In order to sign a driver you need a Code Signing Certificate - once purchased you can use it for a period of time to sign as much code/drivers as you like. For example, a 3 year certificate can be used for 3 years to sign drivers as needed. After 3 years, all your signed drivers still work great but you will have to buy a new cert if you have code you would like to sign a-new
We bought our cert from GlobalSign
Make an account, it will have a strange usrename that starts with PAR
You can click on Order Certificates - we already did so we have a certificate we paid for a few years ago, certificates cost ~$500
To re-download your certificate you'll have to click EDIT to the left of the Order ID. Which is so counter-intuitive but basically you are re-issuing the cert.
Continue through and pick a secure Pickup Password, this password is only used to download the certificate, it isnt the password for the cert itself!
Pick a hash algorithm. For backwards compatibility with XP SP2 you can request SHA-1 but these days you should probably just go with SHA-256 since it is more secure
Click Next...this will have the pickup email sent to the email address associated with the account.
Check your email, you'll have the pickup link in there. Click it!
You'll be asked for that password from before. If by chance you forgot it in the last 5 minutes, you'll need to start over.
You'll now be asked to be a private key for the certificate. You'll need this to install the certificate. Keep this secret from getting out or someone could be able to sign malware with your name, no good eh?!
OK finally - download the certificate file!
Go through the wizard to install the cert...
Make sure the right file is selected:
To install, you'll need to enter in that long private key you put in doing the pickup process. I recommend marking the key as exportable, so you don't have to go thru the pickup process if another person needs to install it and you lost the certificate file.
You can use the Automatic Store to put it in your cert manager
Now that you have the certificate, its easy to check it out in your Cert Manager. Visit
C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x86 and run certmgr.exe
In Personal, you'll be able to see your signing cert!
You can click on Advanced to get more details about the cert:
Finally, you need the matching root certificate file from GlobalSign. Go here to download it, you'll need to cross-lookup the right cert, for SHA-256 its Root-R3.crt
Save the root certificate to your Desktop, you'll need it in the next step