ee_lcpaa asked:
PowerShell script signing with a personal certificate created by makecert

Hi all,

I use a tool called "makecert" to make a root certificate and a personal certificate as follows:

Root Cert: makecert -n "CN=ROOT CERTIFICATE" -a sha1 -eku 1.3.6.1.5.5.7.3.3 -r -sv root.pvk root.cer -ss Root

Then I tried to create a personal certificate to be used for signing a PowerShell script:

Personal Cert: makecert -n "CN=PERSONAL CERTIFICATE" -ss MY -a sha1 -eku 1.3.6.1.5.5.7.3.3 -iv root.pvk -ic root.cer -sv personal.cer


When I tried to sign a PowerShell script using the newly created certificate, I got this error:

********************************************************************************
PS C:\temp> Set-AuthenticodeSignature 1.ps1 @(get-childitem cert:\CurrentUser\My)[0]

Set-AuthenticodeSignature : Cannot sign code. The specified certificate is not
suitable for code signing.
********************************************************************************


I have a query: is it mandatory to embed the private key inside the personal certificate?

I could sign my PowerShell script if I do not save the private key file when making a personal certificate, as follows:

makecert -n "CN=PERSONAL CERTIFICATE" -ss MY -a sha1 -eku 1.3.6.1.5.5.7.3.3 -iv root.pvk -ic root.cer
(with the -sv option removed).

Please clarify. Thanks a lot.
ASKER CERTIFIED SOLUTION
Beartlaoi
(This solution is only available to members of Experts Exchange.)
Chris Dent:
Make sure the certificate really has the code signing EKU on it perhaps?
(@(get-childitem cert:\CurrentUser\My)[0]).Extensions['2.5.29.37'].EnhancedKeyUsages


You'll need the private key to sign, so also check for the "HasPrivateKey" property on the certificate. You won't need anyone else to have the private key (unless you also wish them to sign using that certificate).

You know you can probably get much the same result using certreq if you add the Code Signing EKU into the information file when you create the certificate.

Ultimately as long as you can publish your key chain into the right places I see no problem with your approach here.

Chris
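An added worked example, written by the editor and not code from the asker or from Chris, that covers both the failure in the question and the two checks plus the certreq route suggested in the answer above. It diagnoses every certificate in Cert:\CurrentUser\My for the Code Signing EKU and a reachable private key (the two things Set-AuthenticodeSignature needs), then creates a self-signed code-signing certificate with certreq using an .inf that carries the Code Signing EKU, signs a script with it, and reads the signature back. For context on the question: makecert's -sv names the subject's .pvk private-key file, so the point of the HasPrivateKey check is to see whether the store copy of the certificate can actually reach its key. Assumptions: the subject CN=PERSONAL CERTIFICATE and the file name 1.ps1 are taken from the question; codesign.inf and codesign.cer under $env:TEMP, and the .inf contents, are the editor's own choices. Run on Windows PowerShell 3.0 or later.

```powershell
# Added example (editor's code, not from the original thread). Assumed names:
# 'CN=PERSONAL CERTIFICATE' and '1.ps1' come from the question; the .inf/.cer
# paths under $env:TEMP are my own.
$ErrorActionPreference = 'Stop'
$CodeSigningOid = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning
$Subject        = 'CN=PERSONAL CERTIFICATE'

# The two conditions a signing certificate must meet: the Code Signing EKU
# (extension 2.5.29.37) and a private key reachable from the store entry.
function Test-CodeSigningCert {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $ekuExt = $Certificate.Extensions['2.5.29.37']
    $hasEku = [bool]($ekuExt -and ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $CodeSigningOid }))
    [pscustomobject]@{
        Subject           = $Certificate.Subject
        Thumbprint        = $Certificate.Thumbprint
        HasCodeSigningEku = $hasEku
        HasPrivateKey     = $Certificate.HasPrivateKey
        UsableForSigning  = ($hasEku -and $Certificate.HasPrivateKey)
    }
}

# 1. Diagnose what is already in the personal store. A certificate that gives
#    "not suitable for code signing" will show HasPrivateKey = False or
#    HasCodeSigningEku = False here.
Get-ChildItem Cert:\CurrentUser\My | ForEach-Object { Test-CodeSigningCert $_ } | Format-Table -AutoSize

# 2. Create a self-signed code-signing certificate with certreq.
#    RequestType = Cert makes certreq issue the certificate itself (no CA) and
#    place it, together with its private key, in Cert:\CurrentUser\My.
$infPath = Join-Path $env:TEMP 'codesign.inf'
$cerPath = Join-Path $env:TEMP 'codesign.cer'
@"
[NewRequest]
Subject = "$Subject"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
KeyUsage = 0x80
MachineKeySet = false
Exportable = true
RequestType = Cert

[EnhancedKeyUsageExtension]
OID = $CodeSigningOid
"@ | Set-Content -Path $infPath -Encoding ASCII
certreq -new $infPath $cerPath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# 3. Select the new certificate by subject, but only if both checks pass.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq $Subject -and (Test-CodeSigningCert $_).UsableForSigning } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "No usable code-signing certificate for $Subject in Cert:\CurrentUser\My" }

# 4. Sign a script and read the signature back.
$scriptPath = Join-Path $env:TEMP '1.ps1'
'Write-Output "signed test script"' | Set-Content -Path $scriptPath -Encoding UTF8
$sig = Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $cert -HashAlgorithm SHA256
"Signer: {0}" -f $sig.SignerCertificate.Subject
"Status: {0} ({1})" -f $sig.Status, $sig.StatusMessage
```

Signing succeeds as soon as the certificate passes both checks, but the Status printed at the end will only be Valid once a chain can be built to a trusted root, which is Chris's last point: for a self-signed certificate that means placing it (or the root that issued it) in the Trusted Root Certification Authorities store and, for AllSigned execution policy, in Trusted Publishers as well, on every machine that should run the script.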