ee_lcpaa
asked on
PowerShell script signing with a personal certificate created by makecert
Hi all,
I use a tool called "makecert" to make a root certificate and a personal certificate as follows:
Root Cert: makecert -n "CN=ROOT CERTIFICATE" -a sha1 -eku 1.3.6.1.5.5.7.3.3 -r -sv root.pvk root.cer -ss Root
Then I tried to create a personal cert. to be used for signing a PowerShell script
Personal Cert: makecert -n "CN=PERSONAL CERTIFICATE" -ss MY -a sha1 -eku 1.3.6.1.5.5.7.3.3 -iv root.pvk -ic root.cer -sv personal.cer
When I tried to sign a PowerShell script using the newly created certificate, I got this error
**************************
PS C:\temp> Set-AuthenticodeSignature 1.ps1 @(get-childitem cert:\CurrentUser\My)[0]
Set-AuthenticodeSignature : Cannot sign code. The specified certificate is not
suitable for code signing.
**************************
I have a query if it is mandatory to embed the private key inside the personal certificate.
I could sign my PowerShell script if I do not save the private key file when making a personal certificate as follows:
"makecert -n "CN=PERSONAL CERTIFICATE" -ss MY -a sha1 -eku 1.3.6.1.5.5.7.3.3 -iv root.pvk -ic root.cer"
(with the -sv option removed).
Please clarify. Thanks a lot.
You'll need the private key to sign, so also check for the "HasPrivateKey" property on the certificate. You won't need anyone else to have the private key (unless you also wish them to sign using that certificate). You know you can probably get much the same result using certreq if you add the Code Signing EKU into the information file when you create the certificate.
Ultimately as long as you can publish your key chain into the right places I see no problem with your approach here.
Chris
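The following is an added example, not code from the question or from Chris's answer. It applies the two checks the thread turns on, the Code Signing EKU (1.3.6.1.5.5.7.3.3) and the HasPrivateKey property, to every certificate in Cert:\CurrentUser\My, so that a certificate whose private key never made it into the store (the symptom behind "not suitable for code signing") is visible before Set-AuthenticodeSignature is called. It then signs the script from the question and verifies the result. The script path C:\temp\1.ps1 and the store path are taken from the question; the helper names are assumptions made here.

```powershell
# Added example: audit the personal store for code-signing suitability, then sign.
# Assumes the script to sign is C:\temp\1.ps1 (path from the question) and that the
# self-made root was placed in the Root store, as the question's first makecert did.

$CodeSigningEku = '1.3.6.1.5.5.7.3.3'

function Get-CodeSigningReadiness {
    # One row per certificate in the store, with the reasons signing would fail.
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Read the EKU extension with the .NET API rather than relying on display strings.
        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $ekus = @()
        if ($ekuExt) { $ekus = $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value } }

        $hasEku  = $ekus -contains $CodeSigningEku
        $hasKey  = $cert.HasPrivateKey            # false when the key only exists in a .pvk file
        $current = $cert.NotAfter -gt (Get-Date)

        [pscustomobject]@{
            Subject        = $cert.Subject
            Thumbprint     = $cert.Thumbprint
            CodeSigningEku = $hasEku
            HasPrivateKey  = $hasKey
            NotExpired     = $current
            Usable         = ($hasEku -and $hasKey -and $current)
        }
    }
}

function Invoke-ScriptSigning {
    # Pick the first usable certificate and sign; fail loudly instead of letting
    # Set-AuthenticodeSignature report a generic "not suitable" error.
    param(
        [Parameter(Mandatory)][string]$ScriptPath,
        [string]$StorePath = 'Cert:\CurrentUser\My'
    )

    $readiness = Get-CodeSigningReadiness -StorePath $StorePath
    $readiness | Format-Table Subject, CodeSigningEku, HasPrivateKey, NotExpired, Usable -AutoSize | Out-String | Write-Host

    $pick = $readiness | Where-Object Usable | Select-Object -First 1
    if (-not $pick) {
        throw "No certificate in $StorePath has the Code Signing EKU, a private key and a valid date range."
    }

    $signer = Get-Item -Path (Join-Path $StorePath $pick.Thumbprint)
    $result = Set-AuthenticodeSignature -FilePath $ScriptPath -Certificate $signer

    # Re-read the signature: Status is 'Valid' only if the chain up to the root is trusted
    # on this machine, which is why the root certificate has to live in the Root store.
    Get-AuthenticodeSignature -FilePath $ScriptPath |
        Select-Object Status, StatusMessage, @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } }
}

Invoke-ScriptSigning -ScriptPath 'C:\temp\1.ps1'
```

If the audit table shows the personal certificate with CodeSigningEku true but HasPrivateKey false, the certificate itself is fine and it is the key association in the store that is missing, which matches the difference between the two makecert invocations in the question. Keep the root's private key (root.pvk) off the machines that merely need to verify signatures; they only need root.cer in their Root store.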