software Publisher Certificate.

See the MSDN topic "Introduction to Code Signing" for more information about this step.

Step 2 - Obtain Cross-Certificate

In addition to your own code signing ID you will need a cross-certificate (.CER) from Microsoft for the CA that issued your ID. The x64 kernel loader does not trust your CA's root directly; it requires the certificate chain of a kernel-mode signature to terminate in the Microsoft Code Verification Root. The cross-certificate, issued by Microsoft to your CA's root, supplies the link from your certificate chain to that root, and SignTool embeds it in the signature (this is the purpose of the /ac switch in Step 5).

See this URL for more information about obtaining the needed cross-certificate:

http://www.microsoft.com/whdc/winlogo/drvsign/crosscert.mspx

Step 3 - Create Personal Information Exchange (.PFX) File

The Microsoft code signing software does not use your .PVK and .SPC files directly. Instead, the private key and the certificate must be combined into a single "personal information exchange" (.PFX) file. The cross-certificate from Step 2 is not part of the .PFX; it is supplied to SignTool separately when the driver is signed (Step 5).

Convert the .PVK and .SPC files to a personal information exchange (.pfx) file using the pvk2pfx tool. Because the .pfx contains your private key, protect it with a password and keep it off shared build machines. See the WDK Help topic "pvk2pfx Tool". When this article was written this topic could be found online at the URL:

http://msdn2.microsoft.com/en-us/library/aa906332.aspx

Step 4 - Add SPC Information to Your Personal Certificate Store

SignTool can sign from a .PFX file directly, but the procedure used here first imports the .PFX into the Personal certificate store and then selects the certificate by subject name at signing time, which keeps the private-key file and its password off the build command line. To perform this step:

  1. Locate the .pfx file in Windows Explorer and double-click the file to open the Certificate Import wizard.
  2. Follow the procedure in the Certificate Import wizard to import the code-signing certificate into the Personal certificate store.

Step 5 - Sign the Driver Binary File

Finally all of the preliminary steps are complete and the driver can be signed.

Sign the driver using the WDK SignTool utility, as described in the WDK Help topic "Release Signing a Driver File".  When this article was written this topic could be found online at the URL:

http://msdn.microsoft.com/en-us/library/dd434711.aspx

Below is the SignTool command line used at PCAUSA to sign the x64 build of the NDIS 5 protocol driver, PcaSp50a64.sys, for Windows Vista:

SignTool sign /v /ac C:\PCAUSA\Authenticode\MSCV-VSClass3.cer /s my /n "PRINTING COMMUNICATIONS ASSOC., INC." /t http://timestamp.verisign.com/scripts/timestamp.dll PcaSp50a64.sys

Note: all of the text above must be on one command line.

The switches: /v prints verbose output; /ac adds the cross-certificate from Step 2 to the signature so that the chain reaches the Microsoft Code Verification Root; /s my /n "..." selects the certificate imported in Step 4 from the Personal store by its subject name; /t names a timestamp server, so that the signature remains valid after the signing certificate itself expires. After signing, check the result with SignTool's verify command under the kernel-mode driver signing policy (the /kp switch) rather than the default Authenticode policy (/pa): the default policy can report success for a signature that lacks the cross-certificate and that the x64 kernel loader will still reject.
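
The five steps above as one command script, added here as an example; it is not a PCAUSA script or a WDK sample, and it does two things the page does not show: it replaces the Certificate Import wizard of Step 4 with certutil, and it finishes with a SignTool verification under the kernel-mode driver signing policy (/kp). The WDK tools are assumed to be on PATH; the file names publisher.pvk, publisher.spc and publisher.pfx under C:\PCAUSA\Authenticode, the PVKPASS and PFXPASS environment variables and the default driver name are assumptions for the example, while the cross-certificate, subject name and timestamp URL are those from the PCAUSA command line above.

```batch
@echo off
rem Added example, not a PCAUSA script: release-sign an NDIS protocol driver
rem with a CA-issued SPC plus the Microsoft cross-certificate, then verify it
rem against the kernel-mode driver signing policy. Run it from a WDK build
rem environment so that pvk2pfx.exe, certutil.exe and signtool.exe are on PATH.
rem File names, paths, the subject name and the password variables below are
rem assumptions for the example; substitute your own.
setlocal

set PVK=C:\PCAUSA\Authenticode\publisher.pvk
set SPC=C:\PCAUSA\Authenticode\publisher.spc
set PFX=C:\PCAUSA\Authenticode\publisher.pfx
set CROSSCERT=C:\PCAUSA\Authenticode\MSCV-VSClass3.cer
set SUBJECT=PRINTING COMMUNICATIONS ASSOC., INC.
set TSURL=http://timestamp.verisign.com/scripts/timestamp.dll
set DRIVER=%~1
if "%DRIVER%"=="" set DRIVER=PcaSp50a64.sys

rem Passwords come from the environment so they never appear in this file.
if "%PVKPASS%"=="" goto nopass
if "%PFXPASS%"=="" goto nopass
if not exist "%DRIVER%" (
    echo Driver file %DRIVER% not found.
    goto fail
)

rem Step 3: combine the private key (.pvk) and the certificate (.spc) into a
rem password-protected .pfx. The cross-certificate is not part of the .pfx;
rem SignTool takes it separately via /ac in Step 5.
pvk2pfx -pvk "%PVK%" -pi %PVKPASS% -spc "%SPC%" -pfx "%PFX%" -po %PFXPASS% -f
if errorlevel 1 goto fail

rem Step 4: import the .pfx into the current user's Personal ("My") store.
rem This is the command-line equivalent of the Certificate Import wizard.
certutil -user -p %PFXPASS% -importPFX "%PFX%"
if errorlevel 1 goto fail

rem Step 5: sign. /ac embeds the cross-certificate so the chain reaches the
rem Microsoft Code Verification Root; /s my /n selects the certificate from
rem the Personal store by subject name; /t timestamps the signature so it
rem stays valid after the signing certificate expires.
signtool sign /v /ac "%CROSSCERT%" /s my /n "%SUBJECT%" /t %TSURL% "%DRIVER%"
if errorlevel 1 goto fail

rem Check: verify under the kernel-mode driver signing policy (/kp), which is
rem what the x64 Vista loader enforces. The default Authenticode policy (/pa)
rem can pass a signature that lacks the cross-certificate, so /kp is the test
rem that matters for a kernel-mode driver.
signtool verify /kp /v "%DRIVER%"
if errorlevel 1 goto fail

echo %DRIVER% is release-signed and passes the kernel-mode signing policy.
endlocal
exit /b 0

:nopass
echo Set PVKPASS (password of the .pvk) and PFXPASS (password for the .pfx) first.
:fail
echo Signing %DRIVER% failed; see the tool output above.
endlocal
exit /b 1
```

Save it under a name of your choosing (SignDriver.cmd is used here only as an example) and run it from a WDK build window as SignDriver.cmd PcaSp50a64.sys after setting the two password variables; the script stops at the first failing tool so that a half-finished step is not mistaken for a signed driver. Once the .pfx has been imported, Steps 3 and 4 need not be repeated for later builds, and only the sign and verify commands are required.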

 

Topic Status

September 14, 2009 Reviewed.
November 22, 2006 Moved from Rawether.net to NDIS.com.
November 15, 2006 Initial release on Rawether.net.

Copyright © 1996-2010 Printing Communications Assoc., Inc. (PCAUSA)
Last modified: January 17, 2010