
PowerShell script signing with a personal certificate created by makecert

Hi all,

I use a tool called "makecert" to make a root certificate and a personal certificate as follows:

Root Cert: makecert -n "CN=ROOT CERTIFICATE" -a sha1 -eku 1.3.6.1.5.5.7.3.3 -r -sv root.pvk root.cer -ss Root

Then I tried to create a personal cert to be used for signing a PowerShell script:

Personal Cert: makecert -n "CN=PERSONAL CERTIFICATE" -ss MY -a sha1 -eku 1.3.6.1.5.5.7.3.3 -iv root.pvk -ic root.cer -sv personal.cer


When I tried to sign a PowerShell script using the newly created certificate, I got this error:

********************************************************************************
PS C:\temp> Set-AuthenticodeSignature 1.ps1 @(get-childitem cert:\CurrentUser\My)[0]

Set-AuthenticodeSignature : Cannot sign code. The specified certificate is not suitable for code signing.
********************************************************************************


I have a query: is it mandatory to embed the private key inside the personal certificate?

I could sign my powershell script if I do not save the private key file when making a personal certificate as follows:

makecert -n "CN=PERSONAL CERTIFICATE" -ss MY -a sha1 -eku 1.3.6.1.5.5.7.3.3 -iv root.pvk -ic root.cer
(with the -sv option removed).

Please clarify. Thanks a lot.
Asked by: ee_lcpaa

1 Solution
Beartlaoi commented:
That error indicates that the certificate is not marked as usable to sign code. Certificates contain within them the things they are allowed to be used for.
Look through this article: http://stackoverflow.com/questions/84847/how-do-i-create-a-self-signed-certificate-for-code-signing-on-windows
This should get you through the current problem.

If you are going to sign a device driver or install package with the intent of installing onto newer Windows boxes, a self-signed cert will not work without serious re-config of the target OS. MS has made it extremely difficult to install stuff that was not signed by a major vendor.

Chris Dent (PowerShell Developer) commented:
Make sure the certificate really has the code signing EKU on it perhaps?
(@(get-childitem cert:\CurrentUser\My)[0]).Extensions['2.5.29.37'].EnhancedKeyUsages

You'll need the private key to sign, so also check for the "HasPrivateKey" property on the certificate. You won't need anyone else to have the private key (unless you also wish them to sign using that certificate).

You know you can probably get much the same result using certreq if you add the Code Signing EKU into the information file when you create the certificate.

Ultimately as long as you can publish your key chain into the right places I see no problem with your approach here.

Chris
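As an added example that is not part of the thread or either answer: a PowerShell audit of the two checks the answers describe (code signing EKU present, HasPrivateKey true) across the whole CurrentUser\My store, followed by signing and verifying a script. The function names are mine; it assumes Windows PowerShell 3.0 or later and uses the C:\temp\1.ps1 path from the question.

```powershell
# Added example, not from the original thread. Reports why a certificate in the store
# would be rejected by Set-AuthenticodeSignature, then signs and re-verifies a script.

function Get-CodeSigningCandidate {
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    $codeSigningOid = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning, the EKU makecert sets via -eku

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # 2.5.29.37 is the Enhanced Key Usage extension; .NET exposes it as a typed object
        $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $hasEku = $false
        if ($eku) {
            $hasEku = @($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $codeSigningOid }).Count -gt 0
        }
        [pscustomobject]@{
            Subject           = $cert.Subject
            Thumbprint        = $cert.Thumbprint
            HasPrivateKey     = $cert.HasPrivateKey   # without it nothing can be signed
            HasCodeSigningEku = $hasEku               # without it: "not suitable for code signing"
            Usable            = ($cert.HasPrivateKey -and $hasEku)
        }
    }
}

function Invoke-ScriptSigning {
    param(
        [Parameter(Mandatory)][string]$ScriptPath,
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $null = Set-AuthenticodeSignature -FilePath $ScriptPath -Certificate $Certificate -HashAlgorithm SHA256
    # Re-read from disk. 'Valid' means signed and the chain is trusted on this machine.
    # A non-Valid status with a signer still attached usually means the signature was written
    # but the root (the one makecert put in -ss Root) is not trusted here; 'NotSigned' means
    # nothing was written at all.
    Get-AuthenticodeSignature -FilePath $ScriptPath |
        Select-Object Status, StatusMessage, @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } }
}

# Choose the signer by its properties instead of taking @(...)[0], which grabs whatever
# certificate happens to be first in the store.
$candidates = Get-CodeSigningCandidate
$candidates | Format-Table Subject, HasPrivateKey, HasCodeSigningEku, Usable -AutoSize
$signer = $candidates | Where-Object { $_.Usable } | Select-Object -First 1
if (-not $signer) { throw 'No certificate in CurrentUser\My has both a private key and the code signing EKU.' }
Invoke-ScriptSigning -ScriptPath 'C:\temp\1.ps1' -Certificate (Get-Item "Cert:\CurrentUser\My\$($signer.Thumbprint)")
```

The table shows which of the two conditions a rejected certificate is missing, which separates the "no EKU" case in the accepted answer from the "no private key" case the question ran into with -sv.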