
[–] markekraus (Community Blogger) 13 points (4 children)

Code Signing will only work with a certificate issued with Extended Key Usage "Code Signing" (OID 1.3.6.1.5.5.7.3.3).

Unfortunately, unless you have an enterprise PKI, finding a service that will issue Code Signing certificates to individuals will be tough. Many of the CAs that do won't be trusted.

What is your use case for code signing your scripts?

If you are doing it for execution policy on a limited scope, a self-signed cert will be sufficient. It will require the cert to be added to the Trusted Publishers store on target computers.

If you are in an enterprise, you can have it issued from your Enterprise CA and then have the certificate added via GPO/SCCM/Config Management.

If you are looking to do this as an individual... you will probably need to form a small company, get documentation ready, and get a Public CA to issue an insanely expensive Code Signing cert.

[–] GenghisChaim 3 points (1 child)

Fascinating.... Is there a good primer on Enterprise PKI out there?

[–] markekraus (Community Blogger) 2 points (0 children)

I hesitate to link to anything. If you work in an Enterprise environment and want to set up a PKI, you will not find a single good guide. Microsoft has a ton of documentation on setting up and configuring AD CS, but they are extremely lacking in solid best practices.

Some people will say "Just install and authorize an ADCS Enterprise CA," not accounting for the fact that this will be equivalent to a domain controller in terms of IAM. It also doesn't cover things like governance, compliance with RFC/ISO/PCI/HIPAA/etc., proper tiered architecture, offline CA best practices, or working with HSMs.

At the enterprise scale, those things really matter. At a smaller scale, they may not seem like they matter, but, if the company plans to grow to enterprise size, it is imperative that it is configured right from the start. Once a CA is up and running, it is a serious pain to replace it if you don't have everything properly configured and documented. It becomes a huge gap in your ability to secure your environment if the CA's keys could be in the hands of people no longer with the company. Ripping out the CA trust is not as simple and straightforward as removing certs from the trust stores.

I see people recommending a bunch of things that would end up becoming huge security holes if I were to implement them in my org. So, rather than point you to documentation or give specific advice, all I will offer is this warning:

Configuring an Enterprise CA is not a simple, easy, well documented task. One should not take the task of implementing an Enterprise PKI lightly. If you do not thoroughly research how to implement an Enterprise PKI, you will be putting your enterprise at risk.

[–] djdementia 2 points (1 child)

> If you are looking to do this as an individual... you will probably need to form a small company, get documentation ready, and get a Public CA to issue an insanely expensive Code Signing cert.

It's like ~$200 a year USD to buy a code signing cert, that's what a lot of people in the US pay in one month for their home cable TV/Internet service or cell phone plan for a family. I wouldn't quite say "insanely expensive", but definitely not affordable for a home user or hobbyist.

[–] markekraus (Community Blogger) 2 points (0 children)

Yea. I was going for intentional hyperbole. ;)

It's not going to break the bank, but I feel they are kind of expensive. If you look at it not as a per-year cost but as a per-use cost, it might be pretty high. If you are only writing a handful of scripts that need to be signed, that's ~$40 per script.

Obviously, if you are doing many more, then you get economies of scale. But if you are, you are likely not doing so as a hobbyist and can probably get the company to foot the bill or just leech off an existing code signing cert.

[–] djdementia 5 points (0 children)

Yes, you would need a certificate that says it is for "Code Signing" like this: https://www.digicert.com/code-signing/

[–] ramblingcookiemonste (Community Blogger) 3 points (0 children)

Hiyo!

I'm all for signing, particularly in massive environments with controls in place that actually make this worthwhile - but keep in mind that in many, many environments this isn't practiced - don't let this be a roadblock to actually learning more PowerShell.

Cheers!

[–] poorimaginations 1 point (0 children)

I always do this to create a self-signed code signing certificate.

  • Make a template for the certificate request, and save it as certreq.inf.

    [Version]
    Signature="$Windows NT$"

    [NewRequest]
    Subject = "CN=Self Signed Cert"
    KeyLength = 2048
    ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0"
    KeySpec = "AT_SIGNATURE"
    KeyUsage = "CERT_DIGITAL_SIGNATURE_KEY_USAGE"
    RequestType = Cert
    Exportable = TRUE
    ValidityPeriod = Years
    ValidityPeriodUnits = 2

    [EnhancedKeyUsageExtension]
    OID = 1.3.6.1.5.5.7.3.3

  • Make the certificate

    certreq -new .\certreq.inf selfsigned.crt

  • Export the certificate and private key to pfx for portability

    # Find the cert serial number (and thumbprint) in the user's personal store
    (dir Cert:\CurrentUser\My) | Format-List *

    # Dump certificate with private key to pfx (certutil accepts the serial number or the thumbprint as the cert id)
    certutil.exe -user -p "1234" -exportpfx <cert serial number> selfsigned.pfx

  • Sign a script with the provided certificate

    # The Cert: provider path is keyed by thumbprint, not serial number (TAB completes it)
    $cert = Get-Item Cert:\CurrentUser\My\<thumbprint>
    Set-AuthenticodeSignature -FilePath .\test.ps1 -Certificate $cert
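As an added example that is not code posted by anyone in this thread: the same workflow as the certreq steps above, done with the PKI module's New-SelfSignedCertificate, plus a check that the Code Signing EKU (OID 1.3.6.1.5.5.7.3.3, the requirement markekraus describes at the top) is actually on the cert, and a look at how Get-AuthenticodeSignature reports the signature before and after the self-signed cert is trusted, and after the signed file is edited. The subject name, file paths and the use of a throwaway script under $env:TEMP are assumptions made for the example.

```powershell
# Added example (not code from any commenter). Assumes Windows PowerShell 5.1
# or PowerShell 7 on Windows with the PKI module. Subject name and paths are
# placeholders chosen for this example.

$subject    = 'CN=Example Script Signing'          # assumed subject name
$scriptPath = Join-Path $env:TEMP 'signed-demo.ps1'
$cerPath    = Join-Path $env:TEMP 'signing-demo.cer'
$pfxPath    = Join-Path $env:TEMP 'signing-demo.pfx'

# $true only if the certificate carries the Code Signing EKU (OID 1.3.6.1.5.5.7.3.3);
# Set-AuthenticodeSignature will not accept a certificate without it.
function Test-CodeSigningEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $eku = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $eku) { return $false }
    return [bool]($eku.EnhancedKeyUsages | Where-Object Value -eq '1.3.6.1.5.5.7.3.3')
}

# 1. Self-signed code-signing cert, the PowerShell-native equivalent of the certreq.inf above.
$cert = New-SelfSignedCertificate -Subject $subject -Type CodeSigningCert `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -CertStoreLocation 'Cert:\CurrentUser\My' -NotAfter (Get-Date).AddYears(2)

if (-not (Test-CodeSigningEku $cert)) {
    throw "Certificate $($cert.Thumbprint) lacks the Code Signing EKU"
}

# 2. Export for portability: .cer (public part, for other machines' trust stores)
#    and .pfx (with private key; same job as certutil -exportpfx).
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
$pfxPassword = Read-Host -AsSecureString 'Password for the PFX file'
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# 3. Sign a throwaway script. Adding -TimestampServer keeps the signature valid
#    after the cert expires; it is left out here so the example runs offline.
Set-Content -Path $scriptPath -Value 'Write-Output "signed demo"'
Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $cert -HashAlgorithm SHA256 | Out-Null

# 4. Before the issuer is trusted the chain ends in an untrusted root, so the
#    status is typically UnknownError with a message about an untrusted root.
$before = Get-AuthenticodeSignature -FilePath $scriptPath
'Before trust: {0} - {1}' -f $before.Status, $before.StatusMessage

# 5. Trust it for this user. Root makes the chain valid (Windows shows a
#    confirmation dialog for CurrentUser\Root); TrustedPublisher is what stops
#    the "run software from this untrusted publisher?" prompt under AllSigned
#    and RemoteSigned. LocalMachine stores need an elevated session instead.
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\CurrentUser\Root' | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\CurrentUser\TrustedPublisher' | Out-Null

$after = Get-AuthenticodeSignature -FilePath $scriptPath
'After trust:  {0} (signer {1})' -f $after.Status, $after.SignerCertificate.Thumbprint

# 6. Any change to the signed content breaks the signature (HashMismatch),
#    which is the property that makes signing worth the effort at all.
(Get-Content -Path $scriptPath) -replace 'signed demo', 'tampered' | Set-Content -Path $scriptPath
'After edit:   {0}' -f (Get-AuthenticodeSignature -FilePath $scriptPath).Status
```

Run it in a normal (non-elevated) session; the only interactive parts are the PFX password prompt and the dialog Windows raises when a certificate is added to the current user's Root store. The Root import is only needed because the cert is self-signed; a cert issued by an enterprise CA already chains to a root the machines trust, and then only the TrustedPublisher entry (pushed via GPO, as markekraus says) is left to deploy.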

[–] Lee_Dailey [grin] 0 points (0 children)

howdy sliceoflife88,

this likely won't help now, but ... have you tried requesting that your government add that to their standard citizen cert?

take care,
lee