If you have a Trusted Root CA in your domain environment, you can use it to sign your PowerShell scripts in a few easy steps.
Update: This article will work on Windows 10 and Windows Server 2016
Request Code Signing Certificate
The first step is to request a Code Signing certificate from your Trusted Root CA:
Open MMC and add the Certificates snap-in for the current user account
Right-click Personal -> Certificates -> Request New Certificate
Under Code Signing, click More Information
Add a value for the Common name, click Add, then OK
Click Enroll
Click Finish
The new certificate now appears in the Personal store.
Signing the Script
Next, open PowerShell as Administrator.
To view all your code signing certificates, type:
Get-ChildItem cert:\CurrentUser\My -codesign
The code signing certificates are listed as an array, indexed from 0 (0, 1, 2, ...).
Next, I'll sign my script with the certificate called Mycert, which is at index [1]:
Set-AuthenticodeSignature c:\v1.ps1 @(Get-ChildItem cert:\CurrentUser\My -codesign)[1]
Make sure the Status column shows Valid after running the cmdlet.
Once it completes, you will see the signature block (beginning with # SIG # Begin signature block) appended to the end of your script.
Comments
2 responses to “How To Sign Your PowerShell Script Using Domain Trusted CA Certificate”
Hi,
I want to sign my script LoadAndParse.ps1.
I tried exactly – I think – what you posted:
PS C:\…\X> $cert = @(Get-ChildItem cert:\CurrentUser\My -codesigning)[0]
PS C:\…\X> Set-AuthenticodeSignature LoadAndParse.ps1 $cert
Directory: C:\…\
SignerCertificate Status Path
----------------- ------ ----
UnknownError LoadAndParse.ps1
If I slightly modify my sequence of orders by adding one command, I get it signed – but now it is empty 🙁
PS C:\…\X> echo get-location > LoadAndParse.ps1
PS C:\…\X> $cert = @(Get-ChildItem cert:\CurrentUser\My -codesigning)[0]
PS C:\…\X> Set-AuthenticodeSignature LoadAndParse.ps1 $cert
Directory: C:\…\X
SignerCertificate Status Path
----------------- ------ ----
056260………….E24944E Valid LoadAndParse.ps1
Now the script has only the key block – well, it is a surprising method to secure a script!!
How do I sign a script that is able to do something because the code remains untouched?
Thanks in advance,
Gooly
Got the solution.
PS-ISE saves in Unicode Big Endian, which Set-AuthenticodeSignature does not understand.
Use Notepad++ to save the script in UTF-8 and you’re fine.
Sigh, if either the error hint would point in the correct direction or PowerShell would understand its own code – it would have saved me several hours!
I couldn't imagine having to use a non-MS product to run an MS script 🙁
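The signing step from the article combined with the encoding pitfall Gooly describes in the comments, as an added example that is not part of the original post or its comments: the certificate subject CN=Mycert and the script path are placeholders, the certificate is chosen by subject rather than by array index so the choice does not change when the store changes, and the UTF-16 check before signing is an assumption about the failure mode rather than something the article documents.

```powershell
# Added example (not from the article): select a code-signing cert by subject,
# normalize the script's encoding, sign it, and verify the result.
param(
    [Parameter(Mandatory)] [string] $ScriptPath,
    [string] $CertSubject = 'CN=Mycert'   # placeholder: subject of the enrolled cert
)
$ScriptPath = (Resolve-Path $ScriptPath).Path   # .NET calls need an absolute path

# 1. Pick the newest code-signing certificate with that subject and a private key,
#    rather than relying on a positional index such as [1].
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.Subject -eq $CertSubject -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No code-signing certificate with subject '$CertSubject' and a private key" }

# 2. Detect a UTF-16 byte-order mark (what ISE writes when it saves as 'Unicode').
#    Assumption: this is the encoding behind the UnknownError / empty-file symptom
#    reported in the comments; re-saving as UTF-8 is the commenter's own fix.
$bytes = [System.IO.File]::ReadAllBytes($ScriptPath)
$isUtf16 = ($bytes.Length -ge 2) -and
           ((($bytes[0] -eq 0xFF) -and ($bytes[1] -eq 0xFE)) -or    # UTF-16 LE BOM
            (($bytes[0] -eq 0xFE) -and ($bytes[1] -eq 0xFF)))       # UTF-16 BE BOM
if ($isUtf16) {
    Write-Warning "$ScriptPath is UTF-16; re-saving as UTF-8 before signing"
    $text = [System.IO.File]::ReadAllText($ScriptPath)   # decodes using the BOM
    Set-Content -Path $ScriptPath -Value $text -Encoding UTF8   # UTF-8 with BOM on Windows PowerShell
}

# 3. Sign, then treat any Status other than Valid as a hard failure.
$sig = Set-AuthenticodeSignature -FilePath $ScriptPath -Certificate $cert
if ($sig.Status -ne 'Valid') {
    throw "Signing failed: $($sig.Status) - $($sig.StatusMessage)"
}

# 4. Re-read the signature independently and confirm it was made by the expected signer.
$check = Get-AuthenticodeSignature -FilePath $ScriptPath
if ($check.Status -ne 'Valid' -or $check.SignerCertificate.Thumbprint -ne $cert.Thumbprint) {
    throw "Verification failed: status $($check.Status), signer $($check.SignerCertificate.Thumbprint)"
}
"Signed $ScriptPath with $($cert.Subject) (thumbprint $($cert.Thumbprint))"
```

Run it as `.\Sign-Script.ps1 -ScriptPath C:\v1.ps1` (file name assumed); the thumbprint comparison in step 4 catches the case where a different certificate in the store happened to be used.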