How do I create a self-signed certificate for code signing on Windows?

Question

How do I create a self-signed certificate for code signing using tools from the Windows SDK?

Answer 1

As stated in the answer, in order to use a non deprecated way to sign your own script, one should use New-SelfSignedCertificate.

1. Generate the key:

New-SelfSignedCertificate -DnsName email@yourdomain.com -Type CodeSigning -CertStoreLocation cert:\CurrentUser\My

2. Export the certificate without the private key:

Export-Certificate -Cert (Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert)[0] -FilePath code_signing.crt

The [0] will make this work for cases when you have more than one certificate... Obviously make the index match the certificate you want to use... or use a way to filtrate (by thumprint or issuer).

3. Import it as Trusted Publisher

Import-Certificate -FilePath .\code_signing.crt -Cert Cert:\CurrentUser\TrustedPublisher

4. Import it as a Root certificate authority.

Import-Certificate -FilePath .\code_signing.crt -Cert Cert:\CurrentUser\Root

5. Sign the script (assuming here it's named script.ps1, fix the path accordingly).

Set-AuthenticodeSignature .\script.ps1 -Certificate (Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert)

Obviously once you have setup the key, you can simply sign any other scripts with it.
You can get more detailed information and some troubleshooting help in this article.