Cannot add digital signature to my script

This topic contains 6 replies, has 4 voices, and was last updated by Gerard Ashton 9 months, 1 week ago.

  • #27859
    Toni Kuzmanovski

    Hi everyone. I have a problem with adding a digital signature to my script. I cannot figure out what I am doing wrong.

    These are the steps that I did:

    – First, I created a self-signed certificate:
    PS New-SelfSignedCertificate -DnsName test -CertStoreLocation Cert:\CurrentUser\My

    – Second, I added the certificate to a variable:
    PS $cert = Get-Item Cert:\CurrentUser\My\7EEEB8FD2421BA55E0F0D6BEE6EF5FB03A3CF2E1

    – Third, I tried to add the certificate to the script:
    PS Set-AuthenticodeSignature -FilePath C:\test.ps1 -Certificate $cert

    And I get the following error:

    Set-AuthenticodeSignature : Cannot sign code. The specified certificate is not suitable for code signing.
    At line:1 char:1
    + Set-AuthenticodeSignature -FilePath C:\test.ps1 -Certificate ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidArgument: (:) [Set-AuthenticodeSignature], PSArgumentException
    + FullyQualifiedErrorId : Argument,Microsoft.PowerShell.Commands.SetAuthenticodeSignatureCommand

    Can someone help?

  • #27861
    Richard Siddaway

    If you try this

    ls Cert:\CurrentUser\My -CodeSigningCert

    you won't see any result expect

    Which means that New-SelfSignedCertificate doesn't appear to create a cert you can use to sign code. Which is odd, as the documentation in the help file leads you to believe you can.

    I'll dig a bit more

  • #27867
    Martin Nielsen

    Unfortunately New-SelfSignedCertificate is a very watered down cmdlet that does not support creating code signing certificates.

    You have three options:

    1) Buy a proper code signing certificate
    2) Use the makecert.exe tool – (this guide is more in-depth than just creating the certificate, but you should be able to extract the necessary information)
    3) Install the Active Directory Certificate Services role on a Windows Server VM and issue yourself a code signing certificate

  • #27879
    Richard Siddaway

    There are instructions on using makecert to generate a self-signed code signing cert in the about_signing help file.

  • #27883
    Richard Siddaway

    You can get the makecert utility for Windows 8.1 from

    You'll find it in
    C:\Program Files (x86)\Windows Kits\8.1\bin\x64

    C:\Program Files (x86)\Windows Kits\8.1\bin\x86

  • #27902
    Toni Kuzmanovski

    Thanks everyone for the help.

  • #33967
    Gerard Ashton

    I'm brand new at this stuff, so creating a code signing certificate for experimentation was one of the first things I had to do; I just figured this out today. Here is the command I gave, except I have faked my email address:

    First, in PowerShell, navigate to cert:\Currentuser\My

    Then give this command:

    CurrentUser\my> New-SelfSignedCertificate -Subject "E=ga@nowhere.invalid,CN=Gerard Ashton" -TextExtension @("{text}")

    In the TextExtension property, means Enhanced Key Usage, and means code signing.

    One area I will need to explore is how hard it would be for just anyone to use this certificate; I have a feeling I should be doing more to secure it. Use this technique with due caution.

    Followup: once you create the certificate, you need to trust it. Navigate to Control Panel and type "certificate" in the search window. Then choose Manage User Certificates. Then go into the "Trusted Root Certification Authorities" and import the certificate you just created. You will find it in


    When you are trying to import it, be sure the file extension is set to *.* all files, because this file doesn't have any extension.
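
Added example, not part of any post in this thread: a check for the Code Signing enhanced key usage (OID 1.3.6.1.5.5.7.3.3) that shows why the certificate from the original question is rejected, followed by signing with a certificate that carries it. It assumes Windows 10 / Server 2016 or later, where New-SelfSignedCertificate accepts -Type CodeSigningCert; Test-CodeSigningEku, the subject name and the temp file are constructed for this example.

```powershell
# Added example (assumptions: Windows 10 / Server 2016+, CurrentUser store).
$CodeSigningOid = '1.3.6.1.5.5.7.3.3'   # Enhanced Key Usage: Code Signing

# Hypothetical helper: does this cert have a private key and the Code Signing EKU?
function Test-CodeSigningEku {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    if (-not $Certificate.HasPrivateKey) { return $false }
    $eku = $Certificate.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    # A cert with no EKU extension is treated as unsuitable here (conservative choice).
    if (-not $eku) { return $false }
    return [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $CodeSigningOid })
}

$store = 'Cert:\CurrentUser\My'

# Same call as in the original question: -DnsName yields a TLS-style certificate.
$tlsCert  = New-SelfSignedCertificate -DnsName 'test' -CertStoreLocation $store
# Certificate requested explicitly for code signing (constructed subject).
$signCert = New-SelfSignedCertificate -Type CodeSigningCert `
    -Subject 'CN=Constructed Test Signer' -CertStoreLocation $store

foreach ($c in $tlsCert, $signCert) {
    '{0}  {1}  CodeSigning={2}' -f $c.Thumbprint, $c.Subject, (Test-CodeSigningEku $c)
}

# Sign a throwaway script only with a certificate that passed the check.
$script = Join-Path $env:TEMP 'signing-demo.ps1'
Set-Content -Path $script -Value "'signed demo script'"
if (Test-CodeSigningEku $signCert) {
    Set-AuthenticodeSignature -FilePath $script -Certificate $signCert |
        Format-List Status, StatusMessage
}

# Confirm which certificate the signature block refers to.
$sig = Get-AuthenticodeSignature -FilePath $script
'Signed by expected cert: {0}' -f ($sig.SignerCertificate.Thumbprint -eq $signCert.Thumbprint)

# Clean up: remove the test certificates and their private keys, and the script.
foreach ($c in $tlsCert, $signCert) {
    Remove-Item -Path (Join-Path $store $c.Thumbprint) -DeleteKey
}
Remove-Item -Path $script
```

The Status reported for the signed file depends on whether the self-signed certificate has been trusted, as the follow-up in the last post describes.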
