I am trying to sign a Windows kernel driver with a SHA-256 certificate. I've been back and forth with MS support with no change in status. I've tried SignTool.exe from both the 32- and 64-bit directories of 3 different WDKs (7600, 8.0, 8.1).
My private key lives in a Luna CSP. I have the local cert and the cross-signing cert, and I can sign a SHA-1 signature to the driver in question, but any time I try to sign a SHA-256 cert, I get an error:
SignTool Error: An unexpected internal error has occurred. Error information: "Error: SignerSign() failed." (-2146893795/0x8009001d)
I've searched for this error, but it seems to be unique to me. Since certs are private, I've redacted some information here. Please let me know if there is more I can provide to help solve the issue.
This works, and signs with a SHA-1 signature:
signtool.exe sign /ac "<path>\MSCV-VSClass3.cer" /f "<cert>.cer" /csp "Luna Cryptographic Services for Microsoft Windows" /kc <keystore> /t http://timestamp.verisign.com/scripts/timstamp.dll $file
These give me the above error:
signtool.exe sign /ac "<path>\MSCV-VSClass3.cer" /f "<cert>.cer" /csp "Luna Cryptographic Services for Microsoft Windows" /kc <keystore> /fd sha256 /sha1 <cert thumbprint> /tr http://timestamp.verisign.com/scripts/timstamp.dll /td sha256 $file
signtool.exe sign /ac "<path>\MSCV-VSClass3.cer" /f "<cert>.cer" /csp "Luna Cryptographic Services for Microsoft Windows" /kc <keystore> /fd sha256 /sha1 <cert thumbprint> /t http://timestamp.verisign.com/scripts/timstamp.dll $file
signtool.exe sign /ac "<path>\MSCV-VSClass3.cer" /f "<cert>.cer" /csp "Luna Cryptographic Services for Microsoft Windows" /kc <keystore> /fd sha256 /sha1 <cert thumbprint> /as /tr http://timestamp.verisign.com/scripts/timstamp.dll /td sha256 $file
Adding /v /debug to the command line provides additional output, but has not offered any help with the error.
I'm signing this on a Win7 x64 machine that I have confirmed has access to the Luna server.