As of late August 2013, all valid (not expired, not revoked) Comodo Code Signing Certificates can be used for Kernel-Mode Code Signing! (For Windows Vista through the first version of Windows 10***)

  1. Download the Comodo cross-signed CA that matches your Code Signing certificate's Root CA.

  2. Open an elevated Windows command prompt (cmd) and run signtool.exe:


    Example: signtool.exe sign /v /ac "AddTrustExternalCARoot_kmod.crt" /f my.pfx /tr "C:\myfile.dll"

Note: For most customers CROSS_SIGNED_COMODO_CA_HERE will be:

[KMCS] UTN-USERFirst-Object.


[KMCS] AddTrust External CA Root

Or if you purchased after Jan 1 2015, use the cross signed file from here

For more general information and instruction about kernel mode signing certificates, see Microsoft's Kernel-Mode Code Signing Walkthrough. (

*** Windows 10 anniversary edition started requiring use of an EV (Extended Validation) code signing certificate for driver signing. We do not yet offer EV code signing but are working closely with Comodo to bring that option to market as fast as possible.