223 | | The 64-bit versions of Windows Vista/7 (and later) only allow installing drivers with certificates that have Microsoft as CA. Or, in other words, drivers verified by Microsoft. Installation of unsigned nor unauthorized device drivers is not allowed by default. This is very problematic when testing the TAP-driver, as signing it after every small change makes no sense. Fortunately it ''is'' possible to self-sign the TAP-driver and configure Windows to accept self-signed (unauthorized) drivers. Several steps are required to make self-signed certificates work, all of which are described here. |
224 | | |
225 | | == Creating a test certificate == |
| 223 | The 64-bit versions of Windows Vista/7 (and later) only allow installing drivers with certificates that have Microsoft as CA. Or, in other words, drivers verified by Microsoft. Installation of unsigned nor unauthorized device drivers is not allowed by default. This is very problematic when testing the TAP-driver, as signing it after every small change makes no sense. Fortunately it ''is'' possible to self-sign the TAP-driver and configure Windows to accept self-signed (unauthorized) drivers. Several steps are required to make self-signed certificates work, all of which are described here briefly. However, to truly understand what's happening, read these two documents: |
| 224 | |
| 225 | * [http://msdn.microsoft.com/en-us/windows/hardware/gg487332 Digital Signatures for Kernel Modules on Windows] |
| 226 | * [http://msdn.microsoft.com/en-us/library/ff546236%28v=vs.85%29.aspx How to Test-Sign a Driver Package] |
| 227 | |
| 228 | == Creating a test certificate on build computer == |
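Review bot: the first paragraph of the new revision still reads "Installation of unsigned nor unauthorized device drivers is not allowed"; make it "neither unsigned nor unauthorized" or "unsigned or unauthorized". The preceding sentence pair, "certificates that have Microsoft as CA. Or, in other words, drivers verified by Microsoft", overstates the Vista/7 rule: kernel-mode code signing on those versions accepts a code-signing certificate whose chain ends in a root that Microsoft has cross-certified for kernel-mode signing, not only certificates issued by Microsoft, so consider "certificates chaining to a CA that Microsoft has cross-certified for kernel-mode code signing". The same paragraph also promises to "configure Windows to accept self-signed (unauthorized) drivers", but none of the headings added in this revision covers that target-side step (enabling test-signing mode with bcdedit); either add a section for it or drop the promise.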
230 | | Makecert -r -pe -ss SubjectCertStoreName -n “CN=CertName” OutputFile.cer |
231 | | }}} |
232 | | |
233 | | For details on the syntax see [http://msdn.microsoft.com/en-us/library/bfsktky3(v=vs.80).aspx Makecert.exe reference]; for more details look into [http://msdn.microsoft.com/en-us/windows/hardware/gg487332 this] excellent document. |
| 233 | Makecert -r -pe -ss teststore -n “CN=OpenVPN project test labs” teststore.cer |
| 234 | }}} |
| 235 | |
| 236 | For details on the syntax see [http://msdn.microsoft.com/en-us/library/bfsktky3(v=vs.80).aspx Makecert.exe reference]; for more details look [http://msdn.microsoft.com/en-us/windows/hardware/gg487332 here]. |
| 237 | |
| 238 | == Installing the test certificate to build and target computers == |
| 239 | |
| 240 | Both build and target computers need to have the test certificate in their keystores. The ''build computer'' needs it for signing the driver catalog with ''signtool.exe''. The ''target computer'', on the other hand, needs to have the certificate installed to allow "trusting" it and loading it into the kernel. |
| 241 | |
| 242 | In both cases the certificate is imported using [http://msdn.microsoft.com/en-us/library/e78byta0%28v=vs.80%29.aspx certmgr.exe]: |
| 243 | |
| 244 | {{{ |
| 245 | certmgr.exe -add teststore.cer -s -r localMachine root |
| 246 | certmgr.exe -add teststore.cer -s -r localMachine trustedpublisher |
| 247 | }}} |
| 248 | |
| 249 | While usage of ''certmgr.exe'' is straightforward, it is included (only?) in the massive [http://www.microsoft.com/downloads/en/details.aspx?FamilyID=71deb800-c591-4f97-a900-bea146e4fae1&displaylang=en Microsoft Windows SDK for Windows 7 and .NET Framework 3.5 SP1] package. |
| 250 | |
| 251 | == Creating and signing the catalog file == |
| 252 | |
| 253 | In order to sign the TAP-driver, you need to do three things: |
| 254 | |
| 255 | * Create a catalog definition (.cdf) file with a text editor |
| 256 | * Create a catalog file with [http://msdn.microsoft.com/en-us/library/aa386967%28v=vs.85%29.aspx MakeCat.exe] |
| 257 | * Sign the catalog file with [http://msdn.microsoft.com/en-us/library/8s9b9yaz%28v=vs.80%29.aspx Signtool.exe] |
| 258 | |
| 259 | The catalog definition file (e.g. tap.cdf) can be relatively simple: |
| 260 | |
| 261 | {{{ |
| 262 | Add the example file here |
| 263 | }}} |
| 264 | |
| 265 | Once the definition file is finished, generate the real catalog file: |
| 266 | |
| 267 | {{{ |
| 268 | makecat -v tap.cdf |
| 269 | }}} |
| 270 | |
| 271 | Next sign the catalog file: |
| 272 | |
| 273 | {{{ |
| 274 | signtool sign /v /s teststore /n "OpenVPN project test labs" tap0901.cat |
| 275 | }}} |
| 276 | |
| 277 | As long as the test certificate has been imported to the OS using ''CertMgr.exe'' (see above), this command should work. |
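Review bot: the revised Makecert line (new 233) wraps the subject in typographic quotes (“CN=OpenVPN project test labs”), which cmd.exe does not treat as quoting, so the -n argument is split at the spaces; use straight double quotes as the signtool line at new 274 already does. The catalog definition block at new 261-263 contains only the placeholder "Add the example file here", yet makecat -v tap.cdf at new 268 and the tap0901.cat name at new 274 both depend on it; include a minimal .cdf with a [CatalogHeader] section naming tap0901.cat and a [CatalogFiles] section listing the driver files, otherwise the procedure cannot be followed. On the certmgr lines at new 245-246, the section should state that adding the test certificate to the localMachine root and trustedpublisher stores makes anything signed with its private key trusted machine-wide on that computer, and that makecert -pe marks that key exportable, so the key should stay off shared machines and the certificate should be removed from both stores once testing is finished. Minor: "look [here]" at new 236 repeats the link already given at new 225.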