CA and Code Signing Scripts in PS Core 6.1

This topic contains 2 replies, has 2 voices, and was last updated by  dynamik speed 2 weeks, 6 days ago.

  • #103139

    dynamik speed
    Participant

    Hi,

    I have installed PS Core 6.1 on a new install of Win10. I want to know the correct way to install a cert and sign scripts that I download.
    What are the best practices in Test and Production?
    I have had a look around the internet, and some places say to use makecert.exe, but then it says it has been deprecated and to use the PS cmdlet New-SelfSignedCertificate, but this does not work in PS Core 6.1? Do I need to import this, or is there a better way? I also have a Windows Domain environment.

  • #103196

    postanote
    Participant

    If you are on a Windows box, PSWin and PSCore (PSv6) are installed side-by-side. This is by design, as they are two different things. So, you'd use PSWin for all things PSCore can't do, and use PSCore for all the things it does and/or does better than PSWin.

    Why are you looking to use a self-signed cert, especially if this is an enterprise operational thing, vs a domain CA issued cert?
    The New-SelfSignedCertificate cmdlet is simply not available on PSv6. Not all cmdlets are available across all versions of PS. Some are even only available on certain OS versions, even on Windows.

    Makecert.exe works just fine, deprecated or not, and makecert.exe is available on PS6 installs as long as you have it on your system.

    PowerShell v6.0.2
    Copyright (c) Microsoft Corporation. All rights reserved.
    
    https://aka.ms/pscore6-docs
    Type 'help' to get help.
    
    PS C:\Program Files\PowerShell\6.0.2> Get-Command -Name '*cert*'
    
    CommandType     Name                                               Version    Source
    -----------     ----                                               -------    ------
    Cmdlet          Get-PfxCertificate                                 3.0.0.0    Microsoft.PowerShell.Security
    Application     appidcertstorecheck.exe                            10.0.17... C:\WINDOWS\system32\appidcertstorecheck.exe
    Application     CertEnrollCtrl.exe                                 10.0.17... C:\WINDOWS\system32\CertEnrollCtrl.exe
    Application     certlm.msc                                         0.0.0.0    C:\WINDOWS\system32\certlm.msc
    Application     certmgr.msc                                        0.0.0.0    C:\WINDOWS\system32\certmgr.msc
    Application     certreq.exe                                        10.0.17... C:\WINDOWS\system32\certreq.exe
    Application     certutil.exe                                       10.0.17... C:\WINDOWS\system32\certutil.exe
    Application     dmcertinst.exe                                     10.0.17... C:\WINDOWS\system32\dmcertinst.exe
    Application     makecert.exe                                       6.1.760... C:\Users\Daniel\AppData\Local\Programs\Fiddler\makecert.exe
    Application     TRACERT.EXE                                        10.0.17... C:\WINDOWS\system32\TRACERT.EXE
    Application     TrustCert.exe                                      1.0.5.0    C:\Users\Daniel\AppData\Local\Programs\Fiddler\TrustCert.exe
    

    Importing a cert is just a matter of adding it to the user certificate store for use.
    So, you do that manually via the MMC or certutil.exe or the Import-* cmdlets via PSWin.

     Get-Command -Name '*import*cert*'
    
    CommandType     Name                                               Version    Source
    -----------     ----                                               -------    ------
    Cmdlet          Import-ACMCertificate                              3.3.234.0  AWSPowerShell
    Cmdlet          Import-AzureKeyVaultCertificate                    4.1.0      AzureRM.KeyVault
    Cmdlet          Import-AzureRmApiManagementHostnameCertificate     5.1.0      AzureRM.ApiManagement
    Cmdlet          Import-Certificate                                 1.0.0.0    PKI
    Cmdlet          Import-DMSCertificate                              3.3.234.0  AWSPowerShell
    Cmdlet          Import-PfxCertificate                              1.0.0.0    PKI
    

    Then you have the pre-made script via the MS TechNet and the MS powershellgallery.com

    Self-signed certificate generator (PowerShell)

    This script is an enhanced open-source PowerShell implementation of deprecated makecert.exe tool and utilizes the most modern certificate API — CertEnroll

    'gallery.technet.microsoft.com/scriptcenter/Self-signed-certificate-5920a7c6'

    Carbon 2.5.4

    Carbon is a PowerShell module for automating the configuration Windows 7, 8, 2008, and 2012 and automation the installation and configuration of Windows applications, websites, and services. It can configure and manage:

    Get-Certificate
    Get-CertificateStore
    Install-Certificate
    Uninstall-Certificate

    'powershellgallery.com/packages/Carbon/2.5.4'

    Signing PowerShell Scripts (Self-Signed)

    'hanselman.com/blog/SigningPowerShellScripts.aspx'

    Hey, Scripting Guy! How Can I Sign Windows PowerShell Scripts with an Enterprise Windows PKI?

    'blogs.technet.microsoft.com/heyscriptingguy/2010/06/16/hey-scripting-guy-how-can-i-sign-windows-powershell-scripts-with-an-enterprise-windows-pki-part-1-of-2'

    'blogs.technet.microsoft.com/heyscriptingguy/2010/06/17/hey-scripting-guy-how-can-i-sign-windows-powershell-scripts-with-an-enterprise-windows-pki-part-2-of-2'
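
Added example, not part of the original posts: a test-environment signing workflow using the side-by-side approach described in the reply above, run from Windows PowerShell 5.1 because its PKI module provides New-SelfSignedCertificate. The subject name, file names and sample script are constructed for illustration; in production the certificate would come from the domain CA instead of steps 1 to 3.

```powershell
# Run in Windows PowerShell 5.1 (powershell.exe), not pwsh.exe: the PKI module
# cmdlets used here are the ones the thread reports as missing from PS Core 6.x.
$ErrorActionPreference = 'Stop'

# Constructed sample script so the example is self-contained.
$script = Join-Path $env:TEMP 'Demo-Signed.ps1'
Set-Content -Path $script -Value "Write-Output 'signed demo'"

# 1. Create a short-lived code-signing certificate in the user's personal store.
#    The private key stays in this store and is never exported.
$cert = New-SelfSignedCertificate -Type CodeSigningCert `
    -Subject 'CN=Test Code Signing (lab only)' `
    -CertStoreLocation Cert:\CurrentUser\My `
    -NotAfter (Get-Date).AddMonths(6)

# 2. Export only the public certificate (.cer, no private key).
$cer = Join-Path $env:TEMP 'TestCodeSigning.cer'
Export-Certificate -Cert $cert -FilePath $cer | Out-Null

# 3. Trust it for this user only. Root makes the chain build; TrustedPublisher
#    marks the signer as an approved publisher. Windows asks for confirmation
#    before adding a certificate to the user's Root store.
foreach ($store in 'Root', 'TrustedPublisher') {
    Import-Certificate -FilePath $cer -CertStoreLocation "Cert:\CurrentUser\$store" | Out-Null
}

# 4. Sign the script. Sign a downloaded script only after reviewing it: the
#    signature records your approval of the content, not who wrote it.
Set-AuthenticodeSignature -FilePath $script -Certificate $cert -HashAlgorithm SHA256 | Out-Null

# 5. Verify the signature before relying on it.
$check = Get-AuthenticodeSignature -FilePath $script
if ($check.Status -ne 'Valid') {
    throw "Signature not valid: $($check.Status) - $($check.StatusMessage)"
}

# 6. Tamper check: any edit after signing must invalidate the signature.
Add-Content -Path $script -Value '# modified after signing'
$tampered = Get-AuthenticodeSignature -FilePath $script
if ($tampered.Status -eq 'Valid') {
    throw 'Modified script still reports a valid signature'
}

# 7. Clean up the lab trust anchors and key when testing is finished.
foreach ($store in 'Root', 'TrustedPublisher', 'My') {
    Remove-Item -Path "Cert:\CurrentUser\$store\$($cert.Thumbprint)" -ErrorAction SilentlyContinue
}
```

The signature only matters when the execution policy requires it, for example AllSigned or RemoteSigned for downloaded files.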

  • #103541

    dynamik speed
    Participant

    Thanks for clarifying this.
    I wanted to use the self signed cert in a test environment.
    I also use Linux. PowerShell has automatically upgraded to PS Core, so how can I run PS Standard on Linux?
