Authenticode Signing of Third-party Cryptographic Service Providers (CSPs)
Third-party Authenticode signing for custom Cryptographic Service Providers (CSPs) is available in Windows Vista and later.
Consequently, Microsoft will no longer sign CSPs, and the manual CSP signing service has been retired. Emails and CSPs sent to cspsign@microsoft.com or cecspsig@microsoft.com to be signed will no longer be processed by Microsoft.
Instead, all third-party CSPs can now be self-signed by following this procedure:
- Purchase a code-signing certificate from a Certificate Authority (CA) for which Microsoft also issues a cross-certificate. The Cross-Certificates for Kernel Mode Code Signing topic provides a list of CAs for which Microsoft also provides cross-certificates and the corresponding cross-certificates. Note that these are the only cross-certificates that chain up to the “Microsoft Code Verification Root” issued by Microsoft, which will enable Windows to run third-party CSPs.
- After you have a certificate from the CA and the matching cross-certificate, you can use SignTool to sign all your CSP binaries.
- SignTool is included in the latest versions of Visual Studio. It is also included in the WDK version 7.0 and newer versions. Note that the SignTool that ships with earlier versions of the WDK is not compatible with cross-certificates and cannot be used to sign your binaries.
Note
Starting with Windows 8, it is no longer a requirement that CSPs must be signed.
You can sign binaries from a command-line, or sign as an integrated build step in Visual Studio 2012 and newer.
The command to SignTool is:
signtool.exe sign /ac <cross-certificate_from_ms> /sha1 <sha1_hash> /t <timestamp_server> /d <”optional_description_in_double_quotes”> <binary_file.ext>
- <cross-certificate_from_ca> is the cross-certificate file you downloaded from Microsoft
- <sha1_hash> is the SHA1 thumbprint that corresponds to the code signing certificate
- <timestamp_server> is the server used to timestamp the signing operation
- <"optional_description_in_double_quotes"> is an optional friendly-name description
- <binary_file.ext> is the file to sign
For example:
signtool.exe sign /ac certificate.cer /sha1 553e39af9e0ea8c9edcd802abbf103166f81fa50 /t "http://timestamp.digicert.com" /d "My Cryptographic Service Provider" csp.dll
Note
It is unnecessary to include resource ID #666 in the CSP DLL, or the signature in the registry, as was required for older CSP signatures.
Additional Help and Support
You can try the Application Security for Windows Desktop forum for assistance.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for