If you’re a software publisher or device manufacturer developing drivers for Windows, you can’t just compile your .sys files, bundle them in an installer, and call it a day. Drivers dig deep into the operating system’s core — they interact with hardware, kernel processes, and critical system functions. Because of this, Microsoft locks down driver installation with strict security checks to protect users from malicious or faulty drivers.
That’s where code signing comes in — and for drivers, it’s not optional. If your driver isn’t properly signed and approved, Windows will reject it outright, block installation, or show alarming warnings that scare off users and corporate IT teams alike.
Two terms often come up when you dive into Windows driver signing: EV Code Signing Certificates and WHQL Signing. They’re not the same, but they’re closely related in the driver trust chain. Many developers confuse the two — so let’s clear it up, step by step, and see how DigiCert Code Signing Certificates fit into both.
Why Drivers Need Code Signing
First, it helps to understand the why.
When you sign a driver, you’re attaching a verified cryptographic signature to the driver files (.sys, .cat, .inf files). This signature does two critical things:
1️⃣ It proves authenticity — the driver really came from you, the verified publisher, not some shady hacker who tampered with the file.
2️⃣ It guarantees integrity — the driver code hasn’t been modified since you signed it. If even one byte changes, Windows will reject the signature.
For standard user-mode applications, you can often get away with just a regular code signing certificate (OV) — but for drivers, Microsoft is much stricter because these files operate at the kernel level.
What is WHQL Signing?
WHQL stands for Windows Hardware Quality Labs. This is Microsoft’s official program to test, certify, and approve drivers for Windows.
When you submit a driver package to Microsoft for WHQL certification:
- Microsoft tests your driver in their labs for compatibility, stability, and security.
- If it passes, they sign it with a special Microsoft signature.
- This WHQL signature tells Windows that your driver is trusted by Microsoft and can be installed without additional warnings.
For many device makers (especially those shipping hardware to end-users), WHQL certification is practically mandatory — not only for user trust but because many OEM partners or big retailers won’t touch hardware without it.
Where Does DigiCert EV Code Signing Fit In?
Here’s where it gets interesting: You can’t submit a driver for WHQL certification unless you first sign it yourself — and that signature must come from an Extended Validation (EV) Code Signing Certificate.
In other words, the EV Code Signing Certificate acts as the “passport” that proves your identity to Microsoft’s Windows Hardware Developer Center Dashboard. Without it, you won’t even get past the front door.
Why EV? Because Microsoft wants maximum identity assurance for kernel-mode drivers. Standard (OV) code signing certificates aren’t strong enough. EV certificates, by contrast, require rigorous vetting and the private key is stored on a secure hardware token — meaning it can’t be easily stolen or copied.
So:
- To sign a standard app or user-mode driver, you can use OV, but it won’t get you WHQL.
- To sign a kernel-mode driver for Windows 10 or newer, Microsoft requires EV code signing.
- To submit for WHQL certification, you must sign with EV first.
The Windows Driver Signing Chain: How It Works
Let’s connect the dots in plain English:
1️⃣ You develop your driver package — including your .sys driver file, .inf setup file, and .cat catalog file.
2️⃣ You sign the driver package with your DigiCert EV Code Signing Certificate.
- This confirms that the driver came from you, the verified publisher.
- It uses your EV certificate’s private key on a secure USB token — adding tamper resistance.
3️⃣ You submit the signed driver to Microsoft’s Windows Hardware Developer Center Dashboard.
- Microsoft tests the driver for compatibility and stability (this is the WHQL process).
- If the driver passes, Microsoft adds their own digital signature to the package.
4️⃣ When users install your driver, Windows checks both signatures.
- First, it checks your EV signature to confirm the package is legitimate.
- Then it checks Microsoft’s WHQL signature to see that it was officially approved.
5️⃣ If everything checks out, Windows installs the driver silently — no scary pop-ups, no red flags, no “untrusted publisher” errors.
What Happens if You Skip EV or WHQL?
Some developers think they can cut corners by signing drivers with a standard OV certificate or skipping WHQL altogether. This almost always backfires.
Starting with Windows 10 Anniversary Update and Windows 11:
- Kernel-mode drivers must be submitted to Microsoft for signing through the WHQL process.
- Your EV signature is required to submit the driver in the first place.
- If you skip WHQL, your driver won’t load by default. On modern 64-bit Windows, users can’t just “click to install” unsigned or improperly signed drivers. They’d have to disable driver signature enforcement — a risky step that very few users or IT admins will allow.
So practically speaking, if you want your driver to install cleanly, get loaded by the OS, and gain trust with users, you need both:
✅ DigiCert EV Code Signing Certificate for your signature.
✅ WHQL Signing to get Microsoft’s official blessing.
Does WHQL Cover All Versions of Windows?
This is another point of confusion. When your driver passes WHQL and gets Microsoft’s signature, it means:
- Your driver is trusted on all supported Windows versions that use that driver model (like Windows 10, Windows 11, Windows Server).
- The driver can be published via Windows Update, so your hardware works out of the box for end-users.
So yes — WHQL + EV covers you for modern Windows platforms and makes distribution far simpler.
Steps to Get WHQL with DigiCert EV Code Signing
Here’s what the process typically looks like:
1️⃣ Buy a DigiCert EV Code Signing Certificate — DigiCert is a trusted root CA with a strong reputation for developer trust.
2️⃣ Complete DigiCert’s strict identity verification process.
- For EV, you’ll receive a physical USB token to store your private key securely.
3️⃣ Sign your driver package files (.sys, .inf, .cat) with your EV certificate.
- Use Microsoft’s SignTool with /tr for timestamping so your signature stays valid even after the cert expires.
4️⃣ Create a Hardware Developer account on Microsoft’s Windows Hardware Developer Center Dashboard.
5️⃣ Upload your signed driver package for WHQL testing.
6️⃣ If your driver passes the tests, Microsoft signs it and sends you the signed package or publishes it via Windows Update.
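One way to script the signing step and check its result, as an added example (not DigiCert's or Microsoft's own script): it signs the package with SignTool using /tr, then confirms every signature is valid and carries a timestamp. The package path, the thumbprint placeholder and the timestamp URL are assumptions, as are signtool.exe being on PATH and the EV token being plugged in.

```powershell
# Added example: sign a driver package with an EV certificate and verify
# that each signature is valid and timestamped.
# Assumptions: hypothetical package path, placeholder thumbprint,
# signtool.exe (Windows SDK/WDK) on PATH, EV token connected.
param(
    [string]$PackageDir   = 'C:\build\mydriver',            # hypothetical path
    [string]$Thumbprint   = '<EV-CERT-SHA1-THUMBPRINT>',    # placeholder, not a real value
    [string]$TimestampUrl = 'http://timestamp.digicert.com' # assumed RFC 3161 timestamp server
)

$ErrorActionPreference = 'Stop'

# The .sys gets an embedded signature; the signed .cat holds the hashes
# of the package files, which is how the .inf is covered.
$targets = Get-ChildItem -Path $PackageDir -File |
    Where-Object { $_.Extension -in '.sys', '.cat' }
if (-not $targets) { throw "No .sys or .cat files found in $PackageDir" }

foreach ($file in $targets) {
    # /sha1 selects the certificate, /fd is the file digest,
    # /tr + /td request an RFC 3161 timestamp with a SHA-256 digest.
    & signtool.exe sign /v /sha1 $Thumbprint /fd SHA256 `
        /tr $TimestampUrl /td SHA256 $file.FullName
    if ($LASTEXITCODE -ne 0) {
        throw "signtool failed for $($file.Name) (exit code $LASTEXITCODE)"
    }
}

# Re-read every signature instead of trusting the signing step's output.
$report = foreach ($file in $targets) {
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    [pscustomobject]@{
        File        = $file.Name
        Status      = $sig.Status
        Signer      = $sig.SignerCertificate.Subject
        CertExpires = $sig.SignerCertificate.NotAfter
        Timestamped = [bool]$sig.TimeStamperCertificate
    }
}
$report | Format-Table -AutoSize

# A signature without a timestamp stops validating when the certificate expires.
$bad = $report | Where-Object { $_.Status -ne 'Valid' -or -not $_.Timestamped }
if ($bad) { throw "Invalid or untimestamped signature: $($bad.File -join ', ')" }
```

Running the verification half alone against a package received from a vendor gives the same report without touching the files.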
Key Takeaway
The main thing to remember is that EV and WHQL work together, not separately. You need both to sign drivers the right way:
- EV Code Signing proves your identity.
- WHQL Signing proves your driver’s technical quality and compatibility.
Together, they keep Windows secure, protect your users, and help your drivers install smoothly — whether your customer is a casual home user or a major corporate IT department.
Conclusion
So, should you get a DigiCert EV Code Signing Certificate or rely only on WHQL?
You need both. There’s no “either/or” here — your EV certificate is your verified stamp that allows you to submit your driver for WHQL approval. Without it, you can’t even start.
If you’re building serious hardware, peripherals, or anything that requires kernel-level drivers, this is non-negotiable. Do it right the first time — protect your reputation, protect your users, and sleep well at night knowing your drivers won’t break Windows security.
FAQs
What is the difference between WHQL driver signing and EV code signing for Windows drivers?
WHQL signing refers to passing Microsoft’s Hardware Lab Kit (HLK) tests and getting your driver signed by Microsoft, certifying compatibility for Windows and enabling distribution through Windows Update.
EV code signing means your driver is signed with an Extended Validation certificate, confirming publisher identity and integrity, and is required for submission to Microsoft for either attestation signing or WHQL testing.
Do I need a DigiCert EV Code Signing certificate for all Windows driver submissions?
Yes, for both WHQL (HLK testing) and attestation signing on the Microsoft Partner Center, a valid EV Code Signing certificate is required to authenticate your submission and secure your driver’s trust on Windows platforms.
Can I use a regular DigiCert code signing certificate for driver signing?
No, regular/OV code signing certificates are not accepted for new driver submissions to Microsoft. Only EV (Extended Validation) code signing certificates meet Microsoft’s submission requirements for drivers.
Is EV code signing required for drivers on all Windows versions?
Attestation signing with an EV certificate is required for Windows 10 and newer. Earlier versions require WHQL signing or legacy cross-signing, but for modern compliance and future-proofing, EV is the standard.
Does EV code signing guarantee my driver will be distributed via Windows Update?
No, only drivers that pass WHQL (HLK) testing and certification are eligible for Windows Update distribution. Attestation-signed drivers, while trusted by Windows, cannot be published through Windows Update.
What happens if my EV certificate expires while my driver is in the field?
Already-signed and timestamped drivers remain valid and trusted, but you’ll need a current, valid EV certificate for new driver releases or updates.
How does DigiCert compare to other CAs for EV code signing and Windows driver submissions?
DigiCert is an approved Windows driver signing certificate authority and is widely trusted by Microsoft, offering broad platform compatibility, strong security, and robust support for hardware token and HSM deployment.
What is the difference between WHQL Signing and EV Code Signing for Drivers?
WHQL (Windows Hardware Quality Labs) Signing: This is required for drivers that will be distributed through Microsoft Update or Windows Update. It involves submitting your driver to Microsoft for certification to ensure compatibility with Windows operating systems.
EV Code Signing: Extended Validation Code Signing Certificates are used for signing drivers to provide the highest level of trust. These certificates display your company’s name during installation and are required for signing kernel-mode drivers and other sensitive system software.
Do I need both WHQL Signing and EV Code Signing for my driver?
Yes, if you want your driver to be distributed through Windows Update, you must first submit it for WHQL signing with Microsoft. After that, you can use an EV Code Signing Certificate to sign your driver, ensuring it’s trusted and secured by both Microsoft and end users.
How does WHQL Signing improve my driver’s reputation?
WHQL Signing ensures that your driver is compatible with Windows and meets Microsoft’s standards. Drivers signed with WHQL certificates are trusted by the Windows operating system and automatically recognized during installation, reducing warnings or rejections by Windows.
How long does the WHQL Signing process take?
The WHQL Signing process can take several days to weeks, depending on the complexity of the driver and the workload at Microsoft’s Hardware Lab. It involves rigorous testing to ensure compatibility with Windows OS versions.
Do I need EV Code Signing if my driver is WHQL signed?
While WHQL signing ensures that your driver is compatible with Windows, using EV Code Signing is highly recommended to increase trust and prevent security warnings. EV Code Signing ensures that users know the driver is from a verified and trusted source, improving the user experience during installation.
What happens if I don’t sign my driver with WHQL or EV Code Signing?
If your driver is not signed with WHQL or EV Code Signing, users will encounter warnings during installation, and the driver might be flagged as untrusted by security software. For kernel-mode drivers, Windows may also block them from loading entirely if they aren’t signed with EV Code Signing.
How much does WHQL Signing cost compared to DigiCert EV Code Signing?
The cost of WHQL Signing varies, and it may depend on your partnership with Microsoft and the specifics of your driver. In contrast, DigiCert EV Code Signing Certificates are generally priced between $500–$700 per year. Keep in mind that WHQL involves additional testing and certification costs from Microsoft, whereas EV Code Signing provides a comprehensive solution for driver trust.
Can I use DigiCert EV Code Signing to sign Windows drivers for 64-bit systems?
Yes, DigiCert EV Code Signing Certificates can be used to sign drivers for both 32-bit and 64-bit Windows systems. Whether you are signing drivers for Windows 7, 8, 10, or 11, an EV Code Signing Certificate is compatible with all versions of Windows, providing the highest level of security and trust.