Digital Signatures for Kernel Modules on x64-based Systems Running Windows Vista

For Windows Vista and later versions of the Windows family of operating systems, kernel-mode software must have a digital signature to load on x64-based computer systems.

This paper describes how to manage the signing process for kernel-mode code for Windows Vista, including how to obtain a Publisher Identity Certificate (PIC), guidelines for protecting keys, and how to sign a driver package by using tools that are provided in the Windows Driver Kit (WDK).

Why digital signatures? For both consumer and enterprise users of Windows around the world, protecting personal and corporate data remains a top concern. Microsoft is committed to implementing new ways to help restrict the spread of malicious software. Digital signatures for kernel-mode software are an important way to ensure security on computer systems.

Digital signatures allow the administrator or end user who is installing Windows-based software to know whether a legitimate publisher has provided the software package. When users choose to send Windows Error Reporting data to Microsoft after a fault or other error occurs, Microsoft can analyze the data to know which publishers' software was running on the system at the time of the error. Software publishers can then use the information provided by Microsoft to find and fix problems in their software.