August 18, 2017 at 11:55 pm #77661
I'm new to certs, but I have been following this guide, using makecert.exe of course.
With the guide I have successfully created a certificate under "Certificates – Current User\Trusted Root Certification Authorities"
and under "Certificates – Current User\Personal\Certificates". I then used the following to sign my script successfully and was able to execute it as a signed script on the Win2012R2 server I created the cert on, which had the execution policy set to "AllSigned":
Get-ChildItem cert:\CurrentUser\My -codesign
Set-AuthenticodeSignature "C:\Users\admin\Desktop\test.ps1" @(Get-ChildItem cert:\CurrentUser\My -codesign)
I then followed the same guide, exported the .cer from "Certificates – Current User\Trusted Root Certification Authorities" and copied it over to another Windows 7 host. I imported the .cer file with no issues at all. The execution policy is set to "AllSigned" over here as well.
When I copy the signed test.ps1 over to the Win7 host and try to execute it, I get the following error:
File C:\Users\admin\Desktop\test.ps1 cannot be loaded. A certificate chain could not be built to a trusted root authority.
    + CategoryInfo          : SecurityError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : UnauthorizedAccess
Am I missing something here, or is there a better method for me to create my own cert, sign my own ps1 scripts, move both to another Windows 7 host and have the signed script run there? Any help or suggestions appreciated.
August 21, 2017 at 1:16 am #77703
Have you verified that the root certificate was actually imported to Trusted Root?
I find that I often have to specify the specific store, rather than trusting windows to figure it out based on the certificate.
August 23, 2017 at 6:57 pm #77974
I have been bouncing between other things. I went to re-visit this, and now I can't even execute my script on the Win2012R2 server where I originally created the cert WITHOUT getting prompted to [V] Run never / [D] Do not run / [R] Run once / [A] Always run. I think I might have had PowerShell set to Unrestricted before when testing. Below are the results of testing for the cert and my ps1 file that was signed. Again, I checked and my cert is visible in "Certificates – Current User\Trusted Root Certification Authorities\Certificates", also in "Certificates – Current User\Personal\Certificates", and in "Certificates (Local Computer)\Trusted Root Certification Authorities\Certificates"... I thought if I had a cert set up fine locally, then signed the script appropriately as I mentioned, then with Execution-Policy set to AllSigned I shouldn't get prompted like I am above to choose a run method? I know when I set the execution policy to RemoteSigned, my signed script runs and I don't get the prompt.
PS C:\Users\admin> dir Cert:\CurrentUser\My -CodeSigningCert

    Directory: Microsoft.PowerShell.Security\Certificate::CurrentUser\My

Thumbprint                                Subject
----------                                -------
3F27C85388B304DAE8C198333A3D7D281EB70935  CN=get_test PowerShell

PS C:\Users\admin> Get-AuthenticodeSignature C:\Users\admin\Desktop\test\test.ps1 | ft -AutoSize

    Directory: C:\Users\admin\Desktop\test

SignerCertificate                         Status  Path
-----------------                         ------  ----
3F27C85388B304DAE8C198333A3D7D281EB70935  Valid   test.ps1
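As an added diagnostic for the two questions in this thread (was the root really imported into a Trusted Root store, and why does AllSigned still prompt on the signing host), here is a check that is not code from the thread; it assumes the script path used in the first post. It builds the signer's chain, lists which chain element fails and why, and then reports whether the chain's root sits in a Trusted Root store (the "chain could not be built" error) and whether the signer itself sits in Trusted Publishers (the store the run/do-not-run prompt under AllSigned consults).

```powershell
# Added example, not from the thread: report why this host does or does not trust a signed script.
# Assumes the script path from the first post; change it for your own file.
$ScriptPath = 'C:\Users\admin\Desktop\test.ps1'

$sig = Get-AuthenticodeSignature -FilePath $ScriptPath
"Signature status : $($sig.Status) ($($sig.StatusMessage))"
if ($sig.SignerCertificate -eq $null) { return }   # unsigned, or the signature block was stripped
$signer = $sig.SignerCertificate
"Signer thumbprint: $($signer.Thumbprint)  $($signer.Subject)"

# Build the chain from the signer up. NoCheck avoids a spurious revocation failure for a
# self-made root that publishes no CRL; a real chain problem still makes Build() return $false.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$built = $chain.Build($signer)
"Chain builds to a trusted root: $built"
foreach ($el in $chain.ChainElements) {
    '  {0}  {1}' -f $el.Certificate.Thumbprint, $el.Certificate.Subject
    foreach ($st in $el.ChainElementStatus) {
        "    status: $($st.Status) - $($st.StatusInformation.Trim())"
    }
}

# Which stores actually hold the chain's top certificate (needed for the chain to build)
# and the signer certificate itself (needed to avoid the AllSigned publisher prompt)?
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$checks = @(
    @{ Store = 'Cert:\CurrentUser\Root';              Thumb = $root.Thumbprint;   Why = 'trusted root (user)' },
    @{ Store = 'Cert:\LocalMachine\Root';             Thumb = $root.Thumbprint;   Why = 'trusted root (machine)' },
    @{ Store = 'Cert:\CurrentUser\TrustedPublisher';  Thumb = $signer.Thumbprint; Why = 'no AllSigned prompt (user)' },
    @{ Store = 'Cert:\LocalMachine\TrustedPublisher'; Thumb = $signer.Thumbprint; Why = 'no AllSigned prompt (machine)' }
)
foreach ($c in $checks) {
    $present = [bool](Get-ChildItem $c.Store | Where-Object { $_.Thumbprint -eq $c.Thumb })
    '{0,-40} {1,-5} {2}' -f $c.Store, $present, $c.Why
}
```

On Windows 7, which has no Import-Certificate cmdlet, a .cer can be placed into a named store rather than letting the import wizard pick one, e.g. certutil -addstore -user Root file.cer for the root and certutil -addstore -user TrustedPublisher file.cer for the signer.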