
I have issued myself a Code Signing certificate from a certificate server. I have also issued myself the root certificate from the same certificate server. The root certificate exists in both the Current User and Local Computer certificate stores within the Trusted Root Certification Authorities folder. I have successfully signed a DLL using the signtool.exe wizard:

"C:\Program Files\Microsoft SDKs\Windows\v6.0A\Bin\signtool.exe" signwizard <MyDLLName>.dll

However, when I try to verify my DLL, it fails verification with the following error:

"C:\Program Files\Microsoft SDKs\Windows\v6.0A\Bin\signtool.exe" verify <MyDLLName>.dll
SignTool Error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
SignTool Error: File not valid: <MyDLLName>.dll

Why is this happening? I thought having the root certificate in the Trusted Root Certification Authorities folder would verify the DLL.

Alexandru

1 Answer


On your verify command, add the /pa option to tell it to use the Default Authentication Verification Policy instead of the Windows Driver Verification Policy, meaning it will look at your certificate stores instead of the limited set of CAs Microsoft trusts with drivers.

Look here for more options: http://msdn.microsoft.com/en-us/library/8s9b9yaz(v=vs.90).aspx

Kevin Green
  • Hi Kevin, I am trying to call a WCF service hosted with a self-signed SSL certificate; will installing the SSL certificate locally with the above option work? Can you send the complete command to use? I have both .pfx and .cer files, but ASP.net is unable to trust the SSL provider. – Sanjay Zalke Sep 09 '13 at 17:08
  • @SanjayZalke You can just use the Windows certificate management tools to install the certificate in the Trusted Root CAs folder of the Local Computer. You can launch it through mmc.exe by adding the Certificates snap-in. – Kevin Green Sep 17 '13 at 19:04
  • An important note here is that if you're doing this with a KERNEL DRIVER (.sys), this won't work, because kernel drivers must ultimately be trusted by the Microsoft Root Certificate. The verify itself will pass if you add the /pa option mentioned, but the driver will not actually load; it'll still say Unsigned driver error. During bootup the kernel doesn't have access to the full Certificate Store, so it can only look at the limited set of CAs Microsoft trusts with drivers. – Syclone0044 Feb 09 '14 at 04:21
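As an added example (not code from the question, the answer or the comments), the following PowerShell script runs signtool verify under the default Authenticode policy (/pa) from the answer and under the kernel-mode driver policy (/kp) that the last comment describes, and compares both with Get-AuthenticodeSignature. It assumes signtool.exe is reachable via the $SignTool path and that the signed file is passed as -Path.

```powershell
# Added example: check one signed file under both signtool verification policies.
# Assumptions: $SignTool points at signtool.exe (e.g. the SDK Bin path from the
# question) and -Path is the DLL or .sys that was signed with the private CA.
param(
    [Parameter(Mandatory)] [string] $Path,
    [string] $SignTool = 'signtool.exe'   # assumed location; adjust to your SDK
)

function Invoke-SignToolVerify {
    # $Policy is '/pa' (default Authenticode policy, honours the local Trusted
    # Root CAs store) or '/kp' (kernel-mode driver policy, Microsoft roots only).
    param([string] $Policy)
    # /v prints the certificate chain, so a failure can be traced to the root
    # that the chosen policy refused to trust.
    $output = & $SignTool verify $Policy /v $Path 2>&1 | Out-String
    [pscustomobject]@{
        Policy = $Policy
        Passed = ($LASTEXITCODE -eq 0)
        Output = $output.Trim()
    }
}

# 1. Default policy: a privately issued root installed in Trusted Root CAs passes.
$pa = Invoke-SignToolVerify -Policy '/pa'

# 2. Kernel-mode driver policy: the same file fails unless it chains to a root
#    Microsoft trusts for drivers, whatever the local store contains.
$kp = Invoke-SignToolVerify -Policy '/kp'

# 3. PowerShell's own Authenticode check for comparison; Status 'Valid' means the
#    chain built to a trusted root under the default policy.
$sig = Get-AuthenticodeSignature -FilePath $Path

$pa, $kp | Format-Table Policy, Passed -AutoSize
'Get-AuthenticodeSignature: {0} (signer: {1})' -f $sig.Status, $sig.SignerCertificate.Subject

if ($pa.Passed -and -not $kp.Passed) {
    'Chain ends in a root trusted only via the local store: acceptable for user-mode code, not for a kernel driver.'
} elseif (-not $pa.Passed) {
    # Show the chain so the missing or untrusted root can be identified.
    $pa.Output
}
```

Running it against the DLL from the question shows /pa passing while /kp fails, which is exactly the split the answer and the kernel-driver comment describe.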