| 223 | | The 64-bit versions of Windows Vista/7 (and later) only allow installing drivers with certificates that have Microsoft as CA. Or, in other words, drivers verified by Microsoft. Installation of unsigned nor unauthorized device drivers is not allowed by default. This is very problematic when testing the TAP-driver, as signing it after every small change makes no sense. Fortunately it ''is'' possible to self-sign the TAP-driver and configure Windows to accept self-signed (unauthorized) drivers. As the steps involved are not trivial, they are described here. |
| 224 | | |
| 225 | | |
| 226 | | |
| | 223 | The 64-bit versions of Windows Vista/7 (and later) only allow installing drivers with certificates that have Microsoft as CA. Or, in other words, drivers verified by Microsoft. Installation of unsigned nor unauthorized device drivers is not allowed by default. This is very problematic when testing the TAP-driver, as signing it after every small change makes no sense. Fortunately it ''is'' possible to self-sign the TAP-driver and configure Windows to accept self-signed (unauthorized) drivers. Several steps are required to make self-signed certificates work, all of which are described here. |
| | 224 | |
| | 225 | == Creating a test certificate == |
| | 226 | |
| | 227 | Creating a test certificate (and it's keystore) is easy if Visual Studio is is installed. Open the Visual Studio command-line and issue |
| | 228 | |
| | 229 | {{{ |
| | 230 | Makecert -r -pe -ss SubjectCertStoreName -n “CN=CertName” OutputFile.cer |
| | 231 | }}} |
| | 232 | |
| | 233 | For details on the syntax see [http://msdn.microsoft.com/en-us/library/bfsktky3(v=vs.80).aspx Makecert.exe reference]; for more details look into [http://msdn.microsoft.com/en-us/windows/hardware/gg487332 this] excellent document. |
| | 234 | |
| | 235 | == Enabling test mode on target computer == |
| | 236 | |
| | 237 | Windows "Test mode" can be switched on using the [http://www.ngohq.com/home.php?page=dseo Driver Signature Enforcement Overrider] tool. There are other alternatives, but these require more manual steps. |
| | 238 | |
| | 239 | == Installing test certificate to target computer == |
| | 240 | |
| | 241 | Signing the driver (or EXE) is not enough: the target computer needs to trust the certificate. This is done by importing the certificate to Window's trusted keystore using [http://msdn.microsoft.com/en-us/library/e78byta0%28v=vs.80%29.aspx Certmgr.exe]. Unfortunately to get this tool you need to install the massive [http://www.google.fi/#hl=it&xhr=t&q=Microsoft+Windows+SDK+for+Windows+7+and+.NET+Framework+3.5+SP1&cp=62&pf=p&sclient=psy&site=&source=hp&aq=0&aqi=&aql=&oq=Microsoft+Windows+SDK+for+Windows+7+and+.NET+Framework+3.5+SP1&pbx=1&fp=f4ed5df9bfb5cc9f Microsoft Windows SDK for Windows 7 and .NET Framework 3.5 SP1] package. Once ''makecert.exe'' is installed, though, using it is straightforward: |
| | 242 | |
| | 243 | {{{ |
| | 244 | certmgr.exe -add OutputFile.cer -s -r localMachine root |
| | 245 | certmgr.exe -add OutputFile.cer -s -r localMachine trustedpublisher |
| | 246 | }}} |
| | 247 | |
| | 248 | For details look [http://msdn.microsoft.com/en-us/windows/hardware/gg487332 here]. |
