Create Code Signing Certificate on Windows for signing PowerShell scripts
There is no need for OpenSSL on Windows. On Windows 7, you can use my own PowerShell script I published on TechNet Script Gallery: Self-signed certificate generator (PowerShell). The usage can be something like this:
New-SelfsignedCertificateEx -Subject "CN=Test Code Signing" `
-EKU "Code Signing" `
-KeySpec "Signature" `
-KeyUsage "DigitalSignature" `
-FriendlyName "Test code signing" `
-NotAfter $([datetime]::now.AddYears(5))
(very first example).
Starting with Windows 8, you can use the built-in certreq.exe tool to generate the certificate. Create an INF file with the certificate configuration, for example:
[NewRequest]
Subject = "CN=Test Code Signing"
KeyLength = 2048
KeyAlgorithm = RSA
ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"
MachineKeySet = false
Exportable = true
KeySpec = 2
KeyUsage = 0x80
RequestType = Cert
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.3 ; Code signing
and then run the following command:
certreq -new path\inffilename.inf
This will generate the certificate and install it into the current user's certificate store.
Starting with Windows 10, you can use the built-in PowerShell cmdlet as follows:
New-SelfSignedCertificate -CertStoreLocation cert:\currentuser\my `
-Subject "CN=Test Code Signing" `
-KeyAlgorithm RSA `
-KeyLength 2048 `
-Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" `
-KeyExportPolicy Exportable `
-KeyUsage DigitalSignature `
-Type CodeSigningCert
However, using self-signed certificates for code signing in production environments is discouraged. You should use them in test environments only.
For private usage (within the organization only), you should check whether your company already owns a PKI infrastructure and contact the appropriate personnel to receive a company-approved code signing certificate.
For public scripts (which you are going to distribute along with software packages, or deliver to your customers), I would suggest purchasing a code signing certificate from a globally trusted commercial CA provider.
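The following is an added worked example, not part of the answer above and not the answer author's code. It takes the Windows 10 cmdlet from the answer one step further: it creates the self-signed certificate, checks that the Code Signing EKU (1.3.6.1.5.5.7.3.3, the same OID used in the INF above) is really present, signs a constructed test script with Set-AuthenticodeSignature, and shows why Get-AuthenticodeSignature reports the signature as untrusted until the certificate is placed in the Trusted Root and Trusted Publishers stores. The subject name, the temp file paths and the Test-ScriptSignature helper are assumptions made for the example; the trust-store import steps are for test machines only, in line with the answer's advice.

```powershell
# Added example (not from the answer): create a self-signed code-signing
# certificate, sign a test script, verify it, then trust it on a test machine.
# Requires Windows 10 / PowerShell 5.1 or later (PKI module for Export/Import-Certificate).

$subject = "CN=Test Code Signing"   # assumption: same subject the answer uses

# 1. Create the certificate in the current user's Personal store (same parameters as the answer).
$cert = New-SelfSignedCertificate -CertStoreLocation Cert:\CurrentUser\My `
    -Subject $subject `
    -KeyAlgorithm RSA `
    -KeyLength 2048 `
    -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" `
    -KeyExportPolicy Exportable `
    -KeyUsage DigitalSignature `
    -Type CodeSigningCert `
    -NotAfter (Get-Date).AddYears(5)

# 2. Confirm the Code Signing EKU is present; Set-AuthenticodeSignature rejects a
#    certificate without it, which is the usual cause of "not usable for code signing".
$ekuExt = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasCodeSigningEku = $null -ne $ekuExt -and
    ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.3' })
if (-not $hasCodeSigningEku) { throw "Certificate lacks the Code Signing EKU (1.3.6.1.5.5.7.3.3)" }

# 3. Write a constructed test script and sign it with SHA-256.
$scriptPath = Join-Path $env:TEMP 'signed-demo.ps1'   # assumed path
Set-Content -Path $scriptPath -Value 'Write-Output "hello from a signed script"' -Encoding UTF8
$sig = Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $cert -HashAlgorithm SHA256
# For a CA-issued certificate add -TimestampServer '<your CA timestamp URL>' (placeholder)
# so the signature stays valid after the certificate expires.
"Signing result: $($sig.Status)"

# 4. Verification helper: returns $true only when the chain is trusted and the hash matches.
function Test-ScriptSignature {
    param([Parameter(Mandatory)][string]$Path)
    $check = Get-AuthenticodeSignature -FilePath $Path
    "{0} signed by '{1}': {2}" -f (Split-Path $Path -Leaf), $check.SignerCertificate.Subject, $check.Status
    return $check.Status -eq 'Valid'
}

# A fresh self-signed certificate is not trusted yet, so the status is UnknownError,
# not Valid; AllSigned/RemoteSigned execution policies would refuse to run the script.
Test-ScriptSignature -Path $scriptPath | Out-Null

# 5. Test machines only: trust the certificate. Trusted Root makes the chain valid,
#    Trusted Publishers lets PowerShell run the script without the "Do you want to run" prompt.
$cerPath = Join-Path $env:TEMP 'test-codesign.cer'   # assumed path; public part only, no private key
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\CurrentUser\Root | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\CurrentUser\TrustedPublisher | Out-Null

# After the import the same script verifies as Valid.
Test-ScriptSignature -Path $scriptPath
```

Importing into Cert:\CurrentUser\Root prompts for confirmation, which is intended: it is the step that turns an arbitrary self-signed certificate into one the machine trusts, and it is exactly the step that must not happen on production hosts. There, the Trusted Publishers entry should be the organization's own PKI-issued signing certificate, and Test-ScriptSignature (or Get-AuthenticodeSignature directly) gives a quick audit of which scripts in a directory carry a signature that still chains to it.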
Admin
Updated on September 18, 2022

Comments

-
Admin over 1 year
According to this guide I tried to create a certificate for signing PowerShell scripts:
CD C:\OpenSSL-Win32\bin
REM Create the key for the Certificate Authority. 2048 is the bit encryption, you can set it whatever you want
openssl genrsa -out C:\Test\ca.key 2048
openssl req -config C:\OpenSSL-Win32\bin\openssl.cfg -new -x509 -days 1826 -key C:\Test\ca.key -out C:\Test\ca.crt
REM Now I'm creating the private key that will be for the actual code signing cert
openssl genrsa -out C:\Test\codesign.key 2048
openssl req -config C:\OpenSSL-Win32\bin\openssl.cfg -new -key C:\Test\codesign.key -reqexts v3_req -out C:\Test\codesign.csr
openssl x509 -req -days 1826 -in C:\Test\codesign.csr -CA C:\Test\ca.crt -CAkey C:\Test\ca.key -extfile C:\OpenSSL-Win32\bin\cnf\opensslTest.cnf -set_serial 01 -out C:\Test\codesign.crt
openssl pkcs12 -export -out C:\Test\codesign.pfx -inkey C:\Test\codesign.key -in C:\Test\codesign.crt
The following error occurs:
C:\OpenSSL-Win32\bin>openssl x509 -req -days 1826 -in C:\Test\codesign.csr -CA C:\Test\ca.crt -CAkey C:\Test\ca.key -extfile C:\OpenSSL-Win32\bin\cnf\openssl.cnf -set_serial 01 -out C:\Test\codesign.crt
Error Loading extension section default
14516:error:22097082:X509 V3 routines:do_ext_nconf:unknown extension name:crypto\x509v3\v3_conf.c:78:
14516:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:crypto\x509v3\v3_conf.c:47:name=HOME, value=.
I used OpenSSL v1.1.0c. Every other guide I found creates certificates that are not usable for code signing.
-
dave_thompson_085 over 7 years
I think you lost a linebreak on the INF file.
-
Kraang Prime about 6 years
"Globally trusted commercial CA provider" - is difficult to ascertain whether said entity (if you find one) remains in trust for the duration of your cert, and/or if there will be anyone left after to sign one for you.
-
S. Melted over 3 years
Following your "Starting with Windows 10..." cmdlet, I got an "unknown error" trying to sign code. Exporting then importing the new cert cleared this up as mentioned here: github.com/PowerShell/PowerShell/issues/…