Certificate to Sign PowerShell Scripts

I recently decided that I needed a script to run automatically one morning a week.  Once I got the script written, it consisted of a single line:

Restart-Computer -ComputerName XXX -Force

Simple huh?

Well, when I tried to run it I got: “The file cannot be loaded…. *.ps1 is not digitally signed.”  After changing my execution policy to AllSigned with:

Set-ExecutionPolicy AllSigned

I went to find out how to make a certificate for PowerShell.  After finding this article I thought I had it in the bag.  Well, I didn’t.

Given that it is almost 2012, I’m using Windows 7 and tried this command:

makecert -n "CN=PowerShell Local Certificate Root" -a sha1 -eku 1.3.6.1.5.5.7.3.3 -r -sv root.pvk root.cer -ss Root -sr localMachine

Then I found out that ‘makecert’ isn’t included in Windows 7.  So, fear not, I went back to Google and found out that I needed to download the “Microsoft Windows Software Development Kit”.  Okay.

After downloading that, being the tester that I am, I installed it on a virtual machine.  When I went to run it, I got an error that I needed .NET 4.0, so I went out, downloaded that and installed it.  Once that was installed I figured I would give the ‘makecert’ command another shot.  Wrong again.

Since I was worried I would forget where the Software Development Kit would install, I copied the location during the installation, which is: “C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin”, and there it was!

Once you have changed to that folder you can run the following (in CMD).  This creates the self-signed root (-r) with the code-signing enhanced key usage (-eku 1.3.6.1.5.5.7.3.3) and places it in the LocalMachine Root store:

makecert -n "CN=PowerShell Local Certificate Root" -a sha1 -eku 1.3.6.1.5.5.7.3.3 -r -sv root.pvk root.cer -ss Root -sr localMachine

Enter the password a couple of times.  Then run this command, which issues the signing certificate from that root (-iv root.pvk -ic root.cer) into your personal store (-ss MY):

makecert -pe -n "CN=PowerShell User" -ss MY -a sha1 -eku 1.3.6.1.5.5.7.3.3 -iv root.pvk -ic root.cer

After that, verify that the above steps have worked correctly by going back to PowerShell and running:

PS C:\>Get-ChildItem cert:\CurrentUser\My -CodeSigningCert

Once this has been verified, you are now ready to run:

PS C:\>Set-AuthenticodeSignature C:\RestartComputer.ps1 @(Get-ChildItem cert:\CurrentUser\My -CodeSigningCert)[0]

Execute the script once you have done this and you will be prompted with the options ‘Never run’, ‘Do not run’, ‘Run once’, ‘Always run’ and ‘Help’.  By selecting A (Always run) the script will run from then on.
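As an added example (not code from the original post), here is the sign-and-verify step above as one PowerShell script. It assumes the code-signing certificate created by the makecert commands is in cert:\CurrentUser\My and that the script being signed is C:\RestartComputer.ps1 from the post; the name of the tampered copy is an assumption. It goes slightly beyond the post by checking the signer's thumbprint rather than only the status, and by showing that a modified copy of the signed file no longer verifies, which is the property AllSigned relies on.

```powershell
# Added example, not from the original post: sign RestartComputer.ps1 with the
# code-signing certificate created by the makecert steps, then verify the
# signature and show that editing the signed file invalidates it.
# Assumptions: a code-signing certificate exists in Cert:\CurrentUser\My and
# C:\RestartComputer.ps1 is the script from the post. The tampered-copy file
# name below is constructed for this example.

$ScriptPath = 'C:\RestartComputer.ps1'

# The signature only matters if the policy actually enforces it.
if ((Get-ExecutionPolicy) -ne 'AllSigned') {
    Write-Warning "Execution policy is $(Get-ExecutionPolicy); AllSigned is what the post uses."
}

# Pick the code-signing certificate. -CodeSigningCert is the full name of the
# parameter abbreviated as -codesign / -codesigning in the post.
$cert = @(Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert)[0]
if (-not $cert) { throw 'No code-signing certificate found in Cert:\CurrentUser\My' }
"Signing with: $($cert.Subject)  thumbprint $($cert.Thumbprint)"

# Sign the script. The signature block is appended to the file as comments.
$result = Set-AuthenticodeSignature -FilePath $ScriptPath -Certificate $cert
if ($result.Status -ne 'Valid') {
    throw "Signing failed: $($result.Status) - $($result.StatusMessage)"
}

# Verify: the status must be Valid AND the signer must be the certificate we
# expect. Checking the thumbprint guards against a different, but also
# trusted, signer having replaced the file.
function Test-ScriptSignature {
    param([string]$Path, [string]$ExpectedThumbprint)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    return ($sig.Status -eq 'Valid' -and
            $sig.SignerCertificate.Thumbprint -eq $ExpectedThumbprint)
}
"Signature valid: $(Test-ScriptSignature -Path $ScriptPath -ExpectedThumbprint $cert.Thumbprint)"

# Why AllSigned protects integrity: change the body of a copy of the signed
# script and the embedded hash no longer matches, so PowerShell refuses to
# run the copy. ReadAllText/WriteAllText are used instead of Get-Content -Raw
# so this also works on PowerShell 2.0.
$tampered = Join-Path $env:TEMP 'RestartComputer-tampered.ps1'   # constructed name
$body = [IO.File]::ReadAllText($ScriptPath).Replace('-Force', '-Force # edited')
[IO.File]::WriteAllText($tampered, $body)
"Tampered copy status: $((Get-AuthenticodeSignature -FilePath $tampered).Status)"
```

Run it from the PowerShell session where the certificate was created (the user store is per user). The last line reports the status of the edited copy; any change to the signed portion of the file, even a comment, changes the hash and the file is no longer accepted under AllSigned until it is signed again.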

Once the script was tested, I exported the certificate.

I did this by going to ‘Control Panel’ then ‘Internet Options’.  Once that was opened, select the ‘Content’ tab and then ‘Certificates’.

Select ‘Export’ and ‘Next’.  On the following menu I selected ‘Yes, export the private key’ and then ‘Next’.

After that I selected ‘Personal Information Exchange – PKCS #12 (.PFX)’ with the sub-options ‘Include all certificates in the certification path if possible’ and ‘Export all extended properties’, then selected ‘Next’ and entered the password that I created earlier.  Once that was done, I selected the path and saved the certificate.

The certificate was then copied to the computer that I was testing the script on and imported per the instructions above.  Once that worked, I signed the script with:

PS C:\>Set-AuthenticodeSignature C:\RestartComputer.ps1 @(Get-ChildItem cert:\CurrentUser\My -CodeSigningCert)[0]

and ran the script.  Everything worked as planned.  Once the server came back up (the script restarts the server), I simply clicked on the script and the machine restarted again.

Now I have added the certificate to my CA.  I did this by opening mmc.exe and adding the Certificates snap-in.  Make sure that all of the subfolders read “CertSvc\…” so that you know you are on the certificate portion.  The certificate was then imported into ‘CertSvc\Personal’, ‘CertSvc\Trusted Root Certification Authorities’ and ‘CertSvc\Trusted Publishers’.
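As an added example (not from the original post), here is a PowerShell script covering the export/import steps above for a machine that only needs to run the signed script. It deliberately moves only the public certificates: root.cer from the first makecert command goes into Trusted Root Certification Authorities, and the public part of the ‘CN=PowerShell User’ certificate goes into Trusted Publishers, so the PFX with the private key never has to leave the signing machine. The file paths and the signer.cer name are assumptions; it uses the .NET X509Store classes rather than the PKI module cmdlets so it also runs on Windows 7 / PowerShell 2.0. The Import mode writes to LocalMachine stores, so run it from an elevated prompt.

```powershell
# Added example, not from the original post: distribute trust for the signing
# certificate using public certificates only.
#   -Mode Export  (on the signing machine)  writes the public part of the
#                 "CN=PowerShell User" certificate to a .cer file.
#   -Mode Import  (on the machine that runs the script) adds root.cer to
#                 Trusted Root and the signer .cer to Trusted Publishers.
# Assumptions: root.cer is the file produced by the first makecert command in
# the post; the C:\certs\ paths and the signer.cer name are constructed here.
param(
    [Parameter(Mandatory = $true)][ValidateSet('Export', 'Import')][string]$Mode,
    [string]$RootCerPath   = 'C:\certs\root.cer',    # assumed path
    [string]$SignerCerPath = 'C:\certs\signer.cer'   # assumed path and name
)

function Export-PublicCert {
    param([string]$Subject, [string]$OutFile)
    $cert = Get-ChildItem Cert:\CurrentUser\My |
            Where-Object { $_.Subject -eq $Subject } | Select-Object -First 1
    if (-not $cert) { throw "No certificate with subject '$Subject' in Cert:\CurrentUser\My" }
    # X509ContentType::Cert writes DER with the public key only; the private
    # key stays in this user's store.
    $bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [IO.File]::WriteAllBytes($OutFile, $bytes)
    "Exported public certificate $($cert.Thumbprint) to $OutFile"
}

function Import-PublicCert {
    param([string]$CerPath, [string]$StoreName)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
    # A trust store should never receive a private key. A .cer never carries
    # one, but a PFX with an empty password would load here, so refuse it.
    if ($cert.HasPrivateKey) {
        throw "$CerPath contains a private key; only public .cer files belong in trust stores"
    }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store $StoreName, 'LocalMachine'
    $store.Open('ReadWrite')
    try   { $store.Add($cert) }   # no-op if the certificate is already present
    finally { $store.Close() }
    "${StoreName}: added $($cert.Subject) ($($cert.Thumbprint))"
}

switch ($Mode) {
    'Export' { Export-PublicCert -Subject 'CN=PowerShell User' -OutFile $SignerCerPath }
    'Import' {
        # Trust the self-signed root so the chain of the signing cert validates.
        Import-PublicCert -CerPath $RootCerPath   -StoreName 'Root'
        # Trust the publisher so the "Always run" prompt does not appear.
        Import-PublicCert -CerPath $SignerCerPath -StoreName 'TrustedPublisher'
    }
}
```

Copy root.cer and signer.cer to the target machine, run the script with -Mode Import, and then Get-AuthenticodeSignature on the signed script should report Valid there without any prompt. Keeping the PFX on the signing machine means a compromised target cannot be used to sign new scripts that every other machine would then trust.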
