
PowerShell script signing with a personal certificate created by makecert

Hi all,

I use a tool called "makecert" to make a root certificate and a personal certificate as follows:

Root Cert: makecert -n "CN=ROOT CERTIFICATE" -a sha1 -eku -r -sv root.pvk root.cer -ss Root

Then I tried to create a personal cert. to be used for signing a PowerShell script

Personal Cert: makecert -n "CN=PERSONAL CERTIFICATE" -ss MY -a sha1 -eku -iv root.pvk -ic root.cer -sv personal.cer

When I tried to sign a PowerShell script using the newly created certificate, I got this error:

PS C:\temp> Set-AuthenticodeSignature 1.ps1 @(get-childitem cert:\CurrentUser\My

Set-AuthenticodeSignature : Cannot sign code. The specified certificate is not
suitable for code signing.

I have a query about whether it is mandatory to embed the private key inside the personal certificate.

I could sign my powershell script if I do not save the private key file when making a personal certificate as follows:

makecert -n "CN=PERSONAL CERTIFICATE" -ss MY -a sha1 -eku -iv root.pvk -ic root.cer
(with the -sv option removed).

Please clarify. Thanks a lot.

That error indicates that the certificate is not marked as usable to sign code. Certificates contain within them the things they are allowed to be used for.
Look through this article: http://stackoverflow.com/questions/84847/how-do-i-create-a-self-signed-certificate-for-code-signing-on-windows
This should get you through the current problem.

If you are going to sign a device driver or install package with the intent of installing onto newer Windows boxes, a self-signed cert will not work without serious re-config of the target OS. MS has made it extremely difficult to install stuff that was not signed by a major vendor.
Chris Dent, PowerShell Developer
Top Expert 2010

Make sure the certificate really has the code signing EKU on it perhaps?
(@(get-childitem cert:\CurrentUser\My


You'll need the private key to sign, so also check for the "HasPrivateKey" property on the certificate. You won't need anyone else to have the private key (unless you also wish them to sign using that certificate).

You know you can probably get much the same result using certreq if you add the Code Signing EKU into the information file when you create the certificate.

Ultimately as long as you can publish your key chain into the right places I see no problem with your approach here.
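A check along the lines Chris Dent describes, as an added PowerShell example that is not from the original thread: it lists which certificates in Cert:\CurrentUser\My carry the Code Signing EKU and a private key, signs the script with the first usable one, and then reads the signature back. The path C:\temp\1.ps1 is taken from the question; the function name Test-CodeSigningCert is an assumption.

```powershell
# Added example (not from the original thread): find a certificate in the current
# user's personal store that is actually usable for Authenticode signing, sign a
# script with it and verify the result. Test-CodeSigningCert is an assumed name;
# the script path is the one from the question.
$CodeSigningOid = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning

function Test-CodeSigningCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Collect every OID listed in the Enhanced Key Usage extension, if present.
    $ekuOids = @()
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $ekuOids += $oid.Value }
        }
    }

    [pscustomobject]@{
        Thumbprint        = $Cert.Thumbprint
        Subject           = $Cert.Subject
        HasCodeSigningEku = ($ekuOids -contains $CodeSigningOid)
        HasPrivateKey     = $Cert.HasPrivateKey        # needed to produce the signature
        NotExpired        = ($Cert.NotAfter -gt (Get-Date))
    }
}

$ScriptPath = 'C:\temp\1.ps1'

# Report on every cert in the personal store so the unsuitable ones are visible.
$report = Get-ChildItem Cert:\CurrentUser\My | ForEach-Object { Test-CodeSigningCert $_ }
$report | Format-Table -AutoSize

$usable = $report |
    Where-Object { $_.HasCodeSigningEku -and $_.HasPrivateKey -and $_.NotExpired } |
    Select-Object -First 1
if (-not $usable) {
    throw "No certificate in Cert:\CurrentUser\My carries the Code Signing EKU ($CodeSigningOid) together with a private key."
}

$cert = Get-Item "Cert:\CurrentUser\My\$($usable.Thumbprint)"
$null = Set-AuthenticodeSignature -FilePath $ScriptPath -Certificate $cert

# Re-read the signature independently. Status is 'Valid' only when the chain is
# trusted, which for a makecert root means root.cer is in the Trusted Root store.
$check = Get-AuthenticodeSignature -FilePath $ScriptPath
"{0}: {1} (signer {2})" -f $ScriptPath, $check.Status, $check.SignerCertificate.Subject
```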