Windows Self-Signed Driver

Source: Internet
Author: User

In particular, Microsoft® instituted a device driver certification process for its Windows® desktop and server operating systems to ensure that drivers are functional with its products.

INF (or information) files are scripts that tell the Windows operating system how to install and configure peripheral hardware drivers (.SYS, .DLL and related files). Once an INF file has been edited, its original digital signature is no longer valid. Any attempt to load a driver package that includes a modified INF file as a clean install will cause a warning window to appear. This warning isn't fatal to the install, but many customers desire a more professional look and feel for the products that they are distributing to their customers. The Windows Hardware Certification process provides new "CAT" signature files for the modified device driver and prevents the warning window from appearing.

With the release of Windows Vista 64-bit Edition and Windows 7 64-bit editions, Microsoft requires signed device drivers. This requirement will carry forward to new operating system releases as well. A Windows Hardware Certified driver becomes eligible for automatic distribution through the Microsoft Windows Update service, allowing Plug and Play driver installation.

Microsoft x64 operating systems (Vista and Windows 7) will not allow unsigned drivers to be installed by default. This technical note discusses some possible workarounds to allow for driver testing, including disabling the certification check in Windows and self-certifying the driver.

Disabling the OS Certification Check

If the F8 key on the keyboard of a PC is held down while the OS is booting up, a menu window appears. The last item on this menu is to disable the driver certification check. Select this option before continuing Windows startup. This will allow non-certified drivers to be loaded.

Note: this step needs to be repeated every time the PC is rebooted, but it does allow developers to test customised drivers.

Alternative Solution: Self-Signed Driver

As noted above, 32-bit versions of Microsoft Windows Vista and 7 allow installation of an unsigned driver even though a warning is displayed. At the time of publication of this application note, a "self-signed" driver can be installed on all 32-bit and 64-bit Windows versions. When a self-signed driver is installed, Windows will display a warning indicating that the source of the signature is unknown and give the option to continue.

It is important to note that although the drivers are not submitted to Microsoft, a current VeriSign Code Signing certificate is necessary. In addition, self-signed drivers are not eligible for distribution through Windows Update, which may lead to a non-ideal end-user experience.

How Do I Generate and Install a Signed *.inf File for Use with NI-VISA and the Driver Development Wizard on Windows 8?

Primary Software: Driver Software>>NI-VISA
Primary Software Version: 5.2
Primary Software Fixed Version: N/A
Secondary Software: N/A

Problem:
How can I sign the INF file generated by the Driver Development Wizard so that it can be installed on a Windows 8 machine?

Solution:
It is possible to use the Driver Development Wizard (DDW) to generate INF files that can be installed onto a machine to bind a given PCI/PXI device to NI-VISA. After doing so, you can use NI-VISA to access the device.

The DDW-generated INF file is not signed. Windows 8 has made it mandatory for an INF to be signed before it can be installed onto a machine.

There are 4 distinct steps to follow before an INF that is generated by the DDW can be installed onto a Windows 8 machine.

1. Generate a catalog (.cat) from the INF.

This can be done by using the Inf2Cat tool, which is provided by Microsoft via the Windows Driver Kit (WDK). This tool is typically installed at: C:\Program Files (x86)\Windows Kits\8.0\bin\x86

One of the parameters given to this tool is the list of operating systems the generated catalog will need to support. Since earlier versions of this tool don't accept the Windows 8 specific values, WDK version 8.0 (which supports Windows 8) is required.

Be sure to navigate to the directory containing the Inf2Cat tool from the command prompt.

Example syntax: cd C:\Program Files (x86)\Windows Kits\8.0\bin\x86

Also, it is recommended to run the command prompt as an Administrator if possible.

Syntax: Inf2Cat /driver:<path> /os:<os1>[,<os2>]...

<path>: Path to the directory that contains the INF. The INF file must be in a directory (e.g. it cannot be a stand-alone file in the C drive). The INF already has the name of the cat file to generate.

<osN>: The OS to support, e.g. XP_X86, Vista_X64, 7_X86, 8_X64, etc.

For more information on the OS support, see External Link: Microsoft Dev Zone: Inf2Cat.

Output: If the <path> contains an *.inf file, this command will create a corresponding *.cat file next to it.

2. Obtain or create a certificate that can be used to sign the *.cat.

Ideally, you should contact a Certificate Authority (CA) to obtain a certificate that you can use to sign all your drivers and INFs.

A certificate typically has a pair of keys, public and private. The public key is distributed to clients who need to use the signed binary/INF. The private key is available to the owner of the certificate and is used to sign anything that needs to be signed. The private key should be protected and not distributed. The public key has enough information to verify the certificate owner.

This process has a few drawbacks:
1. There is an annual fee that needs to be paid to the CA to obtain and use the certificate from them.
2. If you aren't distributing the INF to your customers and only need to use it on your own machine, this process isn't feasible (unless you are buying the certificate for other reasons).

A workaround, if you don't want to buy a certificate from a CA, is for you to create a 'personal' certificate. This certificate, along with the private key, can be installed on a development machine where you'll generate the *.cat file and sign it using this certificate.

Next, take the *.inf file, the signed *.cat file, and a copy of your public key (in the form of a certificate) to the deployment systems, where you'll first install the public certificate as a 'trusted' certificate and then install any *.inf file that has a *.cat file signed with that certificate.

These personal certificates (extension .pfx) can be generated using a variety of third-party applications such as Adobe Reader, the Java SDK, and OpenSSL for Linux distributions.

3. Sign the .cat using the certificate.

Once the *.cat file is generated and the private certificate is installed on a development machine, the *.cat file can be signed using the certificate.

Microsoft provides a tool to sign the INFs, called SignTool. This tool should be available with the WDK. It is located in the same folder as the Inf2Cat tool: C:\Program Files (x86)\Windows Kits\8.0\bin\x86

Please note that the WDK may require a certain version of Visual Studio to use the SignTool. This requirement is listed on the WDK download page.

This tool is also available from the Windows Platform SDK. After installing the Windows 7 SDK, the tool is located at: C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bin

To use SignTool, make sure to navigate to the directory containing the SignTool from the command prompt.

Example syntax: cd C:\Program Files (x86)\Windows Kits\8.0\bin\x86

Syntax: SignTool sign [options] <filename(s)>

Examples:
1. If the private/public key pair is in a file (in .pfx format):
signtool sign /f C:\mycertificate.pfx /p mypfxpassword c:\mycatfile.cat

2. If the key is installed on the dev machine:
signtool sign /n mycertificatename C:\mycatfile.cat

4. Install the public certificate onto the target Windows 8 machine before installing the INF.

Once the *.cat file is signed with the private key, the *.inf file, the signed *.cat file and the public certificate can be distributed together.

To install the *.inf file onto the target machine, the public certificate first needs to be installed. If the certificate is obtained from a CA, it already has a trusted chain of certificates to a 'Trusted Root CA'. Otherwise, if it is a personal certificate, it needs to be installed as a 'Trusted Root'.

To install, right-click on the public certificate (*.cer created by the third-party application) and choose Install Certificate.

In the dialog that shows up, select Local Machine and press Next.

In the following dialog, choose Place all certificates in the following store, press the Browse button and choose Trusted Root Certification Authorities from the list.

Press OK to go back to the Import Wizard and press Next.

Press Finish.

Press OK when prompted with the confirmation dialog.

Note: to view the certificates installed on the system:
A. Run the mmc command to launch the Microsoft Management Console.
B. From the menu, choose File»Add/Remove Snap-in...
C. In the dialog, click on Certificates and press the Add button in the middle of the dialog.
D. In the dialog that shows up, choose the Computer account radio button and press Next and Finish.
E. Press OK.

In the MMC, you can now see the certificates installed for the current user.

The certificate that is imported needs to be under Trusted Root Certification Authorities.

If it isn't, you can right-click on Certificates (Current User) and then choose Find Certificates...

Once it is found, you can copy (or cut) and paste it under Trusted Root Certification Authorities.
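A pre-flight check for steps 1 and 3 above, as an added example that is not part of the original article or NI's tooling: it reads the catalog name from the INF's [Version] section (the CatalogFile directive), applies the directory rule from step 1, and builds the Inf2Cat and SignTool argument lists in the syntax shown above. The sample INF, the path C:\drv\ni and the function names are constructed for illustration.

```python
import ntpath  # Windows path rules, usable on any OS
import re

# Constructed sample INF (not real DDW output); only [Version] matters here.
SAMPLE_INF = """\
; constructed sample
[Version]
Signature   = "$Windows NT$"
CatalogFile = mydevice.cat           ; catalog name Inf2Cat will create
CatalogFile.NTamd64 = "mydevice_x64.cat"
[Manufacturer]
CatalogFile = ignored.cat            ; wrong section, must be ignored
"""

def catalog_names(inf_text):
    """Map each CatalogFile directive in [Version] to its file name."""
    found, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment (quoted ';' not handled)
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "version" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower().startswith("catalogfile"):
                found[key.lower()] = value.strip('"')
    return found

def preflight(inf_path, inf_text):
    """Return the problems that would make step 1 or step 3 fail."""
    problems = []
    folder = ntpath.dirname(inf_path)
    if not ntpath.splitdrive(folder)[1].strip("\\/"):
        problems.append("INF must be inside a directory, not directly on the drive")
    cats = catalog_names(inf_text)
    if not cats:
        problems.append("[Version] names no catalog file")
    for key, cat in cats.items():
        if ntpath.basename(cat) != cat or not cat.lower().endswith(".cat"):
            problems.append(f"{key}: expected a bare *.cat file name, got {cat!r}")
    return problems

def build_commands(inf_path, inf_text, os_list, cert_name):
    """Argument lists for Inf2Cat (step 1) and SignTool (step 3), in the page's syntax."""
    folder = ntpath.dirname(inf_path)
    cmds = [["Inf2Cat", "/driver:" + folder, "/os:" + ",".join(os_list)]]
    for cat in sorted(set(catalog_names(inf_text).values())):
        cmds.append(["signtool", "sign", "/n", cert_name, ntpath.join(folder, cat)])
    return cmds
```

preflight returns an empty list when the INF is ready for Inf2Cat; each list from build_commands can be passed to subprocess.run on the development machine.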

How do I create a self-signed certificate for code signing on Windows?

While you can create a self-signed code-signing (SPC) certificate in one go, I prefer to do the following:

Creating a self-signed Certificate Authority (CA)
makecert -r -pe -n "CN=My CA" -ss CA -sr CurrentUser ^
         -a sha256 -cy authority -sky signature -sv myca.pvk myca.cer

(^ = allow batch command-line to wrap line)

This creates a self-signed (-r) certificate with an exportable private key (-pe). It's named "My CA", and should be put in the CA store for the current user. We're using the SHA256 algorithm. The key is meant for signing (-sky).

The private key should be stored in the myca.pvk file, and the certificate in the myca.cer file.

Importing the CA Certificate

Because there's no point in having a CA certificate if you don't trust it, you'll need to import it into the Windows certificate store. You can use the Certificates MMC snap-in, but from the command line:

certutil -user -addstore Root myca.cer

Creating a code-signing (SPC) Certificate
makecert -pe -n "CN=My SPC" -a sha256 -cy end ^
         -sky signature ^
         -ic myca.cer -iv myca.pvk ^
         -sv myspc.pvk myspc.cer

Pretty much the same as above, but we're providing an issuer key and certificate (the -ic and -iv switches).

We'll also want to convert the certificate and key into a PFX file:

pvk2pfx -pvk myspc.pvk -spc myspc.cer -pfx myspc.pfx

If you want to protect the PFX file, add the -po switch; otherwise pvk2pfx creates a PFX file with no passphrase.

Using the certificate for signing code
signtool sign /v /f myspc.pfx MyExecutable.exe

If you import the PFX file into the certificate store (you can use PVKIMPRT or the MMC snap-in), you can sign code as follows:

signtool sign /v /n "Me" /s SPC /d http://www.me.me ^
         /t http://timestamp.url MyExecutable.exe

Some possible timestamp URLs for signtool /t are:

    • http://timestamp.verisign.com/scripts/timstamp.dll
    • http://timestamp.globalsign.com/scripts/timstamp.dll
    • http://timestamp.comodoca.com/authenticode
Full Microsoft Documentation
    • SignTool: http://msdn.microsoft.com/en-us/library/8s9b9yaz.aspx
    • Makecert: http://msdn.microsoft.com/en-us/library/bfsktky3.aspx
    • pvk2pfx: http://msdn.microsoft.com/en-us/library/windows/hardware/ff550672(v=vs.85).aspx

How to sign an Unsigned Driver for Windows 7 x64

4 steps to create free SSL certificate for development

Introduction and Goal

Step 1: Locate makecert.exe

Step 2: Create the certificate

Step 3: Assign the certificate to the site

Step 4: Test the site

Step 5: Find a nice restaurant

SSL Diagnostic Tool

libusbK, dpscat.exe

Creates self-signed .cat files from .inf files.

By default, dpscat.exe searches the working directory for all files matching the filespec *.inf.

USAGE: dpscat.exe [/path PATH]

/path PATH - Specifies an alternate .inf file search directory.
