I am who I say I am because my CA says so
This article describes the use of self-signed code signing certificates on Microsoft Windows operating systems.
Create self-signed cert on Windows
Based on http://www.hanselman.com/blog/SigningPowerShellScripts.aspx
On Windows machines, in directory “C:\Program Files\Microsoft Visual Studio 8\SDK\v2.0\Bin" invoke the makecert.exe GUI.
Setup a Certificate Authority (CA):
makecert -n "CN=PowerShell Local Certificate Root" -a sha1 -eku 220.127.116.11.18.104.22.168.3 -r -sv root.pvk root.cer -ss Root -sr localMachine
Type in a Password twice for the Subject Key.
Type it in again.
See the cert under “Trusted root CA”.
Generates a personal certificate from the above certificate authority:
makecert -pe -n "CN=PowerShell User" -ss MY -a sha1 -eku 22.214.171.124.126.96.36.199.3 -iv root.pvk -ic root.cer
Type in a password for the Issuer Signature.
See the cert under Personal.
Invoke mmc.exe, and add the Certificates snap-in for “My user account” to view certificates.
Verify the certificate is known within PowerShell:
Get-ChildItem cert:\CurrentUser\My -codesign
Delete in your working directory temporary files root.pvk and root.cer.
The certificate info is stored with that of others, in “C:\Documents and Settings[username]\Application Data\Microsoft\SystemCertificates\My".
Sign a script, replacing “c:\foo.ps1” with the full path to your script:
Set-AuthenticodeSignature c:\foo.ps1 @(Get-ChildItem cert:\CurrentUser\My -codesign)
Use a text editor to view the script, which now has a signature block that begins with:
# SIG # Begin signature block"
Export for running elsewhere
PROTIP: When sending a script, also send along its Powershell certificates in the
Trusted Root Certification Authorities container.
Also send the Trusted Publishers file to prevent the first-time prompt from appearing.
Right-click and select Export for the Certificate Export Wizard GUI.
Leave “DER encoded binary X.509 (.CER)” selected and click Next.
Specify the file name after a full path and click Next.
PROTIP: It helps if everyone in an organization makes use of a company-standard folder.
Click OK to the “The export was successful” pop-up.
Verify a signed script can be used
More on DevOps
This is one of a series on DevOps:
- ci-cd (Continuous Integration and Continuous Delivery)
- Git and GitHub vs File Archival
- Git Commands and Statuses
- Git Commit, Tag, Push
- Git Utilities
- Data Security GitHub
- GitHub API
- Choices for DevOps Technologies
- Java DevOps Workflow
- AWS DevOps (CodeCommit, CodePipeline, CodeDeploy)
- Digital Ocean
- Cloud regions
- AWS Virtual Private Cloud
- Azure Cloud Onramp
- Azure Cloud
- Packer automation to build Vagrant images
Terraform multi-cloud provisioning automation
- Powershell Ecosystem
- Powershell on MacOS
- Jenkins Server Setup
- Jenkins Plug-ins
- Jenkins Freestyle jobs
- Dockerize apps
- Docker Setup
- API Management Microsoft
- Scenarios for load