Context Navigation

Changes between Version 69 and Version 70 of BuildingOnWindows

Timestamp:: 03/16/11 14:11:00 (13 years ago)
Author:: Samuli Seppänen
Comment:: --

Legend:

: Unmodified
: Added
: Removed
: Modified

BuildingOnWindows

-                      v69
+                      v70
 = TAP-driver signing =
+The 64-bit versions of Windows Vista/7 (and later) only allow installing drivers with certificates that have Microsoft as CA. Or, in other words, drivers verified by Microsoft. Installation of unsigned nor unauthorized device drivers is not allowed by default. This is very problematic when testing the TAP-driver, as signing it after every small change makes no sense. Fortunately it ''is'' possible to self-sign the TAP-driver and configure Windows to accept self-signed (unauthorized) drivers. Several steps are required to make self-signed certificates work, all of which are described here.
+== Creating a test certificate ==
+The 64-bit versions of Windows Vista/7 (and later) only allow installing drivers with certificates that have Microsoft as CA. Or, in other words, drivers verified by Microsoft. Installation of unsigned nor unauthorized device drivers is not allowed by default. This is very problematic when testing the TAP-driver, as signing it after every small change makes no sense. Fortunately it ''is'' possible to self-sign the TAP-driver and configure Windows to accept self-signed (unauthorized) drivers. Several steps are required to make self-signed certificates work, all of which are described here briefly. However, to truly understand what's happening, read these two documents:
+ * [http://msdn.microsoft.com/en-us/windows/hardware/gg487332 Digital Signatures for Kernel Modules on Windows]
+ * [http://msdn.microsoft.com/en-us/library/ff546236%28v=vs.85%29.aspx How to Test-Sign a Driver Package]
+== Creating a test certificate on build computer ==
 Creating a test certificate (and it's keystore) is easy if Visual Studio is is installed. Open the Visual Studio command-line and issue
 {{{
+Makecert -r -pe -ss SubjectCertStoreName -n “CN=CertName” OutputFile.cer
+}}}
+For details on the syntax see [http://msdn.microsoft.com/en-us/library/bfsktky3(v=vs.80).aspx Makecert.exe reference]; for more details look into [http://msdn.microsoft.com/en-us/windows/hardware/gg487332 this] excellent document.
+Makecert -r -pe -ss teststore -n “CN=OpenVPN project test labs” teststore.cer
+}}}
+For details on the syntax see [http://msdn.microsoft.com/en-us/library/bfsktky3(v=vs.80).aspx Makecert.exe reference]; for more details look [http://msdn.microsoft.com/en-us/windows/hardware/gg487332 here].
+== Installing the test certificate to build and target computers ==
+Both build and target computers need to have the test certificate in their keystores. The ''build computer'' needs it for signing the driver catalog with ''signtool.exe''. The ''target computer'', on the other hand, needs to have the certificate installed to allow "trusting" it and loading it into the kernel.
+In both cases the certificate is imported using [http://msdn.microsoft.com/en-us/library/e78byta0%28v=vs.80%29.aspx certmgr.exe]:
+{{{
+certmgr.exe -add teststore.cer -s -r localMachine root
+certmgr.exe -add teststore.cer -s -r localMachine trustedpublisher
+}}}
+While usage of ''certmgr.exe'' is straightforward, it is included (only?) in the massive [http://www.microsoft.com/downloads/en/details.aspx?FamilyID=71deb800-c591-4f97-a900-bea146e4fae1&displaylang=en Microsoft Windows SDK for Windows 7 and .NET Framework 3.5 SP1] package.
+== Creating and signing the catalog file ==
+In order to sign the TAP-driver, you need to do three things:
+ * Create a catalog definition (.cdf) file with a text editor
+ * Create a catalog file with [http://msdn.microsoft.com/en-us/library/aa386967%28v=vs.85%29.aspx MakeCat.exe]
+ * Sign the catalog file with [http://msdn.microsoft.com/en-us/library/8s9b9yaz%28v=vs.80%29.aspx Signtool.exe]
+The catalog definition file (e.g. tap.cdf) can be relatively simple:
+{{{
+Add the example file here
+}}}
+Once the definition file is finished, generate the real catalog file:
+{{{
+makecat -v tap.cdf
+}}}
+Next sign the catalog file:
+{{{
+signtool sign /v /s teststore /n "OpenVPN project test labs" tap0901.cat
+}}}
+As long as the test certificate has been imported to the OS using ''CertMgr.exe'' (see above), this command should work.
 == Enabling test mode on target computer ==
 Windows "Test mode" can be switched on using the [http://www.ngohq.com/home.php?page=dseo Driver Signature Enforcement Overrider] tool. There are other alternatives, but these require more manual steps.
-== Installing test certificate to target computer ==
-Signing the driver (or EXE) is not enough: the target computer needs to trust the certificate. This is done by importing the certificate to Window's trusted keystore using [http://msdn.microsoft.com/en-us/library/e78byta0%28v=vs.80%29.aspx Certmgr.exe]. Unfortunately to get this tool you need to install the massive [http://www.google.fi/#hl=it&xhr=t&q=Microsoft+Windows+SDK+for+Windows+7+and+.NET+Framework+3.5+SP1&cp=62&pf=p&sclient=psy&site=&source=hp&aq=0&aqi=&aql=&oq=Microsoft+Windows+SDK+for+Windows+7+and+.NET+Framework+3.5+SP1&pbx=1&fp=f4ed5df9bfb5cc9f Microsoft Windows SDK for Windows 7 and .NET Framework 3.5 SP1] package. Once ''makecert.exe'' is installed, though, using it is straightforward:
-{{{
-certmgr.exe -add OutputFile.cer -s -r localMachine root
-certmgr.exe -add OutputFile.cer -s -r localMachine trustedpublisher
-}}}
-For details look [http://msdn.microsoft.com/en-us/windows/hardware/gg487332 here].
 = Troubleshooting =