Last active
December 20, 2018 11:04
Gist: miracles1315/cc43582162294485a57e68ae118eaa63
This script creates a self-signed code signing certificate that can be used for testing purposes to sign scripts.
<#
.SYNOPSIS
This script creates a self-signed code signing certificate, exports it to a .cer file, and re-imports that file into the Trusted Root Certification Authorities store of the current user.
.DESCRIPTION
This script creates a self-signed code signing certificate, valid for one year from the date/time it is created, that can be used for testing purposes to sign scripts. Because the certificate is self-signed, Windows does not trust its issuer, and a signature made with it would be reported as NotTrusted. The script therefore exports the certificate (the public certificate only; the private key is never written to disk) into a .cer file and re-imports it into the Trusted Root Certification Authorities store for the current user (i.e. Cert:\CurrentUser\Root). The private key stays in the current user's personal store (i.e. Cert:\CurrentUser\My).
.PARAMETER DnsName
Specify one or more DNS names to put into the subject alternative name (SAN) extension of the certificate. The first DNS name is also used as the subject name, issuer name (i.e. Issued By), and common name (i.e. Issued To). Default is the local computer name (i.e. $Env:ComputerName). This parameter has the aliases SubjectAlternativeName and SAN.
.PARAMETER FileName
The .cer file you want to export the code signing certificate to.
.EXAMPLE
PS C:\>New-CodeSigningCertificate.ps1 -FileName C:\cert.cer -DnsName Server1
OR
PS C:\>New-CodeSigningCertificate.ps1 -FileName C:\cert.cer -SubjectAlternativeName Server1
OR
PS C:\>New-CodeSigningCertificate.ps1 -FileName C:\cert.cer -SAN Server1
Creates a self-signed code signing certificate with a common name, subject name, and issuer name of Server1 and exports the certificate into a file in the C:\ directory called cert.cer.
.EXAMPLE
PS C:\>New-CodeSigningCertificate.ps1 -FileName C:\cert.cer Server1,www.contoso.com
Creates a self-signed code signing certificate with Server1 and www.contoso.com as the SAN entries (the unnamed list binds positionally to -DnsName). Server1 is also used as the common name (i.e. Issued To), subject name, and issuer name. The certificate is exported into a file in the C:\ directory called cert.cer.
.EXAMPLE
PS C:\>New-CodeSigningCertificate.ps1 cert.cer
Creates a self-signed code signing certificate with a common name, subject name, and issuer name of the local computer name and exports the code signing certificate into a file called cert.cer in the current directory.
.EXAMPLE
PS C:\>New-CodeSigningCertificate.ps1 cert.cer -Verbose
Creates a self-signed code signing certificate with a common name, subject name, and issuer name of the local computer name and exports the code signing certificate into a file called cert.cer in the current directory, while showing verbose details of what the script is doing.
.INPUTS
File name and one or more DNS names (i.e. SAN entries).
.OUTPUTS
A .cer certificate file (DER-encoded public certificate, no private key).
.NOTES
1. THIS CODE IS MADE AVAILABLE "AS IS", WITHOUT WARRANTY OF ANY KIND. THE ENTIRE RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE USER.
2. When importing the certificate into the Trusted Root Certification Authorities store for the current user (i.e. Cert:\CurrentUser\Root), you will get a security warning pop-up like the one quoted below. This is expected: you are telling Windows to trust, for this user account, anything signed with this certificate's private key. Read the message, and before accepting compare the thumbprint it shows with the thumbprint of the certificate the script just created in Cert:\CurrentUser\My (for example via Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert). The trust is limited to the current user; nothing is added to the machine-wide LocalMachine\Root store. Use the certificate for testing only and remove it from Cert:\CurrentUser\Root when you no longer need it.
Note: In order for the self-signed code signing certificate to work, you will need to click the Yes button of the security warning prompt. If you click No, the certificate is not imported and signatures made with it remain untrusted.
--Security Warning pop-up message:
You are about to install a certificate from a certification authority (CA) claiming to represent:
<The first name you specify for the -DnsName parameter>
Windows cannot validate that the certificate is actually from "<The first name you specify for the -DnsName parameter>".
You should confirm its origin by contacting "<The first name you specify for the -DnsName parameter>". The following number will assist you in this process:
Thumbprint (sha1): <Thumbprint of the self-signed code signing certificate that the script creates>
Warning:
If you install this root certificate, Windows will automatically trust any certificate issued by this CA. Installing a certificate with an unconfirmed thumbprint is a security risk. If you click "Yes" you acknowledge this risk.
Do you want to install this certificate?
3. Once this script has completed, use the Set-AuthenticodeSignature cmdlet to sign your scripts and Get-AuthenticodeSignature to check the result. See the help information (i.e. Help Set-AuthenticodeSignature -Full) for full details, including examples.
.LINK
about_Signing
New-SelfSignedCertificate
Export-Certificate
Import-Certificate
Set-AuthenticodeSignature
Get-AuthenticodeSignature
#>
[CmdletBinding()]
param
(
    [Parameter(Position = 1)]
    [Alias("SubjectAlternativeName","SAN")]
    # Specify one or more DNS names, in a comma-separated list, to put into the subject alternative name (SAN) extension of the certificate. The first DNS name is also used as the Subject Name, Issuer Name, and Common Name (i.e. Issued To).
    [string[]] $DnsName = $Env:ComputerName,

    [Parameter(Mandatory = $True,
               Position = 0,
               HelpMessage = "Specify the name of the .cer file to export the self-signed code signing certificate to.")]
    [string] $FileName
)

# Create the self-signed code signing certificate that will be used to sign PowerShell scripts.
# -Type CodeSigningCert sets the Code Signing enhanced key usage; the certificate and its private key land in the current user's personal store.
Write-Verbose "Creating the self-signed code signing certificate."
$CSCert = New-SelfSignedCertificate -DnsName $DnsName -CertStoreLocation "Cert:\CurrentUser\My" -Type CodeSigningCert

# Export the certificate to the specified location/file. Export-Certificate writes the public certificate only; the private key stays in the store.
Write-Verbose "Exporting the certificate."
Export-Certificate -Cert $CSCert -FilePath $FileName
Write-Verbose "Export complete."

# Import the certificate into the Trusted Root Certification Authorities store for the current user (i.e. Cert:\CurrentUser\Root).
# This is the step that raises the security warning described in the notes; the thumbprint in that dialog should match $CSCert.Thumbprint.
Write-Verbose "Importing the certificate from $FileName into the Trusted Root Certification Authorities store for the current user (i.e. Cert:\CurrentUser\Root)."
Import-Certificate -FilePath $FileName -CertStoreLocation "Cert:\CurrentUser\Root"
Write-Verbose "Import complete."
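The following is an added example, not part of the gist, showing the step note 3 leaves to the reader: sign a script with the certificate the script created, verify the signature, and see what a tampered file reports. It assumes the script was run with -DnsName Server1 (so the certificate subject is CN=Server1; change $Subject to match the name you used) and that the security warning was accepted. The sample script it signs is constructed in $env:TEMP.

```powershell
# Added example (not the gist's code). Assumes New-CodeSigningCertificate.ps1
# was run with -DnsName Server1 and the root-store import was accepted.
$Subject = 'CN=Server1'

# Pick the newest code signing certificate with that subject from the personal
# store, which is where the script placed it together with its private key.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.Subject -eq $Subject } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No code signing certificate with subject $Subject in Cert:\CurrentUser\My" }

# Constructed sample script to sign.
$scriptPath = Join-Path $env:TEMP 'hello.ps1'
Set-Content -Path $scriptPath -Value 'Write-Output "hello from a signed script"' -Encoding UTF8

# Sign it. -HashAlgorithm SHA256 avoids a SHA-1 file hash. No -TimestampServer is
# given so the example runs offline; without a timestamp the signature stops
# validating once the one-year certificate expires.
$sig = Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $cert -HashAlgorithm SHA256
if ($sig.Status -ne 'Valid') { throw "Signing failed: $($sig.Status) - $($sig.StatusMessage)" }

# Verify. Valid means the chain ends in a trusted root (the certificate the
# script imported into Cert:\CurrentUser\Root) and the file hash matches.
# Had the root import been skipped, this would read NotTrusted instead.
$check = Get-AuthenticodeSignature -FilePath $scriptPath
"{0}: {1} (signer {2}, thumbprint {3})" -f $scriptPath, $check.Status,
    $check.SignerCertificate.Subject, $check.SignerCertificate.Thumbprint

# Failure mode: any change to the signed content breaks the hash, even though
# the signature block at the end of the file is still present.
$content = Get-Content -Path $scriptPath -Raw
Set-Content -Path $scriptPath -Value $content.Replace('signed script', 'tampered script') -Encoding UTF8
$tampered = Get-AuthenticodeSignature -FilePath $scriptPath
"After edit: {0}" -f $tampered.Status   # HashMismatch

# The signature is plain text appended to the script; look at its last lines.
Get-Content -Path $scriptPath | Select-Object -Last 3

# When testing is over, withdraw the trust the gist granted (the certificate and
# its private key remain in Cert:\CurrentUser\My and can be deleted the same way):
# Get-ChildItem Cert:\CurrentUser\Root | Where-Object { $_.Thumbprint -eq $cert.Thumbprint } | Remove-Item
```

Run it in the same user session that ran the gist's script, since both stores involved are per-user. The cleanup line is left commented so the certificate stays usable for further tests; uncomment it when you are done, because a forgotten entry in Cert:\CurrentUser\Root keeps trusting anything signed with a key that is only protected by your user profile.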
THANK YOU!!!
I have been struggling with this all day. My primary skills are Linux and macOS; the modern Windows SDK is a frustrating hill to climb. Oh man, I am very glad you posted this.