We don't have a PKI infrastructure at my current job, and I like to keep my PowerShell scripts on my network drive. So I needed a way to run my .ps1 files off a network drive. Setting Set-ExecutionPolicy to Unrestricted seemed like a bad idea. So I looked into using a signed script and setting Set-ExecutionPolicy to RemoteSigned. I could not justify $300 to buy a trusted third-party cert, so I looked at makecert.exe from the Windows SDK.
First step: make the Root CA cert, private key, and pfx.
- makecert -n "CN=RootName" -a sha1 -eku 1.3.6.1.5.5.7.3.3 -r -sv Root.pvk Root.cer
- pvk2pfx.exe -pvk Root.pvk -spc Root.cer -pfx Root.pfx -pi password
makecert and pvk2pfx can be found in the Windows SDK or in the Visual Studio bin directory. The first command produces a private key (.pvk) and a self-signed certificate (.cer); the -eku value 1.3.6.1.5.5.7.3.3 is the Code Signing usage. The second command packages those two files into a password-protected pfx.
Second step is to create a certificate issued by the root cert above.
- makecert -pe -n "CN=Certificate" -a sha1 -eku 1.3.6.1.5.5.7.3.3 -ic Root.cer -iv Root.pvk -sv Certificate.pvk Certificate.cer
- pvk2pfx.exe -pvk Certificate.pvk -spc Certificate.cer -pfx Certificate.pfx -pi password
Now we are ready to sign our PowerShell script.
- $cert = Get-PfxCertificate Certificate.pfx
- Set-AuthenticodeSignature -Filepath script.ps1 -Cert $cert
Probably can be combined into one line, but I am not a guru yet.
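As an added example (not from the original post), here is a script that signs every .ps1 on a share with the Certificate.pfx from step two and then reports each file's signature status, which is the check you want before relying on RemoteSigned. The share path and pfx location are placeholders.

```powershell
# Added example, not part of the original post. Signs every .ps1 under a share
# with the code-signing cert built above, then verifies each signature.
# Placeholders: the share root and the pfx path below are assumptions.
param(
    [string]$ShareRoot = '\\fileserver\scripts',
    [string]$PfxPath   = '\\fileserver\scripts\Certificate.pfx',
    [switch]$WhatIf
)

# Get-PfxCertificate prompts for the pfx password set with pvk2pfx -pi.
$cert = Get-PfxCertificate -FilePath $PfxPath

# The cert must carry the Code Signing EKU (1.3.6.1.5.5.7.3.3) that the
# -eku switch on makecert added; refuse anything else up front.
if (-not ($cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.3' })) {
    throw "Certificate $($cert.Thumbprint) is not a code-signing certificate"
}

$results = foreach ($file in Get-ChildItem -Path $ShareRoot -Filter *.ps1 -Recurse) {
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    # Only (re)sign scripts that are unsigned or were edited after signing,
    # which shows up as HashMismatch.
    if ($sig.Status -in 'NotSigned', 'HashMismatch') {
        if (-not $WhatIf) {
            $sig = Set-AuthenticodeSignature -FilePath $file.FullName -Certificate $cert
        }
    }
    [pscustomobject]@{
        Script = $file.FullName
        Status = $sig.Status   # Valid, NotSigned, HashMismatch or UnknownError
        Signer = $sig.SignerCertificate.Subject
    }
}

$results | Format-Table -AutoSize
# A script that still reports UnknownError is signed, but the RootName cert
# is not in this machine's Trusted Root / Trusted Publishers stores, so
# RemoteSigned will still refuse to run it from the share.
```

Run it with -WhatIf first to see which scripts would be touched without modifying anything.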
Next post will talk about how I added these certs to all the servers.