Cannot add digital signature to my script


This topic contains 6 replies, has 4 voices, and was last updated by

3 years, 2 months ago.

  • Author
  • #27859

    Points: 0
    Rank: Member

    Hi everyone. I have a problem with adding a digital signature to my script. I cannot figure out what I am doing wrong.

    These are the steps that I did:

    – First, I created a self-signed certificate:
    PS New-SelfSignedCertificate -DnsName test -CertStoreLocation Cert:\CurrentUser\My

    – Second, I added the certificate to a variable:
    PS $cert = Get-Item Cert:\CurrentUser\My\7EEEB8FD2421BA55E0F0D6BEE6EF5FB03A3CF2E1

    – Third, I tried to add the certificate to the script:
    PS Set-AuthenticodeSignature -FilePath C:\test.ps1 -Certificate $cert

    And I get the following error:

    Set-AuthenticodeSignature : Cannot sign code. The specified certificate is not suitable for code signing.
    At line:1 char:1
    + Set-AuthenticodeSignature -FilePath C:\test.ps1 -Certificate ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidArgument: (:) [Set-AuthenticodeSignature], PSArgumentException
    + FullyQualifiedErrorId : Argument,Microsoft.PowerShell.Commands.SetAuthenticodeSignatureCommand

    Can someone help?

  • #27861

    Points: 0
    Rank: Member

    if you try this

    ls Cert:\CurrentUser\My -CodeSigningCert

    you won't see any result expect

    Which means that New-SelfSignedCertificate doesn't appear to create a cert you can use to sign code. Which is odd, as the documentation in the help file leads you to believe you can.

    I'll dig a bit more

  • #27867

    Points: 0
    Rank: Member

    Unfortunately New-SelfSignedCertificate is a very watered down cmdlet that does not support creating code signing certificates.

    You have three options:

    1) Buy a proper code signing certificate
    2) Use the makecert.exe tool – (this guide is more in-depth than just creating the certificate, but you should be able to extract the necessary information)
    3) Install the Active Directory Certificate Services role on a Windows Server VM and issue yourself a code signing certificate

  • #27879

    Points: 0
    Rank: Member

    There are instructions on using makecert to generate a self signed code signing cert in the about_signing help file

  • #27883

    Points: 0
    Rank: Member

    You can get the makecert utility for Windows 8.1 from

    You'll find it in
    C:\Program Files (x86)\Windows Kits\8.1\bin\x64

    C:\Program Files (x86)\Windows Kits\8.1\bin\x86

  • #27902

    Points: 0
    Rank: Member

    Thanks everyone for the help.

  • #33967

    Points: 0
    Rank: Member

    I'm brand new at this stuff, so creating a code signing certificate for experimentation was one of the first things I had to do; I just figured this out today. Here is the command I gave, except I have faked my email address:

    First, in PowerShell, navigate to cert:\Currentuser\My

    Then give this command:

    CurrentUser\my> New-SelfSignedCertificate -Subject "E=ga@nowhere.invalid,CN=Gerard Ashton" -TextExtension @("{text}")

    In the TextExtension property, means Enhanced Key Usage, and means code signing.

    One area I will need to explore is how hard it would be for just anyone to use this certificate; I have a feeling I should be doing more to secure it. Use this technique with due caution.

    Followup: once you create the certificate, you need to trust it. Navigate to Control Panel and type "certificate" in the search window. Then choose Manage User Certificates. Then go into the "Trusted Root Certification Authorities" and import the certificate you just created. You will find it in


    When you are trying to import it, be sure the file extension is set to *.* all files, because this file doesn't have any extension.

The topic ‘Cannot add digital signature to my script’ is closed to new replies.
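
An added example, not code from any poster in this thread: it creates a self-signed certificate that carries the Code Signing enhanced key usage, checks it before signing, and then inspects the resulting signature. It assumes Windows 10 / Server 2016 or later, where `New-SelfSignedCertificate` has a `-Type` parameter; the helper name, subject and file name are hypothetical.

```powershell
# Added example. Assumes Windows 10 / Server 2016 or later (New-SelfSignedCertificate -Type).
# Test-CodeSigningCert, the subject and the script path are constructed for illustration.
function Test-CodeSigningCert {
    # Returns $true only if the certificate has a private key and the Code Signing EKU,
    # the two things missing or wrong when signing fails with "not suitable for code signing".
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $codeSigningOid = '1.3.6.1.5.5.7.3.3'   # Code Signing enhanced key usage
    $eku = $Certificate.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $hasEku = [bool]($eku -and ($eku.EnhancedKeyUsages.Value -contains $codeSigningOid))
    return ($Certificate.HasPrivateKey -and $hasEku)
}

# 1. Request a code-signing certificate explicitly. NonExportable keeps the private
#    key from leaving the store through the normal export path; a short lifetime
#    limits exposure for a test certificate.
$cert = New-SelfSignedCertificate -Type CodeSigningCert `
    -Subject 'CN=Test Code Signing (constructed)' `
    -CertStoreLocation Cert:\CurrentUser\My `
    -KeyExportPolicy NonExportable `
    -NotAfter (Get-Date).AddMonths(6)

# 2. Check the certificate before trying to sign with it.
if (-not (Test-CodeSigningCert -Certificate $cert)) {
    throw "Certificate $($cert.Thumbprint) lacks a private key or the Code Signing EKU."
}
# The same filter used earlier in the thread should now list it as well.
Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object Thumbprint -eq $cert.Thumbprint

# 3. Sign a throwaway script (constructed sample content).
$scriptPath = Join-Path $env:TEMP 'signing-test.ps1'
Set-Content -Path $scriptPath -Value 'Write-Output "signed script ran"'
Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $cert | Out-Null

# 4. Inspect the signature. Until the certificate is trusted on this machine,
#    expect a Status other than Valid (typically UnknownError, with a message
#    about an untrusted root), even though the signature block was written.
Get-AuthenticodeSignature -FilePath $scriptPath |
    Format-List Status, StatusMessage,
        @{ Name = 'SignerThumbprint'; Expression = { $_.SignerCertificate.Thumbprint } }
```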
