PowerShell script signing with a personal certificate created by makecert

Hi all,

I use a tool called "makecert" to make a root certificate and a personal certificate as follows:

Root Cert: makecert -n "CN=ROOT CERTIFICATE" -a sha1 -eku 1.3.6.1.5.5.7.3.3 -r -sv root.pvk root.cer -ss Root

Then I tried to create a personal certificate to be used for signing a PowerShell script:

Personal Cert: makecert -n "CN=PERSONAL CERTIFICATE" -ss MY -a sha1 -eku 1.3.6.1.5.5.7.3.3 -iv root.pvk -ic root.cer -sv personal.cer


When I tried to sign a PowerShell script using the newly created certificate, I got this error:

********************************************************************************
PS C:\temp> Set-AuthenticodeSignature 1.ps1 @(get-childitem cert:\CurrentUser\My)[0]

Set-AuthenticodeSignature : Cannot sign code. The specified certificate is not
suitable for code signing.
********************************************************************************


I have a query: is it mandatory to embed the private key inside the personal certificate?

I could sign my PowerShell script if I do not save the private key file when making the personal certificate, as follows:

makecert -n "CN=PERSONAL CERTIFICATE" -ss MY -a sha1 -eku 1.3.6.1.5.5.7.3.3 -iv root.pvk -ic root.cer
(with the -sv option removed).

Please clarify. Thanks a lot.
ee_lcpaa asked:
Beartlaoi commented:
That error indicates that the certificate is not marked as usable to sign code. Certificates contain within them the things they are allowed to be used for.
Look through this article: http://stackoverflow.com/questions/84847/how-do-i-create-a-self-signed-certificate-for-code-signing-on-windows
This should get you through the current problem.

If you are going to sign a device driver or install package with the intent of installing onto newer Windows boxes, a self-signed cert will not work without serious re-config of the target OS. MS has made it extremely difficult to install stuff that was not signed by a major vendor.
Chris Dent (PowerShell Developer) commented:
Make sure the certificate really has the code signing EKU on it perhaps?

(@(get-childitem cert:\CurrentUser\My)[0]).Extensions['2.5.29.37'].EnhancedKeyUsages

You'll need the private key to sign, so also check for the "HasPrivateKey" property on the certificate. You won't need anyone else to have the private key (unless you also wish them to sign using that certificate).

You know you can probably get much the same result using certreq if you add the Code Signing EKU into the information file when you create the certificate.

Ultimately as long as you can publish your key chain into the right places I see no problem with your approach here.

Chris
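The two checks from the answer above (Code Signing EKU present, private key attached) put into one script that selects the certificate by subject instead of blindly taking `[0]`, signs the file, and then verifies the result. This is an added example, not code from the thread; it assumes the certificate from the question exists in Cert:\CurrentUser\My with subject `CN=PERSONAL CERTIFICATE`, that its issuing root was placed in the Root store as the `-ss Root` command does, that the script to sign is `C:\temp\1.ps1`, and PowerShell 3.0 or later for the `-HashAlgorithm` parameter. Taking `[0]` from the store is the most common reason for the "not suitable for code signing" error when several certificates are present, and a certificate whose private key went to a .pvk file instead of the store fails the `HasPrivateKey` check.

```powershell
# Added example, not part of the original thread. Assumptions: the personal
# certificate from the question is in Cert:\CurrentUser\My, its root is in
# Cert:\CurrentUser\Root, and the target script path is C:\temp\1.ps1.
$subject     = 'CN=PERSONAL CERTIFICATE'
$script      = 'C:\temp\1.ps1'
$codeSignEku = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning

# Select by subject; [0] may be some other certificate in the store.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq $subject } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with subject '$subject' in Cert:\CurrentUser\My" }

# Check 1: the Enhanced Key Usage extension (OID 2.5.29.37) must list Code Signing.
$ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$ekus   = if ($ekuExt) { @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) } else { @() }
if ($ekus -notcontains $codeSignEku) {
    throw "Certificate EKUs are [$($ekus -join ', ')]; Code Signing ($codeSignEku) is missing"
}

# Check 2: the store entry must carry a private key (a public cert alone cannot sign).
if (-not $cert.HasPrivateKey) {
    throw 'Certificate has no private key in this store'
}

# The certificate provider can apply the same filtering for you:
$usable = @(Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert)
Write-Host "Certificates the provider considers usable for code signing: $($usable.Count)"

# Sign with a SHA-256 file digest. Add -TimestampServer <url> (needs network,
# omitted here) so the signature stays valid after the certificate expires.
$sig = Set-AuthenticodeSignature -FilePath $script -Certificate $cert -HashAlgorithm SHA256
if ($sig.Status -ne 'Valid') {
    throw "Signing failed: $($sig.Status) - $($sig.StatusMessage)"
}

# Verify what the execution policy will see. 'Valid' requires the chain to end at a
# root in the trusted Root store; 'NotTrusted' or 'UnknownError' means it does not.
$check = Get-AuthenticodeSignature -FilePath $script
'{0}: {1} (signer: {2})' -f $script, $check.Status, $check.SignerCertificate.Subject
```

If the script signs but `Get-AuthenticodeSignature` reports anything other than `Valid`, the problem is trust of the chain rather than the signing certificate itself: the root must be present in the Root store on every machine that is expected to run the script, which is the "publish your key chain into the right places" point above.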