KMCS (64-bit driver signing) question about RSA key length (2,048 bits okay?)

Discussion in 'Windows 64bit' started by David Schwartz, Apr 15, 2009.

  1. All the tools that want to generate a CSR or key for 64-bit driver
    signing seem to want to create 1,024-bit RSA keys by default. I'd
    prefer to use a 2,048-bit RSA key. I'm concerned that these tools have
    made this hard for a reason -- perhaps Vista's kernel-mode signature
    checker can't handle a 2,048-bit key or the signing tools will barf on
    it or something.

    Can someone confirm for me that it's safe to use a 2,048-bit RSA key
    for Vista 64-bit driver signing? Or can someone tell me that it won't
    work?

    Thanks in advance.

    DS
     
    David Schwartz, Apr 15, 2009
    #1

  2. David Schwartz

    Nick Newland Guest

    2048 bit keys should be fine as some of the root CA providers use keys of
    this length. I assume generating the key is for test signing the drivers?
     
    Nick Newland, Apr 15, 2009
    #2

  3. I think that's true. I checked the cross-certificates, and some of
    them use 2,048-bit keys.
    It's for real, live deployed signing. Unsigned drivers can't be loaded
    by 64-bit Vista.

    DS
     
    David Schwartz, Apr 15, 2009
    #3
  4. David Schwartz

    Tim Roberts Guest

    True. You're clear that KMCS requires a certificate issued by one of
    the short list of approved code-signing providers? You can't self-sign?
     
    Tim Roberts, Apr 17, 2009
    #4
  5. Yep. We're going with GlobalSign.

    DS
     
    David Schwartz, Apr 17, 2009
    #5
