Signing 64 Bit Driver with SHA-2 certificate

[pkhach]

I am a bit confused.

While ordering the certificate I was advised to select the SHA-2 certificate because Microsoft will deprecate SHA-1 soon.

But this certificate does not work with Windows 64 bit driver, although your cross-certificates are listed on Microsoft website in new cross-certificate list (AddTrust External CA Root and UTN-USERFirst-Object).
http://msdn.microsoft.com/en-us/library/windows/hardware/dn170454%28v=vs.85%29.aspx

Now your support team is asking me to re-order the SHA-1 certificate instead of SHA-2.

I don't know what to do... 

[Sal Amander]

I am a bit confused.

While ordering the certificate I was advised to select the SHA-2 certificate because Microsoft will deprecate SHA-1 soon.

But this certificate does not work with Windows 64 bit driver, although your cross-certificates are listed on Microsoft website in new cross-certificate list (AddTrust External CA Root and UTN-USERFirst-Object).
http://msdn.microsoft.com/en-us/library/windows/hardware/dn170454%28v=vs.85%29.aspx

Now your support team is asking me to re-order the SHA-1 certificate instead of SHA-2.

I don't know what to do... 

I'm sorry for the confusion but its unfortunately out of any CAs hands. As far as we're aware, Microsoft does not (yet) support SHA-2 for Windows Vista or 7 on Kernel Mode Drivers. SHA-1 is the only option at this time if you wish to sign drivers.

See this post from Kelvin Yiu (from Microsoft) on the CA/Browser Forum public archives for proof: https://cabforum.org/pipermail/public/2014-April/003182.html

[Sal Amander]

Yesterday was "Patch Tuesday" and Microsoft released an update so that SHA-2 signed certificates now work with Windows 7 & Server 2008/R2 and Kernel Mode Code Signing (KMCS) -- https://technet.microsoft.com/en-us/library/security/2949927.aspx

Edit: Seems Microsoft pulled the update 3 days later on 17 October with no further update.

[faustinobsd]

Hi, I have the same issue with SHA256 certificate. It seems Microsoft already made a KB patch, but as I am distributing my software worldwide, I can't ensure that my users have Windows 7 updated.
Will Comodo issue a SHA1 certificate to me?

Thanks

[Aftn]

Hi, I have the same issue with SHA256 certificate. It seems Microsoft already made a KB patch, but as I am distributing my software worldwide, I can't ensure that my users have Windows 7 updated.
Will Comodo issue a SHA1 certificate to me?

Thanks

What Microsoft's KB patch or smth else currently solves issue with SHA256 Kernel Mode Code Signing (KMCS) certificate for Windows 7?

Upd:
Is it this one:   https://technet.microsoft.com/en-us/library/security/3033929   ?
But it has bad reviews as causig cyclic rebooting.