Creating New Code Signing Test Certificates

by Nov 2, 2022

PowerShell comes with a cmdlet named New-SelfSignedCertificate which can create all kinds of self-signed test certificates. However, it is not intuitive to use it to create certificates for PowerShell code signing, let alone to make a test certificate trusted on a test machine.

That's why here you find a function that wraps the cmdlet and makes it much easier to create code signing certificates, either persistent in the certificate store or exported to a password-protected PFX file:

function New-CodeSigningCert
{
  [CmdletBinding(DefaultParametersetName="__AllParameterSets")]
  param
  (
    # display name shown in the certificate store
    [Parameter(Mandatory)]
    [String]
    $FriendlyName,

    # becomes the certificate subject "CN=<Name>"
    [Parameter(Mandatory)]
    [String]
    $Name,

    # password protecting the exported PFX file (Export parameter set only)
    [Parameter(Mandatory,ParameterSetName="Export")]
    [SecureString]
    $Password,

    # path of the PFX file to write (Export parameter set only)
    [Parameter(Mandatory,ParameterSetName="Export")]
    [String]
    $FilePath,

    # also add the certificate to the current user's Trusted Root store
    [Switch]
    $Trusted
  )

  # create new cert in the current user's personal store:
  # - key usage DigitalSignature plus the Code Signing EKU (1.3.6.1.5.5.7.3.3),
  #   set through extension 2.5.29.37; without it Set-AuthenticodeSignature
  #   will not accept the certificate
  # - exportable (encrypted) private key so it can later be written to a PFX
  # - valid for 5 years
  $certParams = @{
    KeyUsage          = 'DigitalSignature'
    KeySpec           = 'Signature'
    FriendlyName      = $FriendlyName
    Subject           = "CN=$Name"
    KeyExportPolicy   = 'ExportableEncrypted'
    CertStoreLocation = 'Cert:\CurrentUser\My'
    NotAfter          = (Get-Date).AddYears(5)
    TextExtension     = @('2.5.29.37={text}1.3.6.1.5.5.7.3.3')
  }
  $cert = New-SelfSignedCertificate @certParams

  if ($Trusted)
  {
    # add a copy to the current user's Trusted Root store so that signatures
    # made with this cert verify as Valid on this machine
    # (Windows shows a confirmation dialog before adding a root certificate)
    $Store = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", "CurrentUser")
    $Store.Open("ReadWrite")
    $Store.Add($cert)
    $Store.Close()
  }

  $parameterSet = $PSCmdlet.ParameterSetName.ToLower()

  if ($parameterSet -eq "export")
  {
    # export cert plus private key to a password-protected PFX file,
    # then remove it from the personal store and show the file in Explorer
    $cert | Export-PfxCertificate -Password $Password -FilePath $FilePath

    $cert | Remove-Item
    explorer.exe /select,$FilePath
  }
  else
  {
    # persistent mode: return the certificate that now lives in Cert:\CurrentUser\My
    $cert
  }
}
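Here is an added usage example (not part of the original post) that calls the function above to create a trusted test certificate, signs a throwaway script with it, verifies the signature, and removes the certificate from both stores again; the friendly name, subject name and temp file path are made-up values.

```powershell
# Added example, not from the original post. Assumes New-CodeSigningCert from
# above is already defined in this session; names and paths are made up.

# Create the cert in Cert:\CurrentUser\My and, via -Trusted, a copy in
# Cert:\CurrentUser\Root (Windows asks for confirmation for the Root store).
$cert = New-CodeSigningCert -FriendlyName 'PS Test Signing' -Name 'ps-test-signing' -Trusted

# Check 1: the certificate provider recognises it as a code signing cert,
# i.e. the Code Signing EKU set through -TextExtension is really present.
$found = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
  Where-Object Thumbprint -eq $cert.Thumbprint
if (-not $found) { throw 'Certificate is not recognised as a code signing certificate' }

# Check 2: sign a throwaway script and verify the signature.
# Status is Valid only because the Root copy is trusted; without -Trusted the
# file is still signed but Get-AuthenticodeSignature reports UnknownError
# (chain terminates in an untrusted root).
$scriptPath = Join-Path $env:TEMP 'codesign-test.ps1'
Set-Content -Path $scriptPath -Value "'hello from a signed script'"
$null = Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $cert
$signature = Get-AuthenticodeSignature -FilePath $scriptPath
if ($signature.Status -ne 'Valid') { throw "Unexpected signature status: $($signature.Status)" }
"Signed by $($signature.SignerCertificate.Subject), status $($signature.Status)"

# Clean up: a self-signed cert in the Root store makes everything signed with
# its key trusted on this machine, so remove it from both stores when done.
Get-ChildItem Cert:\CurrentUser\My, Cert:\CurrentUser\Root |
  Where-Object Thumbprint -eq $cert.Thumbprint |
  Remove-Item
Remove-Item $scriptPath
```

Run it in a Windows PowerShell session on the test machine; the Trusted Root store addition is per user, so no elevation is needed.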
