
Self-Signed WHQL Certificate for Testing

Root Certificate

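$params = @{
    # Custom type instead of one of the cmdlet's built-in templates (e.g. SSLServerAuthentication),
    # so the key usages and subject below define the certificate.
    Type = 'Custom'
    SerialNumber = '28cc3a25bfba44ac449a9b586b4339aa'
    KeyAlgorithm = 'RSA'
    HashAlgorithm = 'SHA256'
    NotBefore = (Get-Date -Year 2010 -Month 6 -Day 24 -Hour 5 -Minute 57 -Second 24)
    NotAfter = (Get-Date -Year 2035 -Month 6 -Day 24 -Hour 6 -Minute 4 -Second 1)
    # CertSign/CRLSign are what the intermediate-signing step below relies on.
    KeyUsage = @('DigitalSignature','CertSign','CRLSign')
    # Keep the DN on a single line: a single-quoted string that continues on the next
    # line embeds the line break and the leading spaces into the subject itself.
    Subject = 'CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,S=Washington,C=US'
    FriendlyName = 'Microsoft Root Certificate Authority 2010'
    # Personal store of the local machine, not the Trusted Root store: nothing on the
    # machine trusts this certificate unless it is explicitly moved there. Keep this
    # whole procedure on an isolated test machine.
    CertStoreLocation = 'Cert:\LocalMachine\My'
}
$rootCa = New-SelfSignedCertificate @params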

Export the certificate together with its private key to a PFX file from the Certificates MMC snap-in and save it as root-ca-custom.pfx (the next step extracts the key from that file).

Extract the private key (the second command removes the pass phrase, leaving the key unencrypted on disk):

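# First command asks for the PFX password set during the mmc export and writes the
# key pass-phrase protected; the second strips that pass phrase so the later
# `openssl ca` steps can read the key without prompting.
openssl pkcs12 -in root-ca-custom.pfx -nocerts -out root-ca-key-enc.pem
openssl rsa -in root-ca-key-enc.pem -out root-ca-key.pem
# Plain-text root key: restrict it to the owner (the default umask would leave it
# readable by every local user).
chmod 600 -- root-ca-key-enc.pem root-ca-key.pem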

Extract the certificate:

# -nokeys: certificate only; -clcerts: the end-entity certificate, not any CA
# certificates in the bag. Output is PEM despite the .cer extension, which is
# what the `openssl ca -cert` and `pkcs12 -certfile` steps below expect.
openssl pkcs12 -nokeys -clcerts \
  -in root-ca-custom.pfx \
  -out root-ca-custom.cer

Result files:

  • root-ca-custom.pfx
  • root-ca-key.pem
  • root-ca-custom.cer

Intermediate CA

Print all extensions of int-ca.cer in hex, for reference when writing the config files below:

# -certopt ext_dump hex-dumps the extensions OpenSSL cannot decode (e.g. the
# Microsoft-specific ones), which is where the DER: values in int-ca-ext.cnf come
# from. int-ca.cer is the certificate being inspected; no step on this page
# produces it (the procedure outputs int-ca-custom.cer).
openssl x509 -noout -text -certopt ext_dump -in int-ca.cer

Create the config files:

  • int-ca-cfg.cnf

    # int-ca-cfg.cnf: the [ req ] section drives `openssl req` (key + CSR); the
    # [ ca ] / [ CA_default ] sections drive `openssl ca` (signing with the root key).
    [ ca ]
    default_ca = CA_default
    
    [ req ]
    default_bits        = 2048
    default_keyfile     = privkey.pem    # overridden by -keyout on the command line
    distinguished_name  = req_distinguished_name
    # x509_extensions is only consulted by `openssl req -x509` (self-signed output).
    # The CSR flow on this page never selects [ v3_ca ]; the issued extensions come
    # from int-ca-ext.cnf via `openssl ca -extfile`.
    x509_extensions     = v3_ca
    prompt              = no             # take the DN below verbatim, no interactive prompts
    encrypt_key         = no             # the private key is written to disk unencrypted
    
    [ req_distinguished_name ]
    # C/ST/L/O must equal the signing certificate's values: [ policy_any ] says 'match'.
    C  = US
    ST = Washington
    L  = Redmond
    O  = Microsoft Corporation
    CN = Microsoft Windows Third Party Component CA 2012
    
    [ v3_ca ]
    # Never selected (see x509_extensions above), and OpenSSL would reject it if it
    # were: certificateSign/crlSign are not OpenSSL keyUsage names (int-ca-ext.cnf
    # uses keyCertSign/cRLSign) and authorityInformationAccess is not the extension
    # name OpenSSL knows (authorityInfoAccess). Inert as written.
    keyUsage            = digitalSignature, certificateSign, crlSign
    basicConstraints    = critical, CA:true
    subjectKeyIdentifier= hash
    authorityKeyIdentifier= keyid,issuer
    extendedKeyUsage    = serverAuth, clientAuth
    crlDistributionPoints = URI:http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
    authorityInformationAccess = CA Issuers - URI:http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
    
    [ certificate_extensions ]
    # Not referenced by any other section or by any command on this page.
    authorityKeyIdentifier = keyid,issuer
    
    [ CA_default ]
    unique_subject = no                  # allow issuing again for a subject already in the index
    dir             = ./ca               # created by the mkdir step; whcp-cfg.cnf uses the same directory
    database        = $dir/db            # index file; must exist, may be empty
    new_certs_dir   = $dir/newcerts      # must be an existing directory; openssl ca stores a copy of each issued cert here
    certificate     = ./root-ca-custom.cer   # same file as -cert on the command line
    serial          = $dir/serial        # next serial number in hex; incremented after each issue
    private_key     = ./root-ca-key.pem  # unencrypted root key extracted from the PFX
    default_md      = sha256
    policy          = policy_any
    default_days    = 5475  # 15 years from the start date of Apr 18, 2012
    # default_days is ignored when -startdate/-enddate are given on the command line, as they are below.
    
    [ policy_any ]
    # 'match': the CSR field must equal the CA certificate's; 'supplied': it must be present.
    countryName            = match
    stateOrProvinceName    = match
    localityName           = match
    organizationName       = match
    commonName             = supplied
    
    [ certificate ]
    # Not a section OpenSSL reads. It appears to record the intended serial and
    # validity; the actual values come from ca/serial and from -startdate/-enddate.
    serialNumber          = 0x610BAAC100000000000009
    signatureAlgorithm    = sha256WithRSAEncryption
    validityNotBefore     = 20120418234838Z   # April 18, 2012, 23:48:38 GMT
    validityNotAfter      = 20270418235838Z   # April 18, 2027, 23:58:38 GMT
    
  • int-ca-ext.cnf

    # int-ca-ext.cnf: passed to `openssl ca -extfile`; its unnamed top section holds
    # the extensions actually written into int-ca-custom.cer.
    keyUsage  = digitalSignature, keyCertSign, cRLSign
    basicConstraints    = critical, CA:true
    subjectKeyIdentifier= hash
    authorityKeyIdentifier= keyid,issuer
    # These point at Microsoft's published CRL/AIA endpoints; nothing in this
    # procedure publishes anything there.
    crlDistributionPoints = URI:http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
    authorityInfoAccess = caIssuers;URI:http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
    # Microsoft-specific extensions given as raw DER (the ext_dump output above):
    # 1.3.6.1.4.1.311.21.1 is the CA Version extension, INTEGER 0;
    # 1.3.6.1.4.1.311.20.2 is the Certificate Template Name, BMPString "SubCA".
    1.3.6.1.4.1.311.21.1 = DER:020100
    1.3.6.1.4.1.311.20.2 = DER:1e0a00530075006200430041
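# Working directory declared in [ CA_default ]: the index (database) and serial
# files must pre-exist, and new_certs_dir ($dir/newcerts) must be a directory —
# `openssl ca` checks for it before signing, so `mkdir ca` alone is not enough.
# Both config files share this directory, so the leaf certificate later takes the
# next serial from the same counter.
mkdir -p ca/newcerts
: > ca/db
printf '%s\n' "610baac1000000000009" > ca/serial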

Generate key & CSR:

# Generates a fresh 2048-bit RSA key and the CSR. The key is written unencrypted
# (encrypt_key = no in the config); -keyout overrides default_keyfile. The DN is
# taken from [ req_distinguished_name ] without prompting.
openssl req -config int-ca-cfg.cnf \
  -newkey rsa:2048 \
  -keyout int-ca-key.pem \
  -out int-ca.csr

Sign the CSR with the root key:

# -cert/-keyfile name the same files as certificate/private_key in [ CA_default ];
# -startdate/-enddate pin the validity period instead of default_days; the
# extensions come from int-ca-ext.cnf, not from int-ca-cfg.cnf. Without -batch,
# openssl ca prompts for confirmation before signing and before updating ca/db.
openssl ca -config int-ca-cfg.cnf \
  -cert root-ca-custom.cer -keyfile root-ca-key.pem \
  -in int-ca.csr -extfile int-ca-ext.cnf \
  -startdate 20120418234838Z -enddate 20270418235838Z \
  -out int-ca-custom.cer

Result files:

  • int-ca.csr
  • int-ca-key.pem
  • int-ca-cfg.cnf
  • int-ca-ext.cnf
  • int-ca-custom.cer

Leaf Certificate

Print all extensions of whcp.cer in hex, for reference when writing the config files below:

# -certopt ext_dump hex-dumps the extensions OpenSSL cannot decode, which is where
# the OID-keyed values in whcp-ext.cnf come from. whcp.cer is the certificate being
# inspected; no step on this page produces it (the procedure outputs whcp-custom.cer).
openssl x509 -noout -text -certopt ext_dump -in whcp.cer

Create config file:

  • whcp-cfg.cnf

    # whcp-cfg.cnf: the [ req ] section drives `openssl req` (key + CSR); the
    # [ ca ] / [ CA_default ] sections drive `openssl ca` (signing with the
    # intermediate key produced in the previous section).
    [ ca ]
    default_ca = CA_default
    
    [ req ]
    default_bits        = 2048
    default_keyfile     = privkey.pem    # overridden by -keyout on the command line
    distinguished_name  = req_distinguished_name
    # x509_extensions is only consulted by `openssl req -x509` (self-signed output).
    # The CSR flow on this page never selects [ v3_ca ]; the issued extensions come
    # from whcp-ext.cnf via `openssl ca -extfile`.
    x509_extensions     = v3_ca
    prompt              = no             # take the DN below verbatim, no interactive prompts
    encrypt_key         = no             # the private key is written to disk unencrypted
    
    [ req_distinguished_name ]
    # C/ST/L/O must equal the intermediate certificate's values: [ policy_any ] says 'match'.
    C  = US
    ST = Washington
    L  = Redmond
    O  = Microsoft Corporation
    CN = Microsoft Windows Hardware Compatibility Publisher
    
    [ v3_ca ]
    # Never selected (see x509_extensions above). Note that serialNumber in
    # [ alt_names ] is not a subjectAltName type; harmless only because this
    # section is inert.
    subjectKeyIdentifier   = hash
    authorityKeyIdentifier = keyid,issuer:always
    basicConstraints       = critical,CA:FALSE
    keyUsage               = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
    extendedKeyUsage       = codeSigning
    subjectAltName         = @alt_names
    
    [ alt_names ]
    DNS.1 = Microsoft Corporation
    serialNumber = 232825+502301
    
    [ certificate_extensions ]
    # Not referenced by any other section or by any command on this page.
    authorityKeyIdentifier = keyid,issuer
    
    [ CA_default ]
    unique_subject = no                  # allow issuing again for a subject already in the index
    dir             = ./ca               # same directory (index, serial counter) as int-ca-cfg.cnf
    database        = $dir/db
    new_certs_dir   = $dir/newcerts      # must be an existing directory
    certificate     = ./int-ca-custom.cer    # the leaf is issued by the intermediate, not the root
    serial          = $dir/serial        # already incremented by the intermediate signing
    private_key     = ./int-ca-key.pem   # unencrypted intermediate key
    default_md      = sha256
    policy          = policy_any
    default_days    = 5475  # 15 years from the start date of Apr 18, 2012
    # default_days is ignored when -startdate/-enddate are given on the command line, as they are below.
    
    [ policy_any ]
    # 'match': the CSR field must equal the CA certificate's; 'supplied': it must be present.
    countryName            = match
    stateOrProvinceName    = match
    localityName           = match
    organizationName       = match
    commonName             = supplied
    
    [ certificate ]
    # Not a section OpenSSL reads. The serial shown here is the one int-ca-cfg.cnf
    # also lists; the serial actually issued comes from ca/serial, and the validity
    # from -startdate/-enddate on the command line.
    serialNumber          = 0x610BAAC100000000000009
    signatureAlgorithm    = sha256WithRSAEncryption
    validityNotBefore     = 20120418234838Z   # April 18, 2012, 23:48:38 GMT
    validityNotAfter      = 20270418235838Z   # April 18, 2027, 23:58:38 GMT
    
  • whcp-ext.cnf

    # whcp-ext.cnf: passed to `openssl ca -extfile`; the unnamed top section holds
    # the extensions actually written into whcp-custom.cer.
    # EKUs: 1.3.6.1.4.1.311.10.3.5 is Microsoft's Windows Hardware Driver Verification
    # EKU, 1.3.6.1.5.5.7.3.3 is id-kp-codeSigning; 1.3.6.1.4.1.311.10.3.39 is a further
    # Microsoft hardware-driver EKU, presumably taken from the ext_dump of whcp.cer.
    extendedKeyUsage  = 1.3.6.1.4.1.311.10.3.39,1.3.6.1.4.1.311.10.3.5,1.3.6.1.5.5.7.3.3
    basicConstraints    = critical, CA:false      # end-entity certificate
    subjectKeyIdentifier= hash
    authorityKeyIdentifier= keyid,issuer
    # These point at Microsoft's published CRL/AIA endpoints; nothing in this
    # procedure publishes anything there.
    crlDistributionPoints = URI:http://www.microsoft.com/pkiops/crl/Microsoft%20Windows%20Third%20Party%20Component%20CA%202012.crl
    authorityInfoAccess = caIssuers;URI:http://www.microsoft.com/pkiops/certs/Microsoft%20Windows%20Third%20Party%20Component%20CA%202012.crt
    # A directoryName SAN built from the [dir_sect] DN below.
    subjectAltName = dirName:dir_sect
    
    [dir_sect]
    OU = Microsoft Corporation
    serialNumber=232825+502301

Generate key & CSR:

# Generates the leaf key and CSR. The key is written unencrypted (encrypt_key = no
# in the config); -keyout overrides default_keyfile. The DN is taken from
# [ req_distinguished_name ] without prompting.
openssl req -config whcp-cfg.cnf \
  -newkey rsa:2048 \
  -keyout whcp-key.pem \
  -out whcp.csr

Sign the CSR with the intermediate key:

# Issued by the intermediate (-cert/-keyfile), with the validity pinned by
# -startdate/-enddate and the extensions taken from whcp-ext.cnf. Uses the same
# ./ca index and serial counter as the intermediate signing; without -batch,
# openssl ca prompts for confirmation.
openssl ca -config whcp-cfg.cnf \
  -cert int-ca-custom.cer -keyfile int-ca-key.pem \
  -in whcp.csr -extfile whcp-ext.cnf \
  -startdate 20120418234838Z -enddate 20270418235838Z \
  -out whcp-custom.cer

Result files:

  • whcp-cfg.cnf
  • whcp-ext.cnf
  • whcp.csr
  • whcp-key.pem
  • whcp-custom.cer

Package the leaf key, its certificate and the CA chain into a PFX:

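# `openssl pkcs12` takes a single -certfile; when the option is given twice only
# the last one is used, so the intermediate would be missing from the bundle.
# Concatenate the chain into one PEM file first. The export password is prompted
# for interactively; the unencrypted whcp-key.pem remains on disk afterwards and
# should be removed or locked down once the PFX exists.
cat int-ca-custom.cer root-ca-custom.cer > whcp-chain.pem
openssl pkcs12 -export \
  -inkey whcp-key.pem \
  -in whcp-custom.cer \
  -certfile whcp-chain.pem \
  -out whcp-custom.pfx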