29th April 2014, 11:54 AM #1
Signing PowerShell scripts so they're trusted domain-wide
So I've gotten to the point now where I'm writing scripts that are going beyond personal use and I'm not really keen on modifying the executionpolicy of other users/machines, so script signing is the way to go, but I'm having a lot of trouble finding anything beyond self-cert (MakeCert) for local use, which isn't really going to be much use as we'll need multiple members of staff to be able to execute it.
I understand a certificate can be made and pushed out domain-wide but really not finding much information on how to actually make a certificate for the domain, only for local machines. Has anybody done something like this on their own networks that would be able to throw a link or two my way explaining it more?
29th April 2014, 11:58 AM #2
Have you got a domain certificate server? If so it should be fairly easy to make a code signing cert, as long as the machines running it trust the domain root (which they should do).
Have a look: Hey, Scripting Guy! How Can I Sign Windows PowerShell Scripts with an Enterprise Windows PKI? (Part 1 of 2) - Hey, Scripting Guy! Blog - Site Home - TechNet Blogs
29th April 2014, 12:04 PM #3
Thanks for the speedy response!
Is that the only way to do it? We don't have a PKI. Apparently we used to have one as part of SCCM but CAPITA bodged it up so now we don't.
If it is, how simple is it to set one up? (I don't really touch servers too much, but I can pass everything on once I've got the resources)
29th April 2014, 12:41 PM #4
It's not too shocking, but it takes a bit of thinking before jumping in. It also means you can generate internal certs for internal web servers, etc., which can provide a cost/security benefit down the line.
But if you can throw some money at it, it might be better to buy a code signing cert from someone who's a trusted root in Windows by default (MS update the root certs trusted auth parties fairly often).
If you go start-run-mmc then go file-add snap in, choose certificates, computer account, local computer. You can then open Trusted Root Certification Authorities and see a list of certificate signers your machine trusts (and likely the same as the other machines on the network) - I believe Thawte, VeriSign and GlobalSign are normally good bets: https://www.globalsign.co.uk/code-signing/
29th April 2014, 04:44 PM #5
I can't even figure out how to self-sign them. All I find is talk of MakeCert being bundled with .NET Framework SDK 2.0, but there seems to be no such program bundled in with .NET Framework SDK 4 that I just installed.
29th April 2014, 05:48 PM #6
29th April 2014, 05:58 PM #7
MakeCert.exe is bundled with the Windows SDK and Windows Driver Kit (WDK).
You will find it in the following folders depending upon which *DK you install.
Last edited by Arthur; 29th April 2014 at 06:02 PM.
30th April 2014, 03:19 PM #8
Woohoo, I got it working. Made the certificates that can be imported to other machines and managed to sign my code, thanks for the help!
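One way to do what the thread ends with (create a signing certificate, distribute its public part, sign a script), as an added example that is not any poster's code. It assumes Windows 10 / Server 2016 or later, where `New-SelfSignedCertificate` can issue a code-signing certificate (the thread itself used MakeCert); the subject name, file names and script content are placeholders.

```powershell
# Added example; subject, paths and script content are constructed placeholders.
$subject    = 'CN=Example Script Signing'
$scriptPath = Join-Path $PWD 'Deploy-Example.ps1'
$cerPath    = Join-Path $PWD 'ExampleScriptSigning.cer'
Set-Content -Path $scriptPath -Value 'Write-Output "signed script ran"'

# 1. Create the code-signing certificate. The private key stays in the
#    signer's own store and is never copied to other machines.
$cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject $subject `
    -CertStoreLocation Cert:\CurrentUser\My -NotAfter (Get-Date).AddYears(2)

# 2. Export the public certificate only (a .cer file holds no private key).
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null

# 3. On every machine that must run the script (elevated prompt): trust the
#    certificate as a root and as a publisher. For a whole domain, the same
#    two stores can be populated by Group Policy under Computer Configuration >
#    Policies > Windows Settings > Security Settings > Public Key Policies.
Import-Certificate -FilePath $cerPath `
    -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
Import-Certificate -FilePath $cerPath `
    -CertStoreLocation Cert:\LocalMachine\TrustedPublisher | Out-Null

# 4. Sign the script with the private key from step 1.
Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $cert `
    -HashAlgorithm SHA256 | Out-Null

# 5. Verify the way a client will: the status must be Valid.
$status = (Get-AuthenticodeSignature -FilePath $scriptPath).Status
if ($status -ne 'Valid') { throw "Unexpected signature status: $status" }

# 6. Show that a modified copy no longer verifies (HashMismatch), which is
#    what stops an edited script from running under AllSigned/RemoteSigned.
$tampered = Join-Path $PWD 'Deploy-Example-tampered.ps1'
$lines = @(Get-Content -Path $scriptPath)
$lines[0] = 'Write-Output "modified after signing"'
Set-Content -Path $tampered -Value $lines
$tamperedStatus = (Get-AuthenticodeSignature -FilePath $tampered).Status

"Original: $status   Tampered copy: $tamperedStatus"
```

Whoever holds the private key from step 1 can sign scripts that every machine trusting this certificate will run, so keep it on one protected signing account and distribute only the `.cer` file.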