Signing a PowerShell script with self-signed certificates (and without makecert.exe)

Backend · Unresolved · 2 · 1370
一向 2021-02-06 02:42

I'm trying to sign a .ps1 using self-signed certificates (the use case is for scripts I write myself on my private dev station, so no need to use - or pay for - a

2 answers
  •  离开以前
    2021-02-06 02:52

    Thinking about this, you don't need a certificate chain trust; therefore, you don't need your first certificate. You can use the second certificate and move it into your Trusted Root folder and it will work. Using the first certificate and then creating another certificate seems to fail because the 'root' is self-signed and then can't sign another certificate.

    SELF-SIGNED CERTIFICATE method

    # Create a self-signed code-signing certificate in the machine's Personal store
    # (Cert:\LocalMachine requires an elevated PowerShell session)
    $selfsigncert = New-SelfSignedCertificate `
                    -Subject "CN=PowerShell Code Signing" `
                    -KeyAlgorithm RSA `
                    -KeyLength 2048 `
                    -Type CodeSigningCert `
                    -CertStoreLocation Cert:\LocalMachine\My\
    
    # Move the certificate into Trusted Root CAs so the signature chains to a trusted root
    Move-Item "Cert:\LocalMachine\My\$($selfsigncert.Thumbprint)" Cert:\LocalMachine\Root
    
    # Obtain the certificate object (not just its store path) from Trusted Root;
    # -Certificate expects an X509Certificate2, so Get-Item is needed rather than a string
    $selfsignrootcert = Get-Item "Cert:\LocalMachine\Root\$($selfsigncert.Thumbprint)"
    
    # Sign the script
    Set-AuthenticodeSignature -FilePath C:\powershell.ps1 -Certificate $selfsignrootcert
    

    If you have access to an Enterprise Root CA, you can use the method you have used in your question.

    ENTERPRISE ROOT CA method (same method as you have in your question) - you need to know your Root CA certificate thumbprint

    # Get the Enterprise Root CA certificate by its thumbprint (replace XXXXXXXXXXXX)
    $rootcert = Get-ChildItem Cert:\LocalMachine\Root\XXXXXXXXXXXX
    
    # Generate a code-signing certificate issued by the Root CA certificate
    $fromrootcert = New-SelfSignedCertificate `
                    -Signer $rootcert `
                    -Subject "CN=PowerShell Code Signing" `
                    -KeyAlgorithm RSA `
                    -KeyLength 2048 `
                    -Type CodeSigningCert `
                    -CertStoreLocation Cert:\LocalMachine\My\
    
    # Sign the script
    Set-AuthenticodeSignature -FilePath C:\powershell.ps1 -Certificate $fromrootcert
    

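The following is an added example, not part of the answer above: it keeps the private key in the Personal store, trusts only the exported public certificate (in Trusted Root and also Trusted Publishers, which is what stops the "untrusted publisher" prompt under AllSigned/RemoteSigned), and then verifies the signature with Get-AuthenticodeSignature. The script path and certificate subject are assumptions; it needs an elevated session for Cert:\LocalMachine.

```powershell
# Added example (not the original answer's code). Assumed values: $scriptPath and the subject.
$scriptPath = 'C:\scripts\hello.ps1'
if (-not (Test-Path $scriptPath)) {
    # Constructed sample script so the example runs end to end
    New-Item -ItemType Directory -Path (Split-Path $scriptPath) -Force | Out-Null
    Set-Content -Path $scriptPath -Value "Write-Output 'hello from a signed script'"
}

# 1. Create the code-signing certificate; the private key stays in LocalMachine\My
$cert = New-SelfSignedCertificate `
    -Subject 'CN=PowerShell Code Signing (dev)' `
    -Type CodeSigningCert `
    -KeyAlgorithm RSA -KeyLength 2048 `
    -CertStoreLocation Cert:\LocalMachine\My `
    -NotAfter (Get-Date).AddYears(1)

# 2. Export only the public part (.cer carries no private key) ...
$cerPath = Join-Path $env:TEMP 'devsign.cer'
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null

# ... and import it where trust decisions are made: Root for chain validity,
# TrustedPublisher so PowerShell does not prompt before running the signed script
foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\TrustedPublisher') {
    Import-Certificate -FilePath $cerPath -CertStoreLocation $store | Out-Null
}

# 3. Sign with the certificate object from My (it is the one holding the private key)
$result = Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $cert
if ($result.Status -ne 'Valid') {
    throw "Signing failed: $($result.Status) - $($result.StatusMessage)"
}

# 4. Verify: the signature must be Valid AND made by the thumbprint we just created
$sig = Get-AuthenticodeSignature -FilePath $scriptPath
if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Thumbprint -eq $cert.Thumbprint) {
    Write-Output "OK: $scriptPath is signed by $($sig.SignerCertificate.Subject)"
} else {
    throw "Signature check failed: $($sig.Status) - $($sig.StatusMessage)"
}
```

Editing the script after signing changes its hash, so Get-AuthenticodeSignature then reports HashMismatch and the file must be re-signed.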