Skip to main content

Windows kernel mode signing changes and customer requirements for kernel signing


In the past Microsoft provided specific cross-certificates for each Certificate Authority that issues SPCs (Software Publisher Certificates) suitable to sign kernel-mode code[1]. Since 2021, Microsoft is the sole provider of kernel-mode code signatures. Microsofts Trusted Root Program no longer supports root certificates that have kernel mode signing capabilities[2].


This article provides answers to frequently asked questions about kernel-mode signing for Windows.

Please note although the “Entrust Root Certification Authority – G2” is still listed on Microsoft’s cross-certificate-list , Entrust does not issue certificates which support kernel-mode signing.

Entrust provides attestation signing [3] , which requires the use of an Entrust EV Codesigning Certificate in order to submit the driver to Microsofts Partner Center (also known as Hardware Dev Center Dashboard).

Further links:

Step-by-Step Guide provided my Microsoft:

Attestation signing a kernel driver for public release:

Microsoft’s partner center to create and manage driver submissions:

Windows 10 Kernel Mode Code Signing (KMCS) Requirements: .

[1] [2]