Driver Lifecycle Fundamentals > Installation and Driver Signing > Driver Signing Requirements for Windows

Microsoft Cross-Certificates for Windows Vista Kernel Mode Code Signing

Updated: June 9, 2006

This information describes how to obtain and use cross-certificates to sign kernel-mode binary files for Microsoft Windows Vista.

*
On This Page
Cross-Certificates OverviewCross-Certificates Overview
Determining which Cross-certificate to UseDetermining which Cross-certificate to Use
Root Authority Cross-Certificate ListRoot Authority Cross-Certificate List
Baltimore CyberTrust RootBaltimore CyberTrust Root
Equifax Secure Certificate AuthorityEquifax Secure Certificate Authority
GTE CyberTrust Global RootGTE CyberTrust Global Root
GlobalSign Root CAGlobalSign Root CA
GeoTrust Global CAGeoTrust Global CA
VeriSign Class 3 Public Primary Certification AuthorityVeriSign Class 3 Public Primary Certification Authority

Cross-Certificates Overview

A cross-certificate is a certificate issued by one Certificate Authority (CA) that signs the public key for the root certificate of another Certificate Authority. Cross-certificates provide a means to create a chain of trust from a single, trusted, root CA to multiple other CAs.

In Windows Vista, cross-certificates:

Allow the operating system kernel to have a single trusted Microsoft root authority.

Extend the chain of trust to multiple commercial CAs that issue Software Publisher Certificates, which are used for code-signing software for distribution, installation, and loading on Windows.

The cross-certificates provided here are used with the Windows Driver Kit (WDK) code-signing tools for properly signing kernel-mode software. Digitally signing kernel-mode software is similar to code-signing any software published for Windows. Cross-certificates are added to the digital signature by the developer or software publisher when signing the kernel-mode software. The cross-certificate itself is added by the code-signing tools to the digital signature of the binary file or catalog.

Notes:

For x64 editions of Windows Vista, all kernel-mode code must be digitally signed.

You do not need to distribute the cross-certificate as a separate file in software distribution packages that contain signed kernel-mode code.

More information:
Digital Signatures for Kernel Modules on Systems Running Windows Vista

Top of pageTop of page

Determining which Cross-certificate to Use

Microsoft has issued one cross-certificate for each public key root certificate for CAs who have agreed to support the use of Software Publisher Certificates for kernel-mode code signing. This correct cross-certificate must be used when digitally signing kernel-mode code.

A CA might have one or more root certificates under which they issue Software Publisher Certificates.

To determine which cross-certificate you need to use for kernel-mode code signing:

1.

In the Microsoft Management Console (MMC), add the Certificates snap-in (certmgr.msc) to view your code-signing certificate.

2.

Locate your signing certificate in the certificate store, and then double-click it.
Your certificate is listed in one of these locations, depending on how the certificate was installed:

The Current User, Personal, Certificates store, or

The Local Machine Certificates store.

3.

In the Certificate dialog box, select the Certification Path property tab, and then select the top-most certificate in the certification path.
This is the CA that is the issuing root authoring for your certificate.

4.

To view the root authority certificate, select View Certificate, and then click the Details property tab.

5.

Find the Issuer Name and Thumbprint for the issuing CA of this certificate, and then locate the corresponding cross-certificate in the "Root Authority Cross Certificate List" on this page.

6.

Download the related cross-certificate from the "Root Authority Cross Certificate List," and use this cross-certificate when digitally signing kernel-mode code.

Top of pageTop of page

Root Authority Cross-Certificate List

Microsoft provides a specific cross-certificate for each Certificate Authority that issues code-signing certificates for code-signing kernel-mode code. This list shows the correct cross-certificate for the root authority that issued your Software Publisher Certificate. Follow the steps above to identify your Certificate Authority, and then download the related cross-certificate.

Top of pageTop of page

Baltimore CyberTrust Root

Issuer identification in Certification properties:
CN = Baltimore CyberTrust Root
OU = CyberTrust
O = Baltimore
C = IE

Valid to: Monday, May 12, 2025 4:59:00 PM

Root certificate thumbprint:
d4 de 20 d0 5e 66 fc 53 fe 1a 50 88 2c 78 db 28 52 ca e4 74

Cross-certificate thumbprint:
06 af 96 ac 6c 4a b4 76 aa e9 15 06 d3 7c 2b 1b 48 88 97 e9

 Download cross-certificate for Baltimore CyberTrust Root
(Certificate file in a 37 KB self-extracting zip file)

Top of pageTop of page

Equifax Secure Certificate Authority

Issuer identification in Certification properties:
OU = Equifax Secure Certificate Authority
O = Equifax
C = US

Valid to: Wednesday, August 22, 2018 9:41:51 AM

Root certificate thumbprint:
d2 32 09 ad 23 d3 14 23 21 74 e4 0d 7f 9d 62 13 97 86 63 3a

Cross-certificate thumbprint:
35 0d 68 90 31 00 98 3f 80 4d b2 65 f9 a5 e2 45 d9 c5 92 28

 Download cross-certificate for Equifax Secure Certificate Authority
(Certificate file in a 37 KB self-extracting zip file)

Top of pageTop of page

GTE CyberTrust Global Root

Issuer identification in Certification properties:
CN = GTE CyberTrust Global Root
OU = GTE CyberTrust Solutions, Inc.
O = GTE Corporation
C = US

Valid to: Monday, August 13, 2018 4:59:00 PM

Root certificate thumbprint:
97 81 79 50 d8 1c 96 70 cc 34 d8 09 cf 79 44 31 36 7e f4 74

Cross-certificate thumbprint:
d5 59 75 25 e4 fb 50 61 93 e0 95 a8 91 ee 88 f6 aa d1 10 f9

 Download cross-certificate for GTE CyberTrust Global Root
(Certificate file in a 37 KB self-extracting zip file)

Top of pageTop of page

GlobalSign Root CA

Issuer identification in Certification properties:
CN = GlobalSign Root CA
OU = Root CA
O = GlobalSign nv-sa
C = BE

Valid to: Tuesday, January 28, 2014 5:00:00 AM

Root certificate thumbprint:
2f 17 3f 7d e9 96 67 af a5 7a f8 0a a2 d1 b1 2f ac 83 03 38

Cross-certificate thumbprint:
3e eb 27 50 a1 99 f5 e7 b6 a8 95 24 30 be 50 62 fe 04 e9 e5

 Download cross-certificate for GlobalSign Root CA
(Certificate file in a 37 KB self-extracting zip file)

Top of pageTop of page

GeoTrust Global CA

Issuer identification in Certification properties:
CN = GeoTrust Global CA
O = GeoTrust Inc.
C = US

Valid to: Friday, May 20, 2022 9:00:00 PM

Root certificate thumbprint:
de 28 f4 a4 ff e5 b9 2f a3 c5 03 d1 a3 49 a7 f9 96 2a 82 12

Cross-certificate thumbprint:
a0 65 5e bd 95 c2 26 f3 e3 bf 06 42 95 cb 5c 94 cb 1d 3b 16

 Download cross-certificate for GeoTrust Global CA
(Certificate file in a 37 KB self-extracting zip file)

Top of pageTop of page

VeriSign Class 3 Public Primary Certification Authority

Issuer identification in Certification properties:
OU = Class 3 Public Primary Certification Authority
O = VeriSign, Inc.
C = US

Valid to: Tuesday, August 01, 2028 4:59:59 PM

Root certificate thumbprint:
74 2c 31 92 e6 07 e4 24 eb 45 49 54 2b e1 bb c5 3e 61 74 e2

Cross-certificate thumbprint:
58 45 53 89 cf 1d 0c d6 a0 8e 3c e2 16 f6 5a df f7 a8 64 08

 Download cross-certificate for VeriSign Class 3 Public Primary Certification Authority
(Certificate file in a 37 KB self-extracting zip file)


Top of pageTop of page