How Driver Signing Works, From Vendor Build to Your Computer
A behind-the-scenes look at the certificate chain that turns a freshly compiled driver into something an operating system will trust.
A driver vendor begins by buying a code-signing certificate from a recognised certificate authority — DigiCert, Sectigo, GlobalSign, and a few others. The CA verifies the vendor's identity through paperwork and only then issues the certificate.
For Windows kernel drivers specifically, the bar is higher: the certificate must be a special EV (Extended Validation) certificate, with even stricter identity checks. This is one reason why malicious kernel drivers remain comparatively rare.
On modern Windows, after the vendor signs a driver with their certificate, they upload it to Windows' portal. Windows runs additional automated tests, then countersigns the driver itself. This second signature is what current Windows requires before loading a kernel driver.
This two-layer system makes life much harder for attackers. Even if a vendor's certificate were stolen, the driver would still need Windows' countersignature to load on Windows 10 and 11.
When you plug in a device or start your computer, the OS reads each driver, verifies its signature against installed root certificates, and decides whether to load it. The check is fast — a few milliseconds — but cryptographically strong.
If the chain breaks, the OS refuses to load the driver and the device will not work. The user gets a friendly error rather than a system crash, which is a much better outcome than the alternative.
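To see the result of this check on a live machine, the following PowerShell audit is an added example, not code from the article or from any vendor. It assumes drivers sit in the default `%SystemRoot%\System32\drivers` directory and lists each driver's signature status together with the certificate chain from signer to root.

```powershell
# Added example: audit the signatures of on-disk kernel driver files.
# Assumption: drivers live in the default System32\drivers directory.
$driverDir = Join-Path $env:SystemRoot 'System32\drivers'

$report = foreach ($file in Get-ChildItem -Path $driverDir -Filter '*.sys' -File) {
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName

    # Rebuild the chain from the signer certificate up to a root in the local
    # store, for display only. The verdict comes from $sig.Status, because a
    # timestamped signature stays valid after its signing certificate expires.
    $chainSubjects = @()
    if ($sig.SignerCertificate) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Offline audit: skip revocation lookups so no network access is needed.
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        [void]$chain.Build($sig.SignerCertificate)
        # Element 0 is the signer (leaf); the last element is the root.
        $chainSubjects = $chain.ChainElements | ForEach-Object {
            $_.Certificate.GetNameInfo('SimpleName', $false)
        }
        $chain.Dispose()
    }

    [pscustomobject]@{
        Driver        = $file.Name
        Status        = $sig.Status         # Valid, NotSigned, HashMismatch, NotTrusted, ...
        SignatureType = $sig.SignatureType  # Authenticode (embedded) or Catalog
        Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Chain         = $chainSubjects -join ' -> '
    }
}

# Drivers whose signature did not validate: the "broken chain" case above.
$report | Where-Object Status -ne 'Valid' | Format-Table -AutoSize

# Summary count per status, followed by the full chain for every driver.
$report | Group-Object Status | Select-Object Name, Count
$report | Sort-Object Driver | Format-List Driver, Status, SignatureType, Chain
```

`Get-AuthenticodeSignature` performs a user-mode trust check, so a `Valid` result here does not by itself prove the kernel would load the file. Treat any other status as a lead worth investigating.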
The questions readers send us most often on this topic.
Because they run with the highest privileges. EV certificates require stricter identity verification by the certificate authority.
Windows' portal where vendors submit their signed drivers, after which Windows applies its own signature for kernel-mode trust.
It has happened, but Windows' attestation step and certificate revocation usually shut down compromised certificates quickly.