Create Code Signing Certificate on Windows for signing PowerShell scripts

There is no need for OpenSSL on Windows. On Windows 7, you can use my own PowerShell script I published on TechNet Script Gallery: Self-signed certificate generator (PowerShell). The usage can be something like this:

New-SelfsignedCertificateEx -Subject "CN=Test Code Signing" `
-EKU "Code Signing" `
-KeySpec "Signature" `
-KeyUsage "DigitalSignature" `
-FriendlyName "Test code signing" `
-NotAfter $([datetime]::now.AddYears(5))

(very first example).

Starting with Windows 8, you can use the built-in certreq.exe tool to generate the certificate. Create an INF file with the cert configuration, for example:

[NewRequest]
Subject = "CN=Test Code Signing"
KeyLength = 2048
KeyAlgorithm = RSA
ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"
MachineKeySet = false   ; keep the key in the current user's profile, not the machine store
Exportable = true       ; allow the private key to be exported (for example to a PFX)
KeySpec = 2             ; AT_SIGNATURE
KeyUsage = 0x80         ; digitalSignature
RequestType = Cert      ; produce a self-signed certificate rather than a CSR
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.3 ; Code signing

and then run the following command:

certreq -new path\inffilename.inf

This will generate and install the certificate to current user's certificate store.

Starting with Windows 10, you can use the built-in PowerShell cmdlet as follows:

New-SelfSignedCertificate -CertStoreLocation cert:\currentuser\my `
-Subject "CN=Test Code Signing" `
-KeyAlgorithm RSA `
-KeyLength 2048 `
-Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" `
-KeyExportPolicy Exportable `
-KeyUsage DigitalSignature `
-Type CodeSigningCert

However, self-signed certificate usage for code signing in production environments is discouraged. You should use them in test environments only.

For private usage (within the organization only), you should check if the company already owns a PKI infrastructure and contact the appropriate personnel to receive a company-approved code signing certificate.

For public scripts (that you are going to distribute along with software packages, or deliver to your customers), I would suggest purchasing a code signing certificate from a globally trusted commercial CA provider.
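The following is an added end-to-end example, not part of the original answer: it creates the certificate with the Windows 10 cmdlet shown above, signs a constructed test script, and shows why a self-signed signer reports UnknownError until its public certificate is trusted, and HashMismatch once the script is edited. It assumes Windows 10 or later with the PKI module and uses file paths under $env:TEMP chosen for this example.

```powershell
# Added example (not the answer's own code). Assumes Windows 10+, PKI module present.
$cert = New-SelfSignedCertificate -CertStoreLocation Cert:\CurrentUser\My `
    -Subject "CN=Test Code Signing" `
    -KeyAlgorithm RSA -KeyLength 2048 `
    -KeyExportPolicy Exportable `
    -KeyUsage DigitalSignature `
    -Type CodeSigningCert `
    -NotAfter (Get-Date).AddYears(1)

# Constructed sample script to sign (path chosen for this example).
$script = Join-Path $env:TEMP 'hello.ps1'
Set-Content -Path $script -Value 'Write-Output "signed test script"' -Encoding UTF8

# Sign with SHA-256. Signing succeeds, but the status is UnknownError because the
# chain ends in a self-signed certificate that is not in a trusted root store.
$sig = Set-AuthenticodeSignature -FilePath $script -Certificate $cert -HashAlgorithm SHA256
"After signing:  $($sig.Status) - $($sig.StatusMessage)"

# Test-environment trust only: export the public certificate (no private key) and
# import it into the current user's Trusted Root and Trusted Publishers stores.
# Windows shows a confirmation dialog when a root is added to the user's Root store.
$cerPath = Join-Path $env:TEMP 'testcodesign.cer'
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\CurrentUser\Root | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\CurrentUser\TrustedPublisher | Out-Null

# Re-check: the same signature is now Valid, and the script runs under AllSigned.
"After trusting: $((Get-AuthenticodeSignature -FilePath $script).Status)"

# Any change to the signed content invalidates the signature (HashMismatch),
# even though the '# SIG # ...' block at the end of the file is left intact.
(Get-Content -Path $script) -replace 'signed test script', 'tampered' |
    Set-Content -Path $script -Encoding UTF8
"After editing:  $((Get-AuthenticodeSignature -FilePath $script).Status)"
```

Remove the test certificate from Cert:\CurrentUser\Root and Cert:\CurrentUser\TrustedPublisher when the test is done; leaving a self-signed root trusted on a workstation widens what that user will run.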

Updated on September 18, 2022

Comments

  • Admin
    Admin over 1 year

    According to this guide I tried to create a certificate for signing PowerShell scripts:

    CD C:\OpenSSL-Win32\bin
    REM Create the key for the Certificate Authority.  2048 is the bit encryption, you can set it whatever you want
    openssl genrsa -out C:\Test\ca.key 2048
    openssl req -config C:\OpenSSL-Win32\bin\openssl.cfg -new -x509 -days 1826 -key C:\Test\ca.key -out C:\Test\ca.crt
    REM Now I'm creating the private key that will be for the actual code signing cert
    openssl genrsa -out C:\Test\codesign.key 2048
    openssl req -config C:\OpenSSL-Win32\bin\openssl.cfg -new -key C:\Test\codesign.key -reqexts v3_req -out C:\Test\codesign.csr
    openssl x509 -req -days 1826 -in C:\Test\codesign.csr -CA C:\Test\ca.crt -CAkey C:\Test\ca.key -extfile C:\OpenSSL-Win32\bin\cnf\opensslTest.cnf -set_serial 01 -out C:\Test\codesign.crt
    openssl pkcs12 -export -out C:\Test\codesign.pfx -inkey C:\Test\codesign.key -in C:\Test\codesign.crt
    

    The following error occurs:

    C:\OpenSSL-Win32\bin>openssl x509 -req -days 1826 -in C:\Test\codesign.csr -CA C:\Test\ca.crt -CAkey C:\Test\ca.key -extfile C:\OpenSSL-Win32\bin\cnf\openssl.cnf -set_serial 01 -out C:\Test\codesign.crt
    Error Loading extension section default
    14516:error:22097082:X509 V3 routines:do_ext_nconf:unknown extension name:crypto\x509v3\v3_conf.c:78:
    14516:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:crypto\x509v3\v3_conf.c:47:name=HOME, value=.
    

    I used OpenSSL v1.1.0c. Every other guide I found creates certificates that are not usable for code signing.

  • dave_thompson_085
    dave_thompson_085 over 7 years
    I think you lost a linebreak on the INF file.
  • Kraang Prime
    Kraang Prime about 6 years
    "Globally trusted commercial CA provider" - is difficult to ascertain whether said entity (if you find one) remains in trust for the duration of your cert, and/or if there will be anyone left after to sign one for you.
  • S. Melted
    S. Melted over 3 years
    Following your "Starting with windows 10..." cmdlet, I got an "unknown error" trying to sign code. Exporting then importing the new cert cleared this up as mentioned here: github.com/PowerShell/PowerShell/issues/…