Get a powershell code signing cert from a Microsoft CA.

Summary:
This took me a little while to figure out.  Here are the basic steps.  This is so you can sign any scripts using your locally available domain CA.  By doing this, you can sign scripts and they will be authorized for use on your local domain.  This is so you can keep your powershell execution policy as remotesigned rather than unrestricted.
Request and Usage:
  1. Go to your certificate server’s URL.
  2. Select the “Request a certificate” Link
  3. Select the “advanced certificate request”
  4. Select “Create and submit a request to this CA”
    • If this link does not appear, you may be accessing from a browser other than Internet Explorer and/or your client (Windows Vista or newer) does not match the server version which may be Window 2003 in which case Windows XP would be needed.  Or you can generate a code signing CSR.  <-- Will add link when I figure out how to do this.  Seems possible through certreq.exe
    • Fill out the form w/ your pertinent information:
    • Type of Certificate Needed should be “Code Signing Certificate”
    • Key Size defaults to 1024, select what is appropriate based on your security needs.  My security dept. requires minimum 2048 when possible.
    • Check Mark Keys as exportable.
      • This is so you can export your code signing cert for use on other systems under your control.
    • (Optional): Check Store certificate in the local certificate store
      • This will store the cert in cert:\localmachine\my instead of cert:\currentuser\my
    • Cert_Request_001
  5. Once you’ve filled out the pertinent fields, you can submit your request.
  6. Visit the page once approved and select “View the status of a pending certificate request”
  7. Select your approved certificate link and install.
  8. Assuming you selected “store certificate in the local computer certificate store”, your cert will be located here in “cert:\localmachine\my”.
  9. To sign your powershell scripts do the following:
    • Set-AuthenticodeSignature C:\Path\ScriptName.ps1 (get-childitem cert:\localmachine\my -CodeSigningCert)
    • The above line assumes you only have one code signing cert, if you have multiples, you’ll need to adjust your get-childitem section.
Exporting your Code Signing Cert for use on other machines:
You’ll obviously only want to export and import this on machines you own.
  1. Open an MMC.exe Console.
  2. Add the Certificates Snapin, localmachine if you followed my steps above.
  3. Under Personal --> Certificates, right click your code signing cert, all tasks --> Export.
  4. Follow wizard, select ‘yes’ to export private key.
  5. PFX should be selected, select enable strong protection.
  6. Type in a password that you will remember.
  7. Place the exported pfx into a file path that is preferably secured.
  8. Click Finish.
You now have a code signing cert that you can import into other computers you own so you can sign powershell scripts where ever you may be.

No comments: