Advanced management of driver certificates and signatures in Windows

  • Windows requires drivers signed with valid certificates and SHA-2 algorithms to ensure integrity and authenticity.
  • The Partner Center allows you to register, renew and revoke EV certificates and to sign drivers through CAB submissions and attestation signing.
  • Disabling driver signing increases the risk of rootkits, so it should only be used in very controlled cases.
  • Tools like DriverView and Bit4id PKI Manager help manage drivers, smartcards, and certificates in advanced environments.

Advanced management of driver certificates and signatures in Windows has become a critical issue for system administrators, developers, and advanced users alike. Since Microsoft tightened signing policies in 64-bit Windows, any driver running in kernel mode must be properly signed and, in many cases, must also pass through Microsoft's validation systems. Add to this changes such as the mandatory adoption of SHA-2 or attestation signing, and things can easily become complicated without a good overall understanding.

In addition to all this, in real-world environments one has to deal with outdated drivers, devices without updated support, cryptographic cards, certificates on smartcards, third-party tools, remote work, devices without internet access, and even systems still in production running Windows 7 or Windows XP. In this context, understanding how digital signatures work, what types of certificates are used, how they are managed in the Hardware Dashboard, and what options are available when something goes wrong is crucial to avoid wasting hours on cryptic errors and compromising system security.

What is driver signing in Windows and why is it so important?

In Windows, a signed driver carries a digital signature associated with the driver package (binaries, INF files, catalogs, etc.). This signature serves two main purposes: verifying that the package has not been modified since the publisher released it (integrity) and confirming the identity of the vendor that signed it (authenticity). On 64-bit systems since Windows Vista, the basic rule is clear: kernel-mode drivers must be signed or they will not load.

When we install a device, the system itself uses digital signatures and certificates to verify that the driver package comes from a trusted publisher and hasn't been corrupted in transit. If something is amiss (invalid signature, expired certificate, unsupported algorithm, modified catalog, etc.), Windows issues warnings, blocks the installation, or simply prevents the driver from loading at startup.

Furthermore, since the early versions of Windows 10, Microsoft has required drivers to be signed through its Hardware Dev Center channel and to use SHA-2 algorithms. This affects not only binaries signed by Microsoft, but also whether third-party drivers signed with SHA-1, or with certificates that are no longer considered secure, are accepted or rejected.

Driver signature changes: from SHA1 to SHA2 and compatibility issues

One of the points that has generated the most headaches is the transition from SHA-1 to SHA-2 in driver signatures. Starting with Windows 10 version 1507, all drivers signed by the Hardware Dev Center use SHA-2. Additionally, certain kernel-mode binaries that carry dual signatures (SHA-1 and SHA-2) from third-party vendors may cause problems on systems prior to Windows 10, or even crashes on Windows 10 and later if certain updates are not installed.

Specifically, Microsoft documented cases in which drivers signed and embedded with dual certificates did not load correctly or could cause blue screens on systems without critical patches. To avoid this, it was recommended to install updates such as KB 3081436, which also published the SHA hashes of the affected files, allowing you to verify whether the system was using problematic binaries.

This mixed scenario has meant that, when deploying drivers in environments with varying Windows versions, it is essential to review the signing requirements by operating system version and ensure that the combination of hash algorithm, certificate type, and signing method is compatible with each target platform.

Administrator role in the Partner Center and driver certificate management

When we talk about hardware developers and companies that distribute drivers, the Partner Center administrator (formerly Hardware Dev Center) plays a key role. This person is responsible for managing the code signing certificates used to sign drivers and for submitting them so that Microsoft can sign or validate them.

From the Partner Center hardware dashboard, the administrator can add, renew, and revoke signing certificates. To do this, log in, access the account or developer settings, and go to the "Manage certificates" section. From there, you can add new certificates, download the files that need to be signed (such as the classic Signablefile.bin), and upload the signed results.

The typical process for registering a certificate involves downloading the binary file provided by Microsoft, signing it with SignTool using /fd sha256 and a SHA-2 timestamp, and uploading the resulting file. The Windows Hardware Dev Center then validates that the certificate belongs to the company and associates it with the account for future driver package signing, either through attestation or via the standard certification processes.

Obtaining and renewing EV certificates to sign drivers

To sign drivers at a professional level, especially when attestation is required or drivers are to be published through Windows Update, it is essential to have an EV (Extended Validation) code signing certificate issued by a recognized certification authority. These certificates require stricter validation of the organization, but in return offer a higher level of trust.

The usual process begins by determining what type of code signing certificate is required: the type of EV certificate depends on the driver, the supported Windows versions, and Microsoft's requirements. If you already have a valid certificate and don't want to change providers, you can reuse it. Otherwise, you must acquire a new EV certificate once the company's identity has been verified by the CA.

Once issuance is approved, the certificate provider gives instructions for retrieving the EV certificate. This certificate is often stored on a hardware device (USB token or HSM) or installed in a secure certificate store. Together with SignTool or equivalent tools, it is used to sign the submission CABs, catalogs, and, in many cases, the driver binaries before they are submitted to Microsoft.

Adding, updating, and removing certificates in the Hardware Panel

With the EV certificate operational, the next step is to keep it properly registered in the Partner Center Hardware Dashboard. To add a new certificate, the administrator logs in, goes to "Account Settings" or "Developer Settings," and then to "Manage Certificates." From there, they can select "Add a new certificate" and follow the wizard.

During the process, the system generates a Signablefile.bin file which must be downloaded and signed with the company's new digital certificate. SignTool is used with the parameter /fd sha256 and a SHA-2 timestamp, so that signatures made with the certificate remain verifiable after its validity period expires, should they need to be validated later.

Once that file is signed, return to the Partner Center and upload it from the same section. If everything is correct, the new certificate will be associated with the developer's account, ready to be used in future driver submissions.

When a certificate is no longer needed or is suspected of being compromised, it can be removed from the dashboard itself: simply locate it in the list and use the "Remove" option in the actions column. This does not automatically revoke signatures already made with it (existing signatures remain valid in most cases), but it prevents the certificate from being used again in new submissions or configurations.

Attestation signing: creating and signing a CAB for drivers

Attestation signing is a mechanism that allows drivers to be distributed without going through the entire traditional WHQL certification process, while still obtaining Microsoft's signature and complying with kernel loading rules. To do this, a CAB file containing the driver package is prepared and submitted through the Partner Center to be signed by Microsoft.

A typical CAB submission contains, at a minimum, the driver binary (e.g., Echo.sys) and the corresponding INF (Echo.inf); PDB symbol files (such as Echo.pdb) are also required so that Microsoft's tools can analyze memory dumps in case of failures. Catalog files (.cat) can also be included for the company's internal checks, although Microsoft regenerates its own catalogs during the signing process.

The CAB is usually created with MakeCab and a DDF file that defines the name of the resulting file, the internal folder layout of the package, and the files to include. The DDF sets parameters such as the compression type, the output name (for example, Echo.cab), and the destination directory within the CAB (usually a subfolder so that the files are not in the root directory).

Once the DDF is prepared, a command such as MakeCab /f Echo.ddf is executed, which generates the CAB file in a subdirectory (such as Disk1). It's a good idea to review its contents to make sure that the binaries, INF, and PDB files have been included correctly before moving on to the next step: signing with the EV certificate.

EV signature from the CAB and submission via the Partner Center

With the CAB generated, it must be signed with the organization's EV certificate. For this, SignTool is used again, pointing to the certificate store where the EV certificate is located and specifying both the hash algorithm (SHA256) and the URL of the timestamping server:

A classic example of a command would be something like SignTool sign /s MY /n "Nombre de la empresa" /fd sha256 /tr http://... /td sha256 /v Echo.cab. This signature guarantees that the entire package is protected and that its integrity and origin can be verified even before Microsoft processes it.
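The DDF, MakeCab, and SignTool steps above as one PowerShell script, with the same signing call reused for Signablefile.bin when registering a certificate in the Partner Center. This is an added example, not the article's own code; the package folder, the EV certificate subject, the timestamp server URL and the location of signtool.exe are assumptions to replace.

```powershell
# Added example: build the Echo driver CAB from a generated DDF and EV-sign it.
# Assumptions (replace for your environment): the package folder .\Echo holds
# Echo.sys, Echo.inf and Echo.pdb; makecab.exe and expand.exe ship with Windows;
# signtool.exe from the Windows SDK is on PATH; $EvSubject and $TsaUrl are placeholders.
$PackageDir = '.\Echo'
$CabName    = 'Echo.cab'
$DiskDir    = 'disk1'                          # MakeCab writes the CAB under this folder
$EvSubject  = 'Company Name'                   # placeholder: CN of the EV certificate in the MY store
$TsaUrl     = 'http://timestamp.example/tsa'   # placeholder: your CA's RFC 3161 timestamp server
$SignTool   = 'signtool.exe'

# Sign a file the way the article describes for both Signablefile.bin and the CAB:
# SHA-256 file digest (/fd) and an RFC 3161 SHA-256 timestamp (/tr, /td) so the
# signature stays verifiable after the certificate itself expires.
function Invoke-EvSign {
    param([Parameter(Mandatory)][string]$Path)
    & $SignTool sign /s MY /n $EvSubject /fd sha256 /tr $TsaUrl /td sha256 /v $Path
    if ($LASTEXITCODE -ne 0) { throw "signtool sign failed on $Path (exit code $LASTEXITCODE)" }
}

# 1. Fail early if the three files Microsoft expects are not in the package.
foreach ($required in 'Echo.sys', 'Echo.inf', 'Echo.pdb') {
    if (-not (Test-Path -LiteralPath (Join-Path $PackageDir $required))) {
        throw "Missing $required in $PackageDir"
    }
}

# 2. Generate the DDF. Zero thresholds mean one cabinet with no splitting across disks;
#    DestinationDir puts the files in a subfolder inside the CAB instead of its root.
$ddfLines = @(
    '.OPTION EXPLICIT',
    '.Set CabinetFileCountThreshold=0',
    '.Set FolderFileCountThreshold=0',
    '.Set FolderSizeThreshold=0',
    '.Set MaxCabinetSize=0',
    '.Set MaxDiskFileCount=0',
    '.Set MaxDiskSize=0',
    '.Set CompressionType=MSZIP',
    '.Set Cabinet=on',
    '.Set Compress=on',
    ".Set CabinetNameTemplate=$CabName",
    '.Set DestinationDir=Echo',
    ".Set DiskDirectoryTemplate=$DiskDir"
)
# Every file in the package folder is included, quoted so that paths with spaces survive.
$ddfLines += Get-ChildItem -LiteralPath $PackageDir -File | ForEach-Object { "`"$($_.FullName)`"" }
Set-Content -LiteralPath 'Echo.ddf' -Value $ddfLines -Encoding Ascii

# 3. Build the CAB (equivalent to "MakeCab /f Echo.ddf") and list what went into it.
& makecab.exe /f 'Echo.ddf' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "makecab failed with exit code $LASTEXITCODE" }
$CabPath = Join-Path $DiskDir $CabName
& expand.exe -D $CabPath                        # review the contents before signing

# 4. EV-sign the CAB and confirm it verifies under the default Authenticode policy.
#    (The same function, pointed at the Partner Center's certificate-registration
#    file, covers that step too: Invoke-EvSign -Path '.\Signablefile.bin')
Invoke-EvSign -Path $CabPath
& $SignTool verify /pa /v $CabPath
if ($LASTEXITCODE -ne 0) { throw "signature on $CabPath did not verify" }
Write-Host "Signed CAB ready for upload: $CabPath"
```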

Next, the signed CAB is uploaded from the Partner Center dashboard. In the new hardware submissions section, you assign a name to the product, specify the desired signature properties (which types of signatures are wanted for the package, which architectures and systems are supported), and enable or disable test signing depending on the scenario.

When the submission is complete and the signing process has finished, the developer can download the driver already signed by Microsoft from the dashboard itself. This package will be installed on users' computers, usually without security warnings, provided the system trusts the certification authorities involved and the chain of trust is properly configured.

Verifying the driver's signature and EKUs

Once the signed driver has been downloaded, it's worth checking that the signatures and certificates have been applied correctly. For this, the reference tool is once again SignTool, with commands such as SignTool verify Echo.sys to validate the basic signature, or additional parameters such as /pa /ph /v /d for more details, including hashes and verification of all signatures present in the file.

In addition to command-line verification, a manual check of the certificates can be performed from the file's properties in Windows Explorer. The “Digital Signatures” tab lists the applied signatures; by selecting one and clicking “Details” → “View certificate” you can access all the relevant information about the chain of trust.

In the certificate's Details tab, the Enhanced Key Usage (EKU) field allows you to confirm that the certificate was issued with the appropriate extensions for signing code and drivers. If the EKUs are incorrect, the system may accept the cryptographic signature but still reject the driver submission because the certificate is not authorized for that specific purpose.
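The same checks from PowerShell, as an added example that is not part of the article: it reads the driver's Authenticode signature, the signer certificate's EKU extension, its signature algorithm and whether a timestamp is present, and lists the problems a practitioner would want flagged. The driver path is a placeholder; the OIDs are the standard Code Signing EKU and Microsoft's Windows Hardware Driver Verification EKU.

```powershell
# Added example: verify a driver binary's signature and EKUs from PowerShell,
# mirroring what the "Digital Signatures" tab and certificate Details show.
# Assumption: the path passed to Test-DriverSignature is a placeholder.
function Test-DriverSignature {
    param([Parameter(Mandatory)][string]$Path)

    $codeSigningOid = '1.3.6.1.5.5.7.3.3'       # id-kp-codeSigning (RFC 5280)
    $whqlOid        = '1.3.6.1.4.1.311.10.3.5'  # Windows Hardware Driver Verification (Microsoft)

    # Note: Get-AuthenticodeSignature reports only the primary signature of a dual-signed
    # file; use "signtool verify /pa /all /v" to walk every signature present.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $result = [ordered]@{
        File           = $Path
        Status         = [string]$sig.Status        # Valid, NotSigned, HashMismatch, NotTrusted, ...
        StatusMessage  = $sig.StatusMessage
        Signer         = $null
        Issuer         = $null
        NotAfter       = $null
        CertSigAlgo    = $null
        Timestamped    = $false
        Ekus           = @()
        HasCodeSigning = $false
        HasWhqlEku     = $false
        Problems       = [System.Collections.Generic.List[string]]::new()
    }
    if ($sig.Status -ne 'Valid') { $result.Problems.Add("signature status is $($sig.Status)") }

    $cert = $sig.SignerCertificate
    if ($null -ne $cert) {
        $result.Signer      = $cert.Subject
        $result.Issuer      = $cert.Issuer
        $result.NotAfter    = $cert.NotAfter
        $result.CertSigAlgo = $cert.SignatureAlgorithm.FriendlyName   # e.g. sha256RSA / sha1RSA
        $result.Timestamped = ($null -ne $sig.TimeStamperCertificate)

        # Read the EKU extension itself rather than relying on friendly names.
        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        if ($ekuExt) {
            $result.Ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
        $result.HasCodeSigning = $result.Ekus -contains $codeSigningOid
        $result.HasWhqlEku     = $result.Ekus -contains $whqlOid

        if (-not $result.HasCodeSigning) { $result.Problems.Add('signer certificate lacks the Code Signing EKU') }
        if ($result.CertSigAlgo -like 'sha1*') { $result.Problems.Add('signer certificate is SHA-1 signed') }
        if (-not $result.Timestamped) { $result.Problems.Add('no timestamp: signature expires with the certificate') }
        if ($cert.NotAfter -lt (Get-Date) -and -not $result.Timestamped) {
            $result.Problems.Add('certificate has expired and the signature is not timestamped')
        }
    }
    [pscustomobject]$result
}

# Usage: inspect the attestation-signed driver downloaded from the Partner Center.
Test-DriverSignature -Path 'C:\drivers\Echo\Echo.sys' | Format-List
```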

Advanced management of the signed driver lifecycle

Microsoft's internal process for signing a submission typically involves several sequential actions. First, it adds an embedded SHA-2 Microsoft signature to the driver binary. If the client has already embedded its own signatures in the binary, these may be overwritten by the Microsoft signature if necessary to ensure compatibility with the loading policies.

Then, the system creates and signs a new catalog file (.cat) with a SHA-2 certificate; Microsoft's catalog replaces any catalog originally submitted by the developer. This ensures that the integrity of the entire package is controlled by the Microsoft-signed catalog, while the individual binaries carry signatures that adhere to the kernel-mode rules.

Once the driver is installed on Windows (whether using devcon, pnputil, custom installers, or through Windows Update), if the configuration is correct, messages such as "Windows cannot verify the publisher of this driver software" should not appear. These types of warnings usually indicate problems with the certificate chain, incomplete signatures, unregistered catalogs, or incompatibilities with the system's signing policies.

Drivers in Windows 10 and basic driver management

From the perspective of the end user or the support technician, the first tool for checking the status of drivers in Windows 10 is the Device Manager. Here you find the complete list of devices installed on the computer: those that are working correctly appear without warning symbols, while those with problems are marked with yellow or red icons.

The quickest way to open it is to type "Device Manager" in the Start menu search, or to use the Win+X menu and select the corresponding option. From this console, you can update, disable, uninstall, or inspect the properties of each driver, including its digital signatures.

In an ideal scenario, most devices are covered by generic or specific drivers that Windows itself downloads and installs through Windows Update. However, when the system doesn't recognize a specific piece of hardware, "unknown devices" appear, requiring more manual management by the user or administrator.

Unknown devices and manual location of the appropriate driver

When an unknown device with a warning icon appears, the most effective way to identify it is usually to check its Hardware ID. From its properties, on the "Details" tab, select "Hardware ID" and copy the strings that begin with PCI, USB, or other prefixes. These strings encode the device's vendor and model identifiers.

With that identifier in hand, you can safely search for the corresponding driver on the manufacturer's official website or, in some cases, in specialized driver databases. Once the package is downloaded, if it's an executable installer, simply follow the wizard; if, however, it arrives as a folder full of INF, SYS, and other files, you'll need to use the “Search your computer for driver software” option, pointing it at that folder.

In many cases, especially with older equipment or unusual hardware combinations, this type of manual search is the only viable way to get the device working normally, always taking care to download drivers only from trusted sources and not from generic portals that bundle drivers with unwanted software.

Drivers without a recognized signature, special modes, and security options

Windows 10 includes an additional layer of security: it requires drivers to be signed by Microsoft or by trusted vendors. This makes a lot of sense from a system protection standpoint, but it can become a problem when you need to install legitimate drivers that are not properly signed or whose signature is not recognized by the system.

In previous versions of Windows, you could manually accept the installation of an unsigned driver with a simple "Install anyway," but starting with Windows 10 that option has largely been removed. To install these drivers, you now have to resort to options such as advanced startup with signature enforcement disabled, test mode, or changes to group policies, depending on the system edition.

The most conservative method involves restarting Windows in a special mode that temporarily disables the requirement for signed drivers. This is done through the system settings (Win+I → Update & Security → Recovery) using "Advanced startup" and, after navigating through several menus ("Troubleshoot" → "Advanced options" → "Startup Settings"), selecting the option that disables mandatory driver signature enforcement. This allows you to install the necessary driver, although the protection is re-enabled on the next restart.

Disable driver signing: Group policies, test mode, and BCDEdit commands

In more advanced environments, such as Pro or Enterprise editions of Windows 10/11, there is an option to adjust driver signing behavior using group policies (gpedit.msc). Navigating through User Configuration → Administrative Templates → System → Driver Installation, you will find the policy “Code signing for device drivers”. Setting it to “Disabled” relaxes the signing requirement, although it should be used with caution, being aware of the security impact.

Another possibility is Test mode (TESTSIGNING), designed for developers working with drivers still in the testing phase. Activating this mode with bcdedit /set TESTSIGNING ON (and restarting) allows the loading of drivers signed with test certificates, usually issued by the organization itself. While the system is in this mode, a watermark on the desktop indicates that it is running in a test environment.

The most drastic option is to completely disable driver integrity checks with commands like bcdedit.exe /set nointegritychecks on. This allows the installation and loading of any driver, signed or unsigned, and while it can be useful in very specific situations (for example, keeping critical hardware without modern support running in a completely isolated environment), it poses a considerable security risk. Whenever this method is used, it is recommended to re-enable the checks with bcdedit.exe /set nointegritychecks off once the necessary drivers are installed.
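An added audit script (not from the article) that reads the current boot entry and reports whether either of the two switches discussed in this section, TESTSIGNING and nointegritychecks, is still active, so that an administrator can confirm enforcement is back to default after maintenance. It assumes an elevated PowerShell session, which bcdedit requires.

```powershell
# Added example: audit the current boot entry for the switches discussed above.
# Assumption: run from an elevated PowerShell session (bcdedit needs it).
function Get-DriverSigningBootState {
    $raw = & bcdedit.exe /enum '{current}' 2>&1
    if ($LASTEXITCODE -ne 0) { throw "bcdedit failed (is the session elevated?): $raw" }

    # bcdedit prints "<element>   <value>" lines; an absent element means the default (No).
    $state = @{ testsigning = 'No'; nointegritychecks = 'No' }
    foreach ($line in $raw) {
        if ("$line" -match '^\s*(testsigning|nointegritychecks)\s+(\S+)') {
            $state[$matches[1].ToLower()] = $matches[2]
        }
    }

    # Context: with Secure Boot enabled, bcdedit refuses to set these elements at all
    # ("protected by Secure Boot policy"). Confirm-SecureBootUEFI errors on legacy BIOS.
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) } catch { }

    [pscustomobject]@{
        TestSigning         = $state.testsigning
        NoIntegrityChecks   = $state.nointegritychecks
        SecureBootEnabled   = $secureBoot
        EnforcementWeakened = ($state.testsigning -eq 'Yes' -or $state.nointegritychecks -eq 'Yes')
    }
}

$boot = Get-DriverSigningBootState
$boot | Format-List
if ($boot.EnforcementWeakened) {
    Write-Warning 'Driver signature enforcement is relaxed; restore the defaults (effective after reboot):'
    Write-Warning '  bcdedit.exe /set nointegritychecks off'
    Write-Warning '  bcdedit.exe /set testsigning off'
}
```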

Dangers of disabling driver signature protections

Relaxing or disabling driver signing policies opens the door to threats that are very difficult to detect and even harder to eradicate: rootkits and malware disguised as drivers. These components load with SYSTEM privileges and run at a very low level, where they can monitor traffic, intercept communications, block antivirus software, and hide from almost any security tool.

Once a fake driver of this type has been installed, the system can be completely compromised without any obvious symptoms. Detection by traditional security solutions is very difficult, as the malware disguises itself as a legitimate driver. In many cases, the only reliable way to recover an infected machine is to format it and reinstall the system from scratch.

Therefore, any software that insists on permanently disabling driver signing, with promises to "optimize performance," "activate hidden features," or similar, should be considered suspicious. It's always preferable to seek alternatives: updated official drivers, signed versions, controlled test modes, or even taking the hardware offline if necessary, rather than leaving the system unprotected.

Windows drivers versus manufacturer drivers: what to use and when

One point that generates quite a bit of confusion is the difference between the generic drivers provided by Microsoft with the system and drivers specific to each manufacturer. The former allow most devices to function "out of the box" when the hardware is connected, but they usually only offer the component's basic functions.

If, for example, it's a multifunction printer, you'll likely be able to print without problems using the Windows drivers, but accessing the scanner, advanced paper handling features, or the manufacturer's diagnostic panels might be difficult. To get the most out of the device, the ideal solution is to install the official drivers and software from the vendor, which usually include valid digital signatures and more configuration options.

When downloading drivers, it's crucial to ensure that the website you're visiting is actually the manufacturer's site and not a third-party portal acting as an intermediary. A simple trick is to carefully check the domain in the URL and avoid generic installers that promise to "update all your drivers" but add adware or even malware. Whenever driver signing is enabled, Windows helps block these types of dubious packages by displaying warnings or preventing their installation.

Driver update and diagnostic tools

For users who prefer to delegate some of the work, there are specialized utilities for detecting outdated drivers and suggesting newer versions, such as Driver Booster, Driver Talent, AVG Driver Updater, or more technical solutions like Snappy Driver Installer or DriverPack Solution. While these can be useful for locating hard-to-find packages, they should be used with caution, always verifying the source of the suggested drivers.

On the diagnostic side, tools such as DriverView, by NirSoft, allow you to list all the drivers installed on the system and quickly distinguish which ones belong to Microsoft (with valid signatures) and which ones come from third parties. For example, this application displays Microsoft drivers with a white background and highlights those from other companies in red, making it easier to identify potential sources of problems.

DriverView lets you sort the list by company, filter to hide Microsoft drivers and focus on third-party ones, and see detailed information about each driver by double-clicking: name, path, version, company, etc. With this information, it's easier to decide whether a suspicious driver is part of trusted software or should be uninstalled to improve system stability or security.
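A DriverView-style inventory as an added PowerShell example (not the article's code and not NirSoft's): it enumerates the kernel drivers registered on the system, reads each binary's CompanyName from its version resource (the field DriverView colours by) and checks its Authenticode signature, then lists the third-party and not-validly-signed rows for triage. It assumes nothing beyond a Windows host.

```powershell
# Added example: inventory kernel drivers, their vendor and signature state.
function Get-DriverInventory {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName } |
        ForEach-Object {
            # PathName may be a native path (\??\C:\... or \SystemRoot\...); normalise it.
            $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
            $company = ''
            $sig     = $null
            if (Test-Path -LiteralPath $path) {
                $company = (Get-Item -LiteralPath $path).VersionInfo.CompanyName
                $sig     = Get-AuthenticodeSignature -LiteralPath $path
            }
            $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            [pscustomobject]@{
                Name       = $_.Name
                State      = $_.State             # Running / Stopped
                StartMode  = $_.StartMode         # Boot / System / Auto / Manual / Disabled
                Path       = $path
                Company    = $company
                Signature  = if ($sig) { [string]$sig.Status } else { 'FileNotFound' }
                Signer     = $signer
                # Unknown or empty CompanyName is treated as third party, the safer default.
                ThirdParty = ($company -notmatch 'Microsoft')
            }
        }
}

$inventory = Get-DriverInventory
# The rows DriverView would highlight in red, plus anything whose signature is not Valid.
$inventory |
    Where-Object { $_.ThirdParty -or $_.Signature -ne 'Valid' } |
    Sort-Object Company, Name |
    Format-Table Name, State, Company, Signature, Signer -AutoSize
```

Note that attestation-signed third-party drivers carry a Microsoft signer subject even though their CompanyName is the vendor's, which is why the report keeps both columns.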

Smartcards, certificates on card and Bit4id PKI Manager

In corporate and administrative environments, it is very common for the certificates used for electronic signature, authentication, or encryption to be stored on smart cards or cryptographic tokens. Managing these devices (PIN, PUK, importing and exporting certificates) requires specific tools such as Bit4id PKI Manager and its associated middleware.

Bit4id PKI Manager provides a view of the connected devices (card readers, tokens) and, after logging in with the PIN, lets you view the user and Certificate Authority (CA) certificates stored on the device. From its dashboard, you can unlock the PIN with the PUK, change the PIN or PUK, log in and log out of the card, rename the device, or import certificates in .p12/.pfx format that include the private key.

When importing a certificate, the application prompts you to select the file, enter the card PIN and the PFX/P12 container password, and optionally set a CKA_ID for use with PKCS#11. Conversely, it also allows exporting certificates in .cer format, containing only the public key, since the private key on a smartcard can never be extracted, for security reasons.

An interesting additional feature is the ability to automatically synchronize the card's certificates with the Windows certificate store. This is essential so that applications like Microsoft Edge, Chrome, Opera, or Adobe Reader can use these certificates to authenticate or sign PDF documents from within the browser or application itself.

Certificate verification in Windows, browsers, and Adobe Reader

To verify that the card certificates have been correctly loaded into the system, you can open the Windows certificate store with certmgr.msc from the Start menu. Within the "Personal" → "Certificates" folder, the user certificates linked to the card should appear if the middleware has done its job correctly.

In the case of Firefox, which maintains its own independent certificate store, you need to check the security and certificates section in the browser preferences. If the PKCS#11 modules are configured correctly and you enter your PIN when prompted, the smartcard certificates will also appear in the user and authority certificate tabs.

For Adobe Acrobat Reader, the path is through the “Preferences” menu → “Signatures” → “Trusted Identities and Certificates” and the “Windows Digital IDs” section. If the certificates are in the Windows certificate store, Adobe can use them directly to digitally sign PDF documents. The typical workflow involves selecting “Use a certificate”, choosing the area of the PDF where the signature will be placed, selecting the appropriate certificate, and completing the process by entering the card PIN when prompted.

Troubleshooting common problems with drivers and certificates

When a driver starts behaving erratically or a hardware component stops working, the first thing to do is check the corresponding icon in the Device Manager. A yellow icon indicates a problem with the driver: it may be corrupted, outdated, badly signed, or in conflict with another piece of software.

Among the recommended actions are using the Windows built-in hardware troubleshooter, manually updating the driver from Device Manager, uninstalling and reinstalling it, or even rolling back to a previous version if a recent update introduced the problem. In many cases, simply allowing Windows Update to reinstall the driver resolves the conflict.

In more complex scenarios, such as multi-boot installations with older systems, errors like “Signing certificates are not installed” when installing GPU drivers on Windows 7 may require manually extracting the installer files from the manufacturer and pointing Device Manager at the extraction folder to force installation of the correct INF file. It also helps to ensure that Windows 7 has the updates that enable SHA-2 (such as KB3033929) and, if all else fails, to consider temporarily disabling driver signing on that specific system, provided it remains isolated and uses drivers from a trusted source.

Finally, when the problem relates to smartcard certificates (inconsistent PINs, errors logging into the middleware, failures to load certificates into the store), it is advisable to gather all diagnostic information from the PKI Manager, installed versions, test results in browsers and applications, and forward it to the card provider or the Certification Authority to expedite the resolution of the incident.

In light of all the above, it is clear that advanced management of driver certificates and signatures in Windows is not just a matter of "making the device work," but of combining security, compatibility, and best practices: choosing the right code signing certificates, monitoring their lifecycle in the Partner Center, respecting SHA-2 policies, knowing when and how to relax signing restrictions, leveraging tools like DriverView or Bit4id PKI Manager, and above all, always downloading and installing drivers and certificates from trusted sources, maintaining a balance between stability, functionality, and protection against low-level threats.