KMCS (64-bit driver signing) question about RSA key length (2,048bits okay?)

Discussion in 'Windows 64bit' started by David Schwartz, Apr 15, 2009.

  1. All the tools that want to generate a CSR or key for 64-bit driver
    signing seem to want to create 1,024-bit RSA keys by default. I'd
    prefer to use a 2,048-bit RSA key. I'm concerned that these tools have
    made this hard for a reason -- perhaps Vista's kernel-mode signature
    checker can't handle a 2,048-bit key or the signing tools will barf on
    it or something.

    Can someone confirm for me that it's safe to use a 2,048-bit RSA key
    for Vista 64-bit driver signing? Or can someone tell me that it won't

    Thanks in advance.

    David Schwartz, Apr 15, 2009
    1. Advertisements

  2. David Schwartz

    Nick Newland Guest

    2048 bit keys should be fine as some of the root CA providers use keys of
    this length. I assume generating the key is for test signing the drivers?
    Nick Newland, Apr 15, 2009
    1. Advertisements

  3. I think that's true. I checked the cross-certificates, and some of
    them use 2,048-bit keys.
    It's for real, live deployed signing. Unsigned drivers can't be loaded
    by 64-bit Vista.

    David Schwartz, Apr 15, 2009
  4. David Schwartz

    Tim Roberts Guest

    True. You're clear that KMCS requires a certificate issued by the one of
    the short list of approved code-signing providers? You can't self-sign?
    Tim Roberts, Apr 17, 2009
  5. Yep. We're going with GlobalSign.

    David Schwartz, Apr 17, 2009
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.