Expiration of KMCS Certificates

Expiration of KMCS Certificates

Background

In the past, Customers signing software or drivers that were to be executed in Windows Kernel Mode, could use any GlobalSign Code Signing Certificate along with the Microsoft Cross Certificate linking back to the GlobalSign Root R1.

This Cross Certificate will expire on April 2021 and Microsoft will not be issuing trusted Cross Certificates for this purpose anymore.

 

New Process

Moving forward, Microsoft’s newest process requires registering to the Microsoft Hardware Program. Registration for the Hardware Program is accessible through the Hardware Dev Center.

Please note that Microsoft allows registration only when signing a file provided by Microsoft with an Extended Validation (EV) Certificate. The signed file must be uploaded as part of the registration process. This way that EV Certificate is registered and uniquely linked to the account in the Hardware Dev Center.

Customers are advised to register for the Windows Hardware Program before the expiration of the Kernel Mode Code Signing (KMCS) Cross Certificate and from then on follow the signing process required by Microsoft. A FAQ by Microsoft regarding all those changes can be found here.

 

Impact/ FAQs

  1. I currently use a GlobalSign Code Signing Certificate for Kernel Mode driver signing, how am I affected?

    Effective April 15, 2021 – you will need to follow the new Kernel Mode driver signing process which requires an EV Code Signing Certificate. OV/ Standard Code Signing using the Cross Certificate will no longer be applicable.

     

    Registration for the Microsoft Hardware Program is required, this can be done in the Microsoft Hardware Dev Center. This way you can register your EV Certificate for further use in signing Kernel Mode driver packages. Driver packages signed with the registered EV Certificate can then be submitted using signtool.exe.
  2. I’m currently signing drivers for execution in Kernel Mode with a Code Signing Certificate, what should I do?

    In this case, please contact your account manager or a representative of GlobalSign as you will need to upgrade to an EV Certificate.
  3. How is software signed before the expiration of the Microsoft Cross Certificate affected?

    If Long-Term-Validity for signatures has been enabled, software signed prior to the expiration date of the Cross Certificate (April 2021) is unaffected. This is default with most signing applications.

Related Articles

GlobalSign System Alerts

View recent system alerts.

View Alerts

Certificate Inventory Tool

Scan your endpoints to locate all of your Certificates.

Log In / Sign Up

SSL Configuration Test

Check your certificate installation for SSL issues and vulnerabilities.