If you’d like to digitally sign your scripts, the first thing you need is a digital certificate whose designated purpose (Enhanced Key Usage) is “Code Signing”. To experiment, you can easily create your own free self-signed certificates. Don’t expect anyone else to trust them, as anyone can create them, but they are a great way to test-drive code signing.
Beginning in PowerShell 4, the cmdlet New-SelfSignedCertificate (part of the Windows PKI module, so Windows only) can create code signing certificates for you. The code below creates the certificate in your personal store, exports it to a password-protected PFX file that contains both the private key and the public certificate, and then removes it from the store again so that only the PFX file remains:
#requires -Version 5

# this is where the cert file will be saved
$Path = "$env:temp\codeSignCert.pfx"

# you'll need this password to load the PFX file later
$Password = Read-Host -Prompt 'Enter new password to protect certificate' -AsSecureString

# create cert, export to file, then delete it from the store again
# 2.5.29.37 is the Enhanced Key Usage extension, 1.3.6.1.5.5.7.3.3 is the Code Signing purpose
$cert = New-SelfSignedCertificate -KeyUsage DigitalSignature -KeySpec Signature -FriendlyName 'IT Sec Department' -Subject 'CN=SecurityDepartment' -KeyExportPolicy ExportableEncrypted -CertStoreLocation Cert:\CurrentUser\My -NotAfter (Get-Date).AddYears(5) -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.3')
$cert | Export-PfxCertificate -Password $Password -FilePath $Path
$cert | Remove-Item
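Before relying on the file, it is worth reloading it and checking that it really is usable for code signing. The check below is an added example, not part of the original tip; it assumes the $Path and $Password variables from the script above are still defined in the session.

```powershell
# Added example: reload the exported PFX and verify it is fit for code signing.
# Assumes $Path (PFX location) and $Password (SecureString) from the script above.
$reloaded = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path, $Password

# id-kp-codeSigning, the same OID requested via -TextExtension above.
# Set-AuthenticodeSignature only accepts certificates that carry this EKU.
$codeSigningOid = '1.3.6.1.5.5.7.3.3'

# Enhanced Key Usage extension must list Code Signing
$ekuExt = $reloaded.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasCodeSigningEku = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $codeSigningOid })

# Key Usage extension must carry the DigitalSignature bit requested with -KeyUsage
$kuExt = $reloaded.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
$hasDigitalSignature = [bool]($kuExt.KeyUsages -band [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature)

# Build the trust chain. A self-signed certificate only chains to a trusted root
# on machines where you deliberately imported it into Trusted Root / Trusted Publishers.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # self-signed cert has no CRL, keep the check offline
$chainOk = $chain.Build($reloaded)
$chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

[PSCustomObject]@{
    Subject            = $reloaded.Subject
    Thumbprint         = $reloaded.Thumbprint
    HasPrivateKey      = $reloaded.HasPrivateKey      # must be True, or the PFX cannot sign anything
    CodeSigningEku     = $hasCodeSigningEku           # must be True
    DigitalSignatureKU = $hasDigitalSignature         # must be True
    NotAfter           = $reloaded.NotAfter
    ChainTrusted       = $chainOk
    ChainStatus        = if ($chainOk) { 'OK' } else { $chainStatus }
}
```

For a freshly created self-signed certificate, expect ChainTrusted to be False with a status of UntrustedRoot: that is the “nobody else trusts it” point from above, and the reason signatures made with it only verify on machines where you have imported the certificate yourself.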
In the upcoming tips, we’ll take a look at what you can do with the newly created certificate.