Skip to content
This repository has been archived by the owner on Sep 26, 2024. It is now read-only.

Certificate chains #361

Open
matelich opened this issue Sep 7, 2022 · 4 comments
Open

Certificate chains #361

matelich opened this issue Sep 7, 2022 · 4 comments

Comments

@matelich
Copy link

matelich commented Sep 7, 2022

The cert we had been using for creating retail builds expired and we use a homegrown tool which launches ApplyUpdate -stage [cab], ApplyUpdate -commit to perform updates of our software. I'm trying to get a new update out the door and my current cert I'm using is failing with "A certificate chain could not be built to a trusted root authority."

I'm not sure how to determine if I'm fully out of luck because there would be no acceptable root authorities, or if I just need a different cert. Original was Verisign, new is Digicert.

I'd love to be able to keep shipping updates to devices with my FFU built in 2019 (10.0.17763.253).

@parameshbabu
Copy link
Contributor

Hi, we have recommended to move to SHA2 based signing (see https://github.com/ms-iot/iot-adk-addonkit#17763-v7-branch) as the sha1 certificates are expiring/expired and not planned to be supported further. Can you see the instructions in the link and update your devices?

@matelich
Copy link
Author

matelich commented Sep 8, 2022 via email

@matelich
Copy link
Author

I guess the answers I was hoping for were
a) Yes, we have a signed cab file which will install the new cross certificates and you're ok for the next year to make a plan for upgrading your shipped products.

  • Or if the device is Windows-Updated, it will get the new certs.
    b) No, there is no hope for updating an existing installation

@saapte
Copy link
Contributor

saapte commented Oct 11, 2022

@matelich For migration of existing devices from cross-signed > custom signed binaries, follow the same steps as for a new FFU (except the FFU generation). Once the v7 versions of the Secure Boot, Device Guard, and your custom cert signed packages are ready, they can be deployed via Device Update Center, or manually using applyupdate.exe.

A few things to be careful with:

  1. On the latest IoT builds, it's imperative that you build and deploy both the new version of secure boot and device guard when migrating to custom signed binaries, and not device guard alone
  2. Please sure that the host you use to build these packages is running Enterprise with major version 17763 (1809), and not 21H2 or some other version.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants