using self-signed cert between 2 hosts but get certificate chain error

This topic contains 2 replies, has 2 voices, and was last updated by john johnson 1 month ago.

  • #77661

    john johnson
    Participant

I'm new to certs, but I have been following this guide, using makecert.exe of course.

    https://www.darkoperator.com/blog/2013/3/5/powershell-basics-execution-policy-part-1.html

    With the guide I have successfully created a certificate under "Certificates – Current User\Trusted Root Certification Authorities"
    and under "Certificates – Current User\Personal\Certificates". I then used the following to sign my script successfully and was able to execute it as a signed script on the Win2012R2 server I created the cert on, which had the execution policy set to "AllSigned":

    # list the code-signing certificates in the current user's Personal store
    Get-ChildItem cert:\CurrentUser\My -codesign
    # sign the script with the first code-signing certificate found there
    Set-AuthenticodeSignature "C:\Users\admin\Desktop\test.ps1" @(Get-ChildItem cert:\CurrentUser\My -codesign)[0]
    

    I then followed the same guide, exported the .cer from "Certificates – Current User\Trusted Root Certification Authorities" and copied it over to another Windows 7 host. I attempted to import the .cer file with no issues at all. The execution policy is set to "AllSigned" over here as well.

    When I copy the signed test.ps1 over to the Win7 host and try to execute it, I get the following error:

    File C:\Users\admin\Desktop\test.ps1 cannot be
    loaded. A certificate chain could not be built to a trusted root authority.
        + CategoryInfo          : SecurityError: (:) [], ParentContainsErrorRecordException
        + FullyQualifiedErrorId : UnauthorizedAccess
    

    Am I missing something here, or is there a better method for me to create my own cert, sign my own ps1 scripts, move both to another Windows 7 host and have the signed script run there? Any help or suggestions appreciated.
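PowerShell builds the chain from the certificate that signed the script up to a root that sits in a Trusted Root store the running account can see: Cert:\CurrentUser\Root of that user, or Cert:\LocalMachine\Root. The error quoted above means neither store on the Windows 7 host holds the root of the signing chain by thumbprint, which is what happens when the exported file is the leaf (or a different cert) rather than the issuer, or when an import lands in a store other than Root. The following is an added example, not code from the post or from the linked guide, that exports the root by its thumbprint on the signing host, imports it into an explicitly named store on the second host, and then builds the chain there to show which link is missing. The subject CN=MyLabRoot, the file C:\temp\root.cer and the LocalMachine choice are placeholders; everything else uses only built-in cmdlets and .NET classes that exist on Windows 7's PowerShell 2.0.

```powershell
# Added example (not from the post or the linked guide). Placeholders:
# the root subject 'CN=MyLabRoot', the file C:\temp\root.cer and the script path.

# ---- Signing host (Windows Server 2012 R2): export the ROOT, public part only ----
$root = Get-ChildItem Cert:\CurrentUser\Root |
    Where-Object { $_.Subject -eq 'CN=MyLabRoot' } |
    Select-Object -First 1
if (-not $root) { throw 'root not found in CurrentUser\Root' }
$der = $root.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes('C:\temp\root.cer', $der)
"Root thumbprint to expect on the other host: $($root.Thumbprint)"

# ---- Windows 7 host (PowerShell 2.0 has no Import-Certificate cmdlet) ----
function Import-RootCert {
    param([string]$Path, [string]$Location = 'LocalMachine')   # LocalMachine needs an elevated prompt
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    # A trust anchor is self-issued; if this fires, the file holds the leaf or some other cert.
    if ($cert.Subject -ne $cert.Issuer) {
        throw "Not a self-signed root (subject '$($cert.Subject)', issuer '$($cert.Issuer)')"
    }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', $Location)
    $store.Open('ReadWrite')
    $store.Add($cert)          # explicit store name: nothing is left for Windows to guess
    $store.Close()
    $cert.Thumbprint
}

function Test-ScriptChain {
    param([string]$ScriptPath)
    $sig = Get-AuthenticodeSignature $ScriptPath
    if (-not $sig.SignerCertificate) { return 'not signed' }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'     # a lab root publishes no CRL
    $built = $chain.Build($sig.SignerCertificate)
    # Elements run leaf -> root; the last one must be present in a Root store of this user or machine.
    $chain.ChainElements | ForEach-Object { '  {0}  {1}' -f $_.Certificate.Thumbprint, $_.Certificate.Subject }
    $chain.ChainStatus   | ForEach-Object { '  {0}: {1}' -f $_.Status, $_.StatusInformation }
    'Get-AuthenticodeSignature: {0} ({1}); chain built: {2}' -f $sig.Status, $sig.StatusMessage, $built
}

$thumb = Import-RootCert 'C:\temp\root.cer'
# The thumbprint printed on the signing host must show up here, in a store PowerShell searches:
Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root | Where-Object { $_.Thumbprint -eq $thumb }
Test-ScriptChain 'C:\Users\admin\Desktop\test.ps1'
```

The built-in equivalent of Import-RootCert on Windows 7 is `certutil -addstore -f Root C:\temp\root.cer` from an elevated prompt; the point in both cases is that the store is named explicitly and the result is checked by thumbprint, not by whether the import dialog reported success. Two caveats: anything placed in LocalMachine\Root is a trust anchor for every user and every purpose on that machine, so only the public .cer should travel and the private key (.pvk or the exportable key in the Personal store) stays on the signing host; and the CurrentUser stores are per account, so a script run under a different user, or under an elevated session with its own profile, will not see a root imported into another user's CurrentUser\Root.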

  • #77703

    Liam Kemp
    Participant

    Hi John,
    Have you verified that the root certificate was actually imported to Trusted Root?
    I find that I often have to specify the specific store, rather than trusting Windows to figure it out based on the certificate.

    Liam

  • #77974

    john johnson
    Participant

    I have been bouncing between other things. I went to revisit this, and now I can't even execute my script on the Win2012R2 server where I originally created the cert WITHOUT getting prompted to V run never / D do not run / R run once / A always run. I think I might have had PowerShell set to Unrestricted before when testing. Below are the results of testing for the cert and my ps1 file that was signed. Again, I checked and my cert is visible in "Certificates – Current User\Trusted Root Certification Authorities\Certificates", also in "Certificates – Current User\Personal\Certificates", and in "Certificates (Local Computer)\Trusted Root Certification Authorities\Certificates". I thought if I had a cert set up fine locally, then signed it appropriately as I mentioned, then with the execution policy set to AllSigned, I shouldn't get prompted like I am above to choose a run method? I know when I set the execution policy to RemoteSigned, my signed script runs and I don't get the prompt.

    PS C:\Users\admin> dir Cert:\CurrentUser\My -CodeSigningCert

        Directory: Microsoft.PowerShell.Security\Certificate::CurrentUser\My

    Thumbprint                                Subject
    ----------                                -------
    3F27C85388B304DAE8C198333A3D7D281EB70935  CN=get_test PowerShell

    PS C:\Users\admin> Get-AuthenticodeSignature C:\Users\admin\Desktop\test\test.ps1 | ft -AutoSize

        Directory: C:\Users\admin\Desktop\test

    SignerCertificate                        Status Path
    -----------------                        ------ ----
    3F27C85388B304DAE8C198333A3D7D281EB70935 Valid  test.ps1
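The V/D/R/A prompt shown in the post is PowerShell's untrusted-publisher prompt. Under AllSigned a signed script runs silently only when two separate things hold: the signature is valid and chains to a trusted root (which the Valid status above confirms), and the signer certificate is present in a Trusted Publishers store (Cert:\CurrentUser\TrustedPublisher or Cert:\LocalMachine\TrustedPublisher). A valid chain without the publisher entry is exactly the case that produces the prompt; answering A is what puts the signer into the current user's Trusted Publishers store. The following added example, not code from the post, reports each of those conditions for a signed script, shows which execution-policy scope is actually in force, and adds the signer the way [A] would. The only value taken from the thread is the script path; nothing else is the author's.

```powershell
# Added example (not from the post). AllSigned needs (1) a signature chaining to a
# trusted root and (2) the signer in a Trusted Publishers store; (1) without (2) prompts.

function Get-PublisherTrust {
    param([string]$ScriptPath)
    $sig    = Get-AuthenticodeSignature $ScriptPath
    $signer = $sig.SignerCertificate
    if (-not $signer) { throw "$ScriptPath is not signed" }

    # Code-signing EKU (id-kp-codeSigning); a signer without it is not a valid script signer.
    $codeSigningOid = '1.3.6.1.5.5.7.3.3'
    $ekus = $signer.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } }

    # Membership is decided by thumbprint, in both locations PowerShell consults.
    $inStore = @{}
    foreach ($loc in 'CurrentUser', 'LocalMachine') {
        $inStore[$loc] = [bool](Get-ChildItem "Cert:\$loc\TrustedPublisher" |
            Where-Object { $_.Thumbprint -eq $signer.Thumbprint })
    }
    $published = $inStore['CurrentUser'] -or $inStore['LocalMachine']

    New-Object PSObject -Property @{
        Script                   = $ScriptPath
        SignatureStatus          = $sig.Status
        Signer                   = $signer.Subject
        Thumbprint               = $signer.Thumbprint
        HasCodeSigningEku        = ($ekus -contains $codeSigningOid)
        TrustedPublisherCU       = $inStore['CurrentUser']
        TrustedPublisherLM       = $inStore['LocalMachine']
        WillPromptUnderAllSigned = (($sig.Status -eq 'Valid') -and -not $published)
    }
}

function Add-TrustedPublisher {
    # Same effect as answering [A] at the prompt: the signer's public certificate goes
    # into TrustedPublisher. No private key is involved or needed.
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Signer,
        [string]$Location = 'CurrentUser'     # 'LocalMachine' covers every account, needs elevation
    )
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('TrustedPublisher', $Location)
    $store.Open('ReadWrite')
    $store.Add($Signer)
    $store.Close()
}

# Scopes are listed in precedence order: MachinePolicy and UserPolicy (Group Policy) win,
# then Process, CurrentUser, LocalMachine. This shows which one "AllSigned" really comes from.
Get-ExecutionPolicy -List

$report = Get-PublisherTrust 'C:\Users\admin\Desktop\test\test.ps1'
$report | Format-List
if ($report.WillPromptUnderAllSigned) {
    Add-TrustedPublisher (Get-AuthenticodeSignature $report.Script).SignerCertificate
    Get-PublisherTrust $report.Script | Format-List   # re-check: TrustedPublisherCU should now be True
}
```

RemoteSigned does not involve the publisher check for local files, which is why the same script runs without a prompt under that policy. Adding a certificate to Trusted Publishers means every script signed with that key runs silently under AllSigned for that user (or, with LocalMachine, for everyone on the machine), so the private key behind the signer is now what protects the host, and it should not be copied to the machines that merely run the scripts.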
    
