Windows Kernel-Mode Code Signing with Comodo certificates
As of late August 2013, all valid (not expired, not revoked) Comodo Code Signing Certificates can be used for Kernel-Mode Code Signing on Windows Vista and later.
- Download the Comodo cross-signed CA that matches your Code Signing certificate’s Root CA.
- Open an elevated Windows command prompt (cmd) and run signtool.exe:
signtool.exe sign /v /ac "CROSS_SIGNED_COMODO_CA_HERE" /f YOUR_PFX_HERE /tr http://timestamp.comodoca.com/rfc3161 "FULL_PATH_TO_FILE_TO_SIGN"
Example: signtool.exe sign /v /ac "AddTrustExternalCARoot_kmod.crt" /f my.pfx /tr http://timestamp.comodoca.com/rfc3161 "C:\myfile.dll"
Note: For most customers CROSS_SIGNED_COMODO_CA_HERE will be:
[KMCS] AddTrust External CA Root
OR
[KMCS] UTN-USERFirst-Object.
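The steps above as one batch script with a verification pass appended. This is an added example, not a script from Comodo or Microsoft. The file names are the placeholders from the example command. It assumes signtool.exe is on PATH and that the PFX has no password (the command above passes no /p).

```batch
@echo off
rem Added example: sign with the cross-certificate, then confirm the result
rem passes the kernel-mode signing policy before the binary is shipped.
setlocal

rem Placeholder values taken from the example command; replace with your own.
set "CROSS_CERT=AddTrustExternalCARoot_kmod.crt"
set "PFX=my.pfx"
set "TARGET=C:\myfile.dll"
set "TSA=http://timestamp.comodoca.com/rfc3161"

rem Fail early if any input is missing, so signtool is never run half-configured.
if not exist "%CROSS_CERT%" echo Missing cross-certificate: %CROSS_CERT% & exit /b 2
if not exist "%PFX%" echo Missing PFX: %PFX% & exit /b 2
if not exist "%TARGET%" echo Missing file to sign: %TARGET% & exit /b 2

rem Same command as above. Newer Windows SDK builds of signtool also require
rem /fd to name the file digest algorithm; add it if signtool asks for it.
signtool.exe sign /v /ac "%CROSS_CERT%" /f "%PFX%" /tr %TSA% "%TARGET%"
if errorlevel 1 (
    echo Signing failed.
    exit /b 1
)

rem /kp verifies against the kernel-mode driver signing policy rather than
rem the default policy. A file signed without /ac, or with a cross-certificate
rem that does not match the certificate's root, fails this check.
signtool.exe verify /kp /v "%TARGET%"
if errorlevel 1 (
    echo Kernel-mode policy verification failed. Check that the /ac file matches your root CA.
    exit /b 1
)

echo Signed and verified: %TARGET%
endlocal
exit /b 0
```

In the verbose output of the verify step, the cross-certificate chain should be listed alongside the signing certificate chain.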
For more general information and instructions about kernel-mode signing certificates, see Microsoft's Kernel-Mode Code Signing Walkthrough (MSDN.microsoft.com).