User certificate validity time and PowerShell script signing.

  • Question

  • Hello,

    I recently came across a problem.
    A year ago I signed the first PowerShell script in our company using the Code Signing Certificate on the user and the command Set-AuthenticodeSignature "script.ps1" @(Get-ChildItem cert:\CurrentUser\My -codesign)[0].
    The script was then sent to the appropriate computers.
    The GPO for computers is Execution Policy: Allow local scripts and remote signed scripts.
    In that month, there was a problem using this script.
    It turned out that the Code Signing Certificate generated for my user had expired, which meant that all the scripts that I had signed could not be started.
    He had to regenerate a new certificate for my user and re-sign all PowerShell scripts to make them executable.
    I was looking for an answer on how to solve this problem so that the scripts signed in the company keep working even after the user's Code Signing Certificate expires, but I could not find a solution.
    How can this problem be solved?
    22/Safar/1441 06:32 AM

All replies

  • If you are using Code Signing on your scripts, you have to re-sign then redeploy the scripts after the certificate expires. If you have the ability to do so, it's a good idea to enroll the code-signing certs with a very long validity period (preferably for as long as the script is likely to be in use on the computers it's deployed to). Code-signing doesn't suffer from the same vulnerabilities associated to key aging that PKI-based encryption does, so having a very long validity period is a standard practice except in extremely high-security environments. Most organizations that aren't under compliance systems that require code verification mechanisms tend to skip code-signing in general.

    In answer to your question, though, there's no way to ensure that signed scripts work after cert expiration. Expiration invalidates the certificate, which in turn invalidates the signature, which causes PowerShell to flag the script as suspect when you are using an execution policy that requires signing. If you're using the remote-signed execution policy, deploying the scripts to computers should allow those scripts to be used without signing, but signed scripts will still fail if outside validity.

    22/Safar/1441 11:07 PM
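    The workflow the question and the reply describe (find scripts whose signing certificate has expired, then re-sign them with the user's current certificate) can be scripted so that expiry is caught before deployed scripts stop running. The following is an added example, not code from the thread or from Microsoft; it assumes the deployed scripts live under a caller-supplied folder, that the user holds a code-signing certificate with a private key in Cert:\CurrentUser\My (the same store the question's command uses), and that the timestamp server URL, if one is passed, is a placeholder the caller replaces.

    ```powershell
    # Added example (not from the thread). Reports the Authenticode status and
    # signer-certificate expiry of every .ps1 under $ScriptRoot, then re-signs
    # the ones that are invalid or whose signer certificate expires soon.
    # $ScriptRoot and $TimestampServer are placeholders supplied by the caller.

    function Get-ScriptSignatureReport {
        param(
            [Parameter(Mandatory)] [string] $ScriptRoot,
            [int] $WarnDays = 30   # flag certificates expiring within this many days
        )
        Get-ChildItem -Path $ScriptRoot -Filter *.ps1 -Recurse -File | ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $cert = $sig.SignerCertificate
            [pscustomobject]@{
                Script      = $_.FullName
                Status      = $sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, ...
                StatusText  = $sig.StatusMessage
                Signer      = if ($cert) { $cert.Subject }  else { $null }
                NotAfter    = if ($cert) { $cert.NotAfter } else { $null }
                DaysLeft    = if ($cert) { [int]($cert.NotAfter - (Get-Date)).TotalDays } else { $null }
                # Re-sign when the signature is not Valid, or the signer cert is past/near expiry.
                NeedsResign = ($sig.Status -ne 'Valid') -or
                              ($cert -and $cert.NotAfter -lt (Get-Date).AddDays($WarnDays))
            }
        }
    }

    function Get-CurrentCodeSigningCert {
        # Pick the currently valid code-signing cert with the longest remaining life.
        $now = Get-Date
        Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
            Where-Object { $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now } |
            Sort-Object NotAfter -Descending |
            Select-Object -First 1
    }

    function Update-ScriptSignatures {
        param(
            [Parameter(Mandatory)] [string] $ScriptRoot,
            [string] $TimestampServer,   # optional RFC 3161 URL; placeholder, set by the caller
            [int] $WarnDays = 30
        )
        $cert = Get-CurrentCodeSigningCert
        if (-not $cert) {
            throw 'No currently valid code-signing certificate with a private key in Cert:\CurrentUser\My'
        }
        Get-ScriptSignatureReport -ScriptRoot $ScriptRoot -WarnDays $WarnDays |
            Where-Object NeedsResign |
            ForEach-Object {
                $params = @{ FilePath = $_.Script; Certificate = $cert; HashAlgorithm = 'SHA256' }
                if ($TimestampServer) { $params.TimestampServer = $TimestampServer }
                $result = Set-AuthenticodeSignature @params
                [pscustomobject]@{ Script = $_.Script; OldStatus = $_.Status; NewStatus = $result.Status }
            }
    }

    # Usage (paths and URL are placeholders):
    # Get-ScriptSignatureReport -ScriptRoot 'C:\Deploy\Scripts' |
    #     Format-Table Script, Status, NotAfter, DaysLeft, NeedsResign
    # Update-ScriptSignatures -ScriptRoot 'C:\Deploy\Scripts' -TimestampServer 'http://timestamp.example.invalid'
    ```

    Running the report on a schedule, with WarnDays set to the length of the deployment cycle, turns the surprise described in the question into a planned re-sign-and-redeploy step before the old certificate lapses. The optional -TimestampServer parameter of Set-AuthenticodeSignature records a countersigned signing time; the re-signed files are then redeployed exactly as the reply recommends.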
  • Hi Kamil, 

    For script issue, please contact script team with the following link:

    Script support:

    https://social.technet.microsoft.com/Forums/en-US/home?forum=ITCG

    Bests,


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by Joy-Qiao 23/Safar/1441 01:41 AM
    23/Safar/1441 01:41 AM
  • Hi Kamil, 

    Not sure if my redirect information is useful for you. If you got answer or got any useful information from script forum, please mark my redirect as answer to help others find the correct way. If you have not performed any action on script forum, please paste your thread there to get the resolved more quickly. 

    Bests, 



    24/Safar/1441 06:33 AM