MPLAB Harmony USB Stack
Obtaining a Microsoft Authenticode Code Signing Certificate

There are several Certificate Authority (CA) companies that can sell your organization a signing certificate, which will allow you to sign your own driver packages. However, when submitting a driver package to Microsoft for WHQL certification, either as a new device/driver, or by reusing a previous submission through the Driver Update Acceptable (DUA) process, Microsoft currently requires that the submitted files be signed with an Authenticode signing certificate issued by VeriSign. 

Therefore, it is generally preferred to obtain the Microsoft Authenticode code signing certificate from VeriSign (now a part of Symantec Corporation). Before purchasing the certificate, it is recommended to search for possible promotional/discounted rates. Historically, Microsoft has run a program providing discounted prices for first-time purchasers of VeriSign certificates.

Authenticode code signing certificates are usually sold on an annual or multi-year basis. Once purchased, the signing certificate can normally be used to sign an unlimited number of driver package security catalog files (e.g., .cat files), along with other types of files (e.g., .exe executable programs). The certificate itself (i.e., typically a .pvk file, though other extensions are possible) needs to be kept physically secure, and should never be distributed publicly.