We wrapped the details in an easy-to-use function called New-CodeSigningCert. It creates a new self-signed code-signing certificate and either leaves it in your personal certificate store or exports it as a password-protected pfx file.
function New-CodeSigningCert
{
    [CmdletBinding(DefaultParametersetName="__AllParameterSets")]
    param
    (
        [Parameter(Mandatory)]
        [String]
        $FriendlyName,

        [Parameter(Mandatory)]
        [String]
        $Name,

        # -Password and -FilePath belong to the "Export" parameter set:
        # specify them to get a pfx file instead of a store certificate
        [Parameter(Mandatory,ParameterSetName="Export")]
        [SecureString]
        $Password,

        [Parameter(Mandatory,ParameterSetName="Export")]
        [String]
        $FilePath,

        # copy the certificate to the trusted root store as well
        [Switch]
        $Trusted
    )

    # create a self-signed certificate with the Code Signing EKU (1.3.6.1.5.5.7.3.3)
    # in the personal store, valid for five years
    $cert = New-SelfSignedCertificate -KeyUsage DigitalSignature -KeySpec Signature -FriendlyName $FriendlyName -Subject "CN=$Name" -KeyExportPolicy ExportableEncrypted -CertStoreLocation Cert:\CurrentUser\My -NotAfter (Get-Date).AddYears(5) -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.3')

    if ($Trusted)
    {
        # add a copy to the trusted root authorities of the current user
        $Store = New-Object system.security.cryptography.X509Certificates.x509Store("Root", "CurrentUser")
        $Store.Open("ReadWrite")
        $Store.Add($cert)
        $Store.Close()
    }

    $parameterSet = $PSCmdlet.ParameterSetName.ToLower()
    if ($parameterSet -eq "export")
    {
        # export the certificate (including its private key) to a pfx file,
        # remove it from the personal store, and show the file in Explorer
        $cert | Export-PfxCertificate -Password $Password -FilePath $FilePath
        $cert | Remove-Item
        explorer.exe /select,$FilePath
    }
    else
    {
        $cert
    }
}
Here is how you create a code-signing certificate as pfx file:
PS> New-CodeSigningCert -FriendlyName 'Tobias Code-Signing Test Cert' -Name TobiasCS -FilePath "$home\desktop\myCert.pfx"
You will be prompted for a password that is used to protect the pfx file. Remember the password; you’ll need it when you import the pfx file later.
And here is how you create a code-signing certificate in your personal certificate store:
PS> New-CodeSigningCert -FriendlyName 'Tobias Code-Signing Test Cert' -Name TobiasCS -Trusted
With this call, your certificate now resides on your cert: drive, and you can view it like so:
PS C:\> dir Cert:\CurrentUser\my
Likewise, you can manage it by opening your certificate store:
PS C:\> certmgr.msc
Join us in the following tips to see what you now can do with your code-signing cert!
Note that self-signed certificates are not considered trustworthy unless they are copied to the container for trusted root authorities. This is done automatically for you when you use the -Trusted switch parameter.
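To confirm that a certificate produced by either call above is actually usable for code signing, the following added example (not part of the original tip) looks the certificate up, checks that it carries the Code Signing enhanced key usage, and builds its chain, which only succeeds for a self-signed certificate once a copy sits in the trusted root store. The function name Test-CodeSigningCert and its parameters are assumptions of this example; the subject TobiasCS and the pfx path match the calls shown above.

```powershell
# Added example, not code from the original tip.
# Inspect a self-signed code-signing certificate and report whether it is
# usable for signing and whether Windows currently trusts it.
function Test-CodeSigningCert
{
    [CmdletBinding(DefaultParameterSetName="Store")]
    param
    (
        # subject name used with New-CodeSigningCert -Name
        [Parameter(Mandatory, ParameterSetName="Store")]
        [string] $Name,

        # alternatively, inspect an exported pfx file
        [Parameter(Mandatory, ParameterSetName="Pfx")]
        [string] $PfxPath,

        [Parameter(Mandatory, ParameterSetName="Pfx")]
        [SecureString] $Password
    )

    $codeSigningOid = '1.3.6.1.5.5.7.3.3'

    if ($PSCmdlet.ParameterSetName -eq 'Pfx')
    {
        # load the certificate (and private key) from the pfx file
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $Password)
    }
    else
    {
        # pick the newest certificate with that subject from the personal store
        $cert = Get-ChildItem Cert:\CurrentUser\My |
            Where-Object Subject -eq "CN=$Name" |
            Sort-Object NotAfter -Descending |
            Select-Object -First 1
        if (-not $cert)
        {
            throw "No certificate with subject CN=$Name found in Cert:\CurrentUser\My"
        }
    }

    # EKU check: the Code Signing purpose must be present in the extension
    $ekuExtension = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasCodeSigningEku = [bool]($ekuExtension.EnhancedKeyUsages.Value -contains $codeSigningOid)

    # chain check: Build() returns $false for a self-signed certificate whose
    # copy was not added to the trusted root store (no -Trusted switch)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $isTrusted = $chain.Build($cert)
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    if (-not $status) { $status = 'OK' }

    [pscustomobject]@{
        Subject           = $cert.Subject
        Thumbprint        = $cert.Thumbprint
        HasPrivateKey     = $cert.HasPrivateKey
        HasCodeSigningEku = $hasCodeSigningEku
        Trusted           = $isTrusted
        ChainStatus       = $status
        NotAfter          = $cert.NotAfter
    }
}

# certificate created in the personal store with -Trusted
Test-CodeSigningCert -Name TobiasCS

# certificate exported as pfx (prompts for the pfx password)
Test-CodeSigningCert -PfxPath "$home\desktop\myCert.pfx" -Password (Read-Host -AsSecureString 'pfx password')
```

For the store variant created with -Trusted, Trusted is expected to be True and ChainStatus OK; for the pfx variant, the certificate was removed from the personal store after export, so unless -Trusted was also used, Build() fails with an UntrustedRoot status, which is the situation the note above describes.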