Issue with new-selfsignedcertificate

Welcome Forums General PowerShell Q&A Issue with new-selfsignedcertificate

This topic contains 3 replies, has 3 voices, and was last updated by

 
Participant
9 months ago.

  • Author
    Posts
  • #93268

    Participant
    Points: 0
    Rank: Member

    Hi all,

    Absolute newbee here and pumped up after watching an old course on MVA with Jeffrey Snover and Jason Helmick.

    I'm trying to get my scripts to execute. The scripts were all working fine, the execution policy is set to remote signed and yesterday, I swear all was working fine. Today however I can't run the scripts. I tried the unblock-file and the block is gone. However, it's not working so I decided that having a selfsigned cert might help.

    So I used the get-help command and came up with the following lines. If you could point me in the right direction or give me some advice I'd be very grateful.

    New-SelfSignedCertificate -FriendlyName "CodesigningCertificate" -Type Custom -KeyAlgorithm RSA  -KeyLength 2048 -KeyUsage CertSign -CertStoreLocation "cert:\localmachine\my" -subject "Christian Held"

    I wanted to create the cert under cert:\localmachine\my

    Then I tried this:

    PS C:\scripts\my_scripts> $Mycert = dir Cert:\LocalMachine\My\4A5CEDDBE853388EF77184570B5C45D9A9807C7D
    PS C:\scripts\my_scripts> Set-AuthenticodeSignature .\get_latest_10_eventlog.ps1 -Certificate $Mycert
  • #93313

    Keymaster
    Points: 1,619
    Helping HandTeam Member
    Rank: Community Hero

    I think you're down a bit of a rabbit hole. If the scripts aren't running – what DOES happen? Do you get an error message, or does just literally nothing occur?

    Self-signed certificates are the devil's testicles. Let's not play with them. They're not going to help, anyway.

    • #93342

      Participant
      Points: 0
      Rank: Member

      Hi Don / postanote

      I honestly don't know what was up yesterday. I only tried my script np.ps1 which contained a simple set-alias command for notepad. I found that file to be empty and it said software was blocked. Unfortunately I didn't do a set-transcript to log it all.

      But the fact is that after I populated the then empty???? np.ps1 file it worked! And as a matter of fact all other scripts are working fine too now without me having done anything else?

      I used the command to unblock all files which I found during the MVA video yesterday and was shocked that powershell complained about the scripts not being able to run despite having set the policy to remote signed.

      Fact is I can't tell you why it was doing that as all other scripts from the MVA course workied yesterday too. With certificates I think it's right with the rabbit hole. But I love going down that root. It should work since makecert apparently is deprecated and new-selfsignedcertificate is now supposed to be used.

      @postanote
      I really want to do it for a local machine (and I think I don't necessarily) have to provide domain info since I don't have an AD CA set up. There must be a way that it works. After all this is a new way of doing it and I'd expect it to work. So some more testing from my side and digging will be made.

      Postanote, I'll check your command and see if that works for me.

      Again thanks again for your quick and friendly answers.

      Christian

  • #93334

    Participant
    Points: 205
    Helping Hand
    Rank: Participant

    You can create a SSC anywhere and just import it into the user or computer store.

    You can do this on the fly, using the same cmdlet, but you need to specify it.

    Quickly generate, install, and export Self-Signed Certificate in PowerShell on Windows 8.1/2012R2

    Self-Signed Certificate can be used widely in test, development, Local Web or Cloud Web Sites. This article will introduce a method to quickly generate Self-Signed Certificate, automatically export private key, and install the cert under LocalMachine\My and LocalMachine\Root on Win8.1 and Win2012.

    'blogs.msdn.microsoft.com/asiatech/2014/11/02/quickly-generate-install-and-export-self-signed-certificate-in-powershell-on-windows-8-12012r2'

    Self-signed certificate generator (PowerShell)
    Description

    This script is an enhanced open-source PowerShell implementation of deprecated makecert.exe tool and utilizes the most modern certificate API — CertEnroll.

    'gallery.technet.microsoft.com/scriptcenter/Self-signed-certificate-5920a7c6'

    Example:

    Creates a self-signed SSL certificate with multiple subject names and saves it to a file. Additionally, the certificate is saved in the Personal store of the Local Machine store. Private key is marked as exportable, so you can export the certificate with a associated private key to a file at any time. The certificate includes SMIME capabilities:

        
        New-SelfsignedCertificateEx -Subject "CN=www.domain.com" -EKU "Server Authentication", "Client authentication" ` 
        -KeyUsage "KeyEncipherment, DigitalSignature" -SAN "sub.domain.com","www.domain.com","192.168.1.1" ` 
        -AllowSMIME -Path C:\test\ssl.pfx -Password (ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force) -Exportable ` 
        -StoreLocation "LocalMachine"
    

The topic ‘Issue with new-selfsignedcertificate’ is closed to new replies.