Code Signing Certificate for all admins - Best Practices?

Answers

  • Hi,

    that is a very good point, and I double-checked it in the lab and against several resources from Microsoft. Because I wanted to be sure that I give you the correct and complete information this time, I ran some tests in the lab. The certificate for the digital signature of the PowerShell script must be installed in the Trusted Publishers certificate store, otherwise PowerShell will not accept it. The Root CA certificate of that certificate must also be installed in the Trusted Root Certification Authorities store. If you use a self-signed certificate it must be installed in both certificate stores. I think that is what you saw as well.

    Because your root ca certificate has already been distributed via GPO you need to add each certificate for code signing to the GPO under Trusted Publishers. Hope that helps you and sorry that my first answer was not correct.

    Regards,

    Lutz

    • Marked as answer by Casper83DK Wednesday, September 25, 2013 9:11 AM
    Wednesday, September 25, 2013 12:46 AM
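    The check below is an added diagnostic, not code from this thread or from Microsoft. It walks the two conditions Lutz describes (signer certificate in Trusted Publishers, chain root in Trusted Root Certification Authorities) for a signed script and reports which one is missing, which is the cause of the "is not trusted on your system" prompt from the follow-up question. It assumes the script path C:\Temp\Testing.ps1 from the question; the function name Test-ScriptPublisherTrust is my own.

    ```powershell
    # Added diagnostic (not from the thread): explains why a validly signed script
    # still triggers "not trusted on your system" under AllSigned/RemoteSigned.
    function Test-ScriptPublisherTrust {
        param(
            # Path assumed from the question; replace with your own signed script.
            [Parameter(Mandatory)][string]$ScriptPath
        )

        $sig = Get-AuthenticodeSignature -FilePath $ScriptPath
        "Signature status : $($sig.Status)"
        "Status message   : $($sig.StatusMessage)"

        if (-not $sig.SignerCertificate) {
            Write-Warning "No Authenticode signature found on $ScriptPath"
            return $false
        }

        $signer = $sig.SignerCertificate
        "Signer           : $($signer.Subject)"
        "Signer thumbprint: $($signer.Thumbprint)"

        # Build the chain locally (no revocation lookup) to identify the root CA
        # that issued the code-signing certificate.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $null = $chain.Build($signer)
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        "Chain root       : $($root.Subject)"

        # PowerShell consults both the machine and the user stores; a GPO-deployed
        # certificate lands in the LocalMachine store.
        $publisherStores = 'Cert:\LocalMachine\TrustedPublisher', 'Cert:\CurrentUser\TrustedPublisher'
        $rootStores      = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

        $inPublishers = foreach ($store in $publisherStores) {
            if (Get-ChildItem $store | Where-Object { $_.Thumbprint -eq $signer.Thumbprint }) { $store }
        }
        $inRoot = foreach ($store in $rootStores) {
            if (Get-ChildItem $store | Where-Object { $_.Thumbprint -eq $root.Thumbprint }) { $store }
        }

        if ($inRoot) {
            "Root found in    : $($inRoot -join ', ')"
        } else {
            Write-Warning "Root CA certificate is not in any Trusted Root store; the signature cannot chain to a trusted root."
        }

        if ($inPublishers) {
            "Signer found in  : $($inPublishers -join ', ')"
        } else {
            Write-Warning "Signer certificate is not in any Trusted Publishers store; PowerShell will prompt that the publisher is not trusted even though the signature is valid."
        }

        # Both stores must be satisfied for the script to run without a prompt.
        return [bool]($inRoot -and $inPublishers)
    }

    Test-ScriptPublisherTrust -ScriptPath 'C:\Temp\Testing.ps1'
    ```

    Run it as the user who will execute the script, because the CurrentUser stores differ per account. If it reports the root present but the signer absent, that matches the behaviour described in the thread: the fix is to publish the signing certificate into Trusted Publishers (for example via the same GPO that distributes the root), not to loosen the execution policy.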

All replies

  • Hi,

    as described in the article from the Scripting Guy, the certificates are issued by a certification authority. So you do not have to distribute the public certificate to all machines; just the root CA certificate is enough. Then every admin can request a certificate for code signing from this CA and start signing his PowerShell scripts.

    Because the certificate is like a signature under a contract, you do not want to use one certificate that everyone uses. But it depends on your goals.

    To answer your questions one by one:

    - Will this mean that every admin will have to request his own personal certificate and we will have to distribute all the personal certificates to all servers through GPOs? No, every admin requests his own certificate. Only the root CA certificate needs to be distributed to all machines. In AD this will happen automatically during the CA installation as Enterprise CA.

    - Do people normally use a service account to avoid multiple certificates? It depends on your goals. If you have one cert and you have key management etc., then you might be able to go with one certificate. E.g. a software company is signing all code with a corporate code signing certificate. But you do not want to give everyone in your company the signing key. If every admin writes his own PowerShell scripts and, for example, you want to verify whether the script from admin A was changed, but everyone has the signing key, you can't really verify if it was changed by admin A, B or C.

    - Can you somehow issue 1 certificate to the entire admin group for Code Signing? Yes, see your question about using a service account.

    - Or can you just distribute the Code Signing template to all servers in "Trusted Publishers" and get all issued certificates validated this way? No need for that because the trust will be established over the root CA.

    One more thing, it is very easy to overwrite the script execution policy.

    Hope that helps,

    Lutz

    • Proposed as answer by Yan Li_ Monday, September 23, 2013 5:18 AM
    Friday, September 20, 2013 11:26 PM
  • Thank you very much for your reply. I have 1 follow up question, before I mark your reply as the answer:

    We already have our Root CA certificate in the Trusted Root Certification Authorities folder on all our servers.

    When I sign the script it says that it is valid. I use these commands:

    # Pick the code-signing certificate from the current user's personal store
    $cert = (dir cert:\currentuser\my\ -CodeSigningCert)

    # Sign the script and countersign it with a timestamp (plain hyphen on -TimestampServer)
    Set-AuthenticodeSignature C:\Temp\Testing.ps1 $cert -TimestampServer http://timestamp.verisign.com/scripts/timstamp.dll

    However, when I try to run the script it still says: "File C:\Temp\Testing.ps1 is published by CN=AdminUsername, OU=Admins, DC=domain, DC=local and is not trusted on your system. Only run scripts from trusted publishers."

    Only if I import the certificate issued to me, in the trusted publishers folder, do I get to run the script.

    Am I missing something here?
    • Edited by Casper83DK Tuesday, September 24, 2013 5:41 AM
    Tuesday, September 24, 2013 5:37 AM