How to sign PowerShell scripts, part 2

This guide explains how to sign a PowerShell script. In part one, I showed you how to deploy an enterprise CA. The next step in the process is to acquire a code signing certificate from the CA.

Before we can do that, however, we’ll need to create a code signing template.


To get started, log into your Certificate Authority (CA) and open the CA console (you can type certsrv.msc at the Run prompt). When the console opens, expand the container for your CA. Now right-click on the Certificate Templates container and select the Manage command from the context menu.

Brian Posey

Figure 1. Right-click on the Certificate Templates folder and select the Manage command.

At this point, the console will display a long list of templates. Right-click the Code Signing template and choose the Duplicate Template command from the context menu. This will cause Windows to open the new template's Properties sheet.

Select the General tab of the Properties sheet, then give the template a new name. I’m going to call my template “PowerShell”. Click the Apply button, then select the Request Handling tab. Here you will need to make sure that the Purpose dropdown is set to Signature. You will also need to check the Allow private key to be exported box. Click Apply when you’re done.

Next, go to the Subject Name tab. Make sure Build from Active Directory information is selected, then set the Subject Name Format to Common Name. Make sure User Principal Name is checked and click Apply.

Now select the Security tab and assign Read and Enroll permissions to Authenticated Users. Click OK when finished.

Issuing the template

Now that we’ve created a code signing certificate template, it’s time to publish it. Return to the main CA console, right-click the Certificate Templates container and select New | Certificate Template to Issue from the context menu.

Windows will display a dialog asking you to select a certificate template to enable on the CA. Select the PowerShell certificate template you created a moment ago. Click OK.


Figure 2. Select your PowerShell certificate template and click OK.

Configuring website bindings

As you may remember, in the first part of this guide, we chose an option that installs web enrollment for certificates. We will use that web interface to request the code signing certificate. Before we can do that, however, we’ll need to configure the site bindings to allow SSL.

Open Server Manager on your CA, then choose IIS Manager from the Tools menu. When IIS Manager opens, expand the container for your server, expand the Sites container, and click Default Web Site, shown in Figure 3.


Figure 3. Click the Default Web Site container.

Now click the Bindings link, then click Add. When the Add Site Binding dialog box appears, set the type to HTTPS and choose your CA certificate from the SSL Certificate drop-down list, as shown in Figure 4. Click OK to complete the process.


Figure 4. Set the binding type to HTTPS and choose your CA as the SSL certificate.

Request the code signing certificate

The next thing to do is request a code signing certificate.

To do this, open a web browser on a domain-joined system. Go to https://<CA server>/certsrv, replacing <CA server> with the fully qualified domain name or IP address of your CA server. This will cause the browser to open a page hosted by the CA.

If you get an error that warns you about the site’s security certificate, you can safely ignore the error. The error occurs because the machine has not been configured to trust the certificate authority.

When prompted, sign in to the site using domain credentials. From the main site screen, click on the Request a certificate option and then click on the Advanced certificate request option. Next, click Create and submit a request to this CA. This will take you to the screen shown in Figure 5.


Figure 5. Choose the PowerShell certificate template and set the friendly name to PowerShell.

Choose PowerShell from the Certificate Template drop-down menu, set the Certificate Friendly Name to PowerShell, and click Submit. Upon doing so, you should receive a message telling you that the certificate has been issued to you. Be sure to click the Install this certificate link, shown in Figure 6.


Figure 6. Make sure to install the certificate.
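The same request can be made without the certsrv web pages. The script below is an added example, not part of the original post: it enrolls against the template from this guide with the PKI module's Get-Certificate cmdlet and then checks the three things the template settings above were supposed to produce (a Code Signing EKU, a chain to the enterprise CA, and an exportable private key). It assumes the template name PowerShell, a domain-joined client running Windows PowerShell 5.1 or later, and that the CA is reachable for DCOM enrollment.

```powershell
# Added example (not from the original post). Assumes the template "PowerShell" created above
# and a domain-joined client. Get-Certificate enrolls through the enterprise CA's DCOM
# enrollment interface, so the IIS bindings configured above are not needed for this path.

# 1. Enroll against the published template into the current user's Personal store.
$result = Get-Certificate -Template 'PowerShell' -CertStoreLocation 'Cert:\CurrentUser\My'
if ($result.Status -ne 'Issued') {
    throw "Enrollment did not complete: status is '$($result.Status)'"
}
$cert = $result.Certificate

# 2. Confirm the Code Signing enhanced key usage (OID 1.3.6.1.5.5.7.3.3) is present.
#    Set-AuthenticodeSignature (part three) only accepts certificates that carry it.
$codeSigningOid = '1.3.6.1.5.5.7.3.3'
$ekuExt = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509EnhancedKeyUsageExtension] }
$hasEku = $ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $codeSigningOid }
if (-not $hasEku) {
    throw 'Issued certificate lacks the Code Signing EKU; check the template Purpose setting.'
}

# 3. Confirm the certificate chains to a trusted root on this machine. If this fails, the
#    CA's root certificate has not reached the client, which is also what produces the
#    browser warning mentioned above.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($cert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    throw "Certificate does not chain to a trusted root: $status"
}

# 4. Check that the private key is exportable, which the "Allow private key to be exported"
#    template setting controls. A legacy CSP key reports this through CspKeyContainerInfo,
#    a CNG key through its ExportPolicy flags, so both cases are handled.
$exportable = $false
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $exportable = $rsa.CspKeyContainerInfo.Exportable
} elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
    $allow = [System.Security.Cryptography.CngExportPolicies]::AllowExport
    $exportable = ($rsa.Key.ExportPolicy -band $allow) -ne 0
}

# Summary of what was issued; Thumbprint is what you will reference when signing scripts.
[pscustomobject]@{
    Subject    = $cert.Subject
    Issuer     = $cert.Issuer
    Thumbprint = $cert.Thumbprint
    NotAfter   = $cert.NotAfter
    Exportable = $exportable
}
```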

Now that we have generated and installed the required certificate, we can finally start signing our PowerShell scripts. I’ll show you how in part three.
