Self-Signed Script

  • General discussion

  • I want to sign a script with a self-signed certificate. I tried installing the .NET 2.0 SDK. I tried using New-SelfSignedCertificate. There are no step-by-step instructions for how to do this in the year 2016. 
    Saturday, October 29, 2016 1:45 AM

All replies

    1. Create a self-signed cert.  (This is really easy with IIS - selfssl.exe)  There are many websites that explain how to do this.
    2. Export it as a .pfx file with the private key
    3. Run: signtool.exe sign /f CodeSigning.pfx /p password /t http://timestamp.verisign.com/scripts/timstamp.dll scriptfile.ps1

    -Tony

    Saturday, October 29, 2016 2:21 AM
  • help signing

    help New-SelfSignedCertificate -full

    Just run the CmdLet when you live in 2016.  For the year 2006 use Tony's method.


    \_(ツ)_/

    Saturday, October 29, 2016 3:04 AM
  • Just run the CmdLet when you live in 2016.  For the year 2006 use Tony's method.


    \_(ツ)_/

    He did say .NET 2.0   (ツ)

    Old School:

    1. Use makecert.exe from the .NET 2.0 SDK to make the cert.  Or use IIS & selfssl.exe
    2. Use signtool.exe from .NET

    PowerShell (new school) method:

    1. Make cert with New-SelfSignedCertificate
    2. Sign file with Set-AuthenticodeSignature

    You'll find this site helpful: Signing PowerShell scripts

    It covers both methods.



    • Edited by Tony MCP Saturday, October 29, 2016 4:43 AM
    Saturday, October 29, 2016 4:42 AM
  • No - he said he installed the .NET 2 SDK, which tells us nothing about the version of PowerShell installed.


    \_(ツ)_/

    Saturday, October 29, 2016 4:51 AM
  • No - he said he installed the .NET 2 SDK, which tells us nothing about the version of PowerShell installed.


    \_(ツ)_/


    True. I reread his question and realized I misread the question.  Anyhow, hopefully one of us helped him.

    -Tony

    Saturday, October 29, 2016 4:53 AM
  • V2 cert generator script. Does not require SDK.

    https://gallery.technet.microsoft.com/scriptcenter/Self-signed-certificate-5920a7c6


    \_(ツ)_/

    Saturday, October 29, 2016 4:54 AM
    1. Create a self-signed cert.  (This is really easy with IIS - selfssl.exe)  There are many websites that explain how to do this.
    2. Export it as a .pfx file with the private key
    3. Run: signtool.exe sign /f CodeSigning.pfx /p password /t http://timestamp.verisign.com/scripts/timstamp.dll scriptfile.ps1

    -Tony


    I don't have IIS on Windows 10.

    help signing

    help New-SelfSignedCertificate -full

    Just run the CmdLet when you live in 2016.  For the year 2006 use Tony's method.


    \_(ツ)_/


    There is not a 1:1 correspondence between New-SelfSignedCertificate and makecert. For example, how would I detour around -sv root.pvk? I don't know how to make those accommodations. Also, there are no examples for code signing in New-SelfSignedCertificate's help. There are only examples for SSL, S/MIME, and client authentication. Just tacking on -TextExtension "2.5.29.37={text}1.3.6.1.5.5.7.3.3" is not enough. 

    Just run the CmdLet when you live in 2016.  For the year 2006 use Tony's method.


    \_(ツ)_/

    He did say .NET 2.0   (ツ)

    Old School:

    1. Use makecert.exe from the .NET 2.0 SDK to make the cert.  Or use IIS & selfssl.exe
    2. Use signtool.exe from .NET

    PowerShell (new school) method:

    1. Make cert with New-SelfSignedCertificate
    2. Sign file with Set-AuthenticodeSignature

    You'll find this site helpful: Signing PowerShell scripts

    It covers both methods.




    You can't install the .NET 2.0 SDK on Windows 10. Geoff's article is not helpful because it depends on having the .NET 2.0 SDK installed. 

    V2 cert generator script. Does not require SDK.

    https://gallery.technet.microsoft.com/scriptcenter/Self-signed-certificate-5920a7c6



    \_(ツ)_/

    I suppose I can use New-SelfSignedCertificateEx. But then what is the point of having New-SelfSignedCertificate in PowerShell 5.0?

    There are no step-by-step instructions for creating a code signing certificate with New-SelfSignedCertificate. You also need to convert Geoff's instructions about creating a root certificate so the code signing certificate actually works. 

    Saturday, October 29, 2016 11:57 PM
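The root-plus-code-signing flow asked about above, done only with the cmdlets shipped in Windows 10 / PowerShell 5 (an added example, not code from any poster in this thread). The subject names, file names and the use of the CurrentUser stores are assumptions chosen for illustration.

```powershell
# Added example. Subject names and paths below are placeholders, not values from the thread.
$store = 'Cert:\CurrentUser\My'

# 1. Self-signed root. It may only sign certificates/CRLs, is marked as a CA,
#    and its private key is not exportable (this takes the place of makecert's root.pvk).
$root = New-SelfSignedCertificate -Type Custom -Subject 'CN=Example Local Root' `
    -KeyUsage CertSign, CRLSign -KeyExportPolicy NonExportable `
    -TextExtension @('2.5.29.19={text}CA=true') `
    -CertStoreLocation $store -NotAfter (Get-Date).AddYears(5)

# 2. Code signing certificate issued by that root.
#    -Type CodeSigningCert adds the code signing EKU (1.3.6.1.5.5.7.3.3);
#    -Signer chains the new certificate to the root instead of self-signing it.
$signing = New-SelfSignedCertificate -Type CodeSigningCert `
    -Subject 'CN=Example Script Signing' -Signer $root `
    -KeyUsage DigitalSignature -KeyExportPolicy NonExportable `
    -CertStoreLocation $store -NotAfter (Get-Date).AddYears(2)

# 3. Trust the root for this user: export only the public certificate (.cer, no key)
#    and import it into the Trusted Root store. Windows may ask for confirmation.
$cer = Join-Path $env:TEMP 'ExampleLocalRoot.cer'
Export-Certificate -Cert $root -FilePath $cer | Out-Null
Import-Certificate -FilePath $cer -CertStoreLocation Cert:\CurrentUser\Root | Out-Null

# 4. Sign a scratch script (constructed here so the example is self-contained).
$script = Join-Path $env:TEMP 'Example-Signed.ps1'
Set-Content -Path $script -Value 'Write-Output "signed script ran"'
Set-AuthenticodeSignature -FilePath $script -Certificate $signing `
    -HashAlgorithm SHA256 | Out-Null

# 5. Verify. Status is Valid only if the chain ends in a trusted root (step 3);
#    editing the file after signing changes the status to HashMismatch.
Get-AuthenticodeSignature -FilePath $script |
    Format-List Status, StatusMessage, @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } }
```

Whoever can use the root's private key can issue code signing certificates that every machine trusting that root will accept, so trust the root only where needed and delete it from `Cert:\CurrentUser\My` once no further certificates have to be issued.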
  • On Windows 10 from an elevated prompt:

    Get-WindowsOptionalFeature -Online -FeatureName IIS-ManagementService

    To install

    Get-WindowsOptionalFeature -Online -FeatureName IIS-ManagementService | Enable-WindowsOptionalFeature -online -All


    \_(ツ)_/


    • Edited by jrv Sunday, October 30, 2016 12:16 AM
    Sunday, October 30, 2016 12:13 AM