February 8, 2018 at 2:50 pm #93268
Absolute newbee here and pumped up after watching an old course on MVA with Jeffrey Snover and Jason Helmick.
I'm trying to get my scripts to execute. The scripts were all working fine, the execution policy is set to remote signed and yesterday, I swear all was working fine. Today however I can't run the scripts. I tried the unblock-file and the block is gone. However, it's not working so I decided that having a selfsigned cert might help.
So I used the get-help command and came up with the following lines. If you could point me in the right direction or give me some advice I'd be very grateful.
New-SelfSignedCertificate -FriendlyName "CodesigningCertificate" -Type Custom -KeyAlgorithm RSA -KeyLength 2048 -KeyUsage CertSign -CertStoreLocation "cert:\localmachine\my" -subject "Christian Held"
I wanted to create the cert under cert:\localmachine\my
Then I tried this:
PS C:\scripts\my_scripts> $Mycert = dir Cert:\LocalMachine\My\4A5CEDDBE853388EF77184570B5C45D9A9807C7D PS C:\scripts\my_scripts> Set-AuthenticodeSignature .\get_latest_10_eventlog.ps1 -Certificate $Mycert
February 8, 2018 at 7:08 pm #93313
I think you're down a bit of a rabbit hole. If the scripts aren't running – what DOES happen? Do you get an error message, or does just literally nothing occur?
Self-signed certificates are the devil's testicles. Let's not play with them. They're not going to help, anyway.
February 9, 2018 at 9:17 am #93342
Hi Don / postanote
I honestly don't know what was up yesterday. I only tried my script np.ps1 which contained a simple set-alias command for notepad. I found that file to be empty and it said software was blocked. Unfortunately I didn't do a set-transcript to log it all.
But the fact is that after I populated the then empty???? np.ps1 file it worked! And as a matter of fact all other scripts are working fine too now without me having done anything else?
I used the command to unblock all files which I found during the MVA video yesterday and was shocked that powershell complained about the scripts not being able to run despite having set the policy to remote signed.
Fact is I can't tell you why it was doing that as all other scripts from the MVA course workied yesterday too. With certificates I think it's right with the rabbit hole. But I love going down that root. It should work since makecert apparently is deprecated and new-selfsignedcertificate is now supposed to be used.
I really want to do it for a local machine (and I think I don't necessarily) have to provide domain info since I don't have an AD CA set up. There must be a way that it works. After all this is a new way of doing it and I'd expect it to work. So some more testing from my side and digging will be made.
Postanote, I'll check your command and see if that works for me.
Again thanks again for your quick and friendly answers.
February 8, 2018 at 10:44 pm #93334
You can create a SSC anywhere and just import it into the user or computer store.
You can do this on the fly, using the same cmdlet, but you need to specify it.
Quickly generate, install, and export Self-Signed Certificate in PowerShell on Windows 8.1/2012R2
Self-Signed Certificate can be used widely in test, development, Local Web or Cloud Web Sites. This article will introduce a method to quickly generate Self-Signed Certificate, automatically export private key, and install the cert under LocalMachine\My and LocalMachine\Root on Win8.1 and Win2012.
Self-signed certificate generator (PowerShell)
This script is an enhanced open-source PowerShell implementation of deprecated makecert.exe tool and utilizes the most modern certificate API — CertEnroll.
Creates a self-signed SSL certificate with multiple subject names and saves it to a file. Additionally, the certificate is saved in the Personal store of the Local Machine store. Private key is marked as exportable, so you can export the certificate with a associated private key to a file at any time. The certificate includes SMIME capabilities:
New-SelfsignedCertificateEx -Subject "CN=www.domain.com" -EKU "Server Authentication", "Client authentication" ` -KeyUsage "KeyEncipherment, DigitalSignature" -SAN "sub.domain.com","www.domain.com","192.168.1.1" ` -AllowSMIME -Path C:\test\ssl.pfx -Password (ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force) -Exportable ` -StoreLocation "LocalMachine"
You must be logged in to reply to this topic.