How To Sign Your PowerShell Script Using Domain Trusted CA Certificate

If you have a Trusted Root CA In your domain Environment you can use to Sign your PowerShell scripts In a few easy steps.

Update: This article will work on Windows 10 and Windows Server 2016

The first steps is to request a Code Signing Certificate from your Trusted Root CA by:

Open MMC and open the Certificate snap In with Local User

Right Click on Personal -> Certificates – > Request New Certificate

Click on More Information under Code Signing

Add Value to the Common name ad Click Add and OK

Click Enroll

Click Finish

Next you will see the new Certificate under Personal store

Signing Script

Next open PowerShell as Administrator

To view all you code Sign Certificates type:

Get-ChildItem cert:\CurrentUser\My -codesign

You will see all your code signing certificates In an order that start from 0, 1, 2

Next I’ll Sign my script with the Certificate called Mycert which is located on location [1]

Set-AuthenticodeSignature c:\v1.ps1 @(Get-ChildItem cert:\CurrentUser\My -codesign)[1]
 

Make sure the Status is set to Valid after running the cmdlet.

Once completed you will see the certificate code inside your script

2 Replies to “How To Sign Your PowerShell Script Using Domain Trusted CA Certificate”

  1. Hi,
    I want to sign my script LoadAndParse.ps1.
    I tried exactly – I think – that what you posted:
    PS C:\…\X> $cert = @(Get-ChildItem cert:\CurrentUser\My -codesigning)[0]
    PS C:\…\X> Set-AuthenticodeSignature LoadAndParse.ps1 $cert
    Directory: C:\…\
    SignerCertificate Status Path
    —————– —— —-
    UnknownError LoadAndParse.ps1

    If I slightly modify my sequence of orders by adding one command and I get it signed – but now it is empty 🙁

    PS C:\…\X> echo get-location > LoadAndParse.ps1
    PS C:\…\X> $cert = @(Get-ChildItem cert:\CurrentUser\My -codesigning)[0]
    PS C:\…\X> Set-AuthenticodeSignature LoadAndParse.ps1 $cert

    Directory: C:\…\X

    SignerCertificate Status Path
    —————– —— —-
    056260………….E24944E Valid LoadAndParse.ps1

    Now the script has only the key-block – well it is surprising method to secure a script!!

    How do I sign a script that is able to do something because the code remains untouched?
    Thanks in advance,
    Gooly

  2. Got the solution.
    PS-ISE saves in Unicode Big Endian which Set-AuthenticodeSignature does not understand.
    Use Notepad++ to save the script in UTF-8 and you’re fine.

    Sigh, if either the the error hint would point in the correct direction or Powershell would understand it’s own code – it would have saved me several hours!

    I couldn’t imagine to use a non MS-produt to run a MS-script 🙁

Comments are closed.