  1. #1



    Signing powershell scripts so they're trusted domain-wide

    So I've gotten to the point now where I'm writing scripts that are going beyond personal use and I'm not really keen on modifying the executionpolicy of other users/machines, so script signing is the way to go, but I'm having a lot of trouble finding anything beyond self-cert (MakeCert) for local use, which isn't really going to be much use as we'll need multiple members of staff to be able to execute it.

    I understand a certificate can be made and pushed out domain-wide but really not finding much information on how to actually make a certificate for the domain, only for local machines. Has anybody done something like this on their own networks that would be able to throw a link or two my way explaining it more?

  2. #2

    Domino's Avatar
    Have you got a domain certificate server? If so it should be fairly easy to make a code signing cert, as long as the machines running it trust the domain root (which they should do).

    Have a look: Hey, Scripting Guy! How Can I Sign Windows PowerShell Scripts with an Enterprise Windows PKI? (Part 1 of 2) - Hey, Scripting Guy! Blog - Site Home - TechNet Blogs

  3. #3


    Thanks for the speedy response!

    Is that the only way to do it? We don't have a PKI. Apparently we used to have one as part of SCCM but CAPITA bodged it up so now we don't.
    If it is, how simple is it to set one up? (I don't really touch servers too much, but I can pass everything on once I've got the resources)

  4. #4

    Domino's Avatar
    It's not too shocking, but takes a bit of thinking before jumping in. It also means you can generate internal certs for internal web servers, etc., which can provide a cost/security benefit down the line.

    But if you can throw some money at it, it might be better to buy a code signing cert from someone who's a trusted root in Windows by default (MS update the root certs trusted auth parties fairly often).

    If you go Start - Run - mmc, then go File - Add Snap-in, choose Certificates, Computer account, Local computer. You can then open Trusted Root Certification Authorities and see a list of certificate signers your machine trusts (and likely the same as the other machines on the network) - I believe Thawte, VeriSign and GlobalSign are normally good bets: https://www.globalsign.co.uk/code-signing/

  5. #5


    I can't even figure out how to self-sign them. All I find is talk of MakeCert being bundled with .NET Framework SDK 2.0, but there seems to be no such program bundled in with .NET Framework SDK 4 that I just installed.

  6. #6

    Domino's Avatar

  7. #7


    Quote (originally posted by Garacesh):
    "All I find is talk of MakeCert being bundled with .NET Framework SDK 2.0, but there seems to be no such program bundled in with .NET Framework SDK 4 that I just installed."

    MakeCert.exe is bundled with the Windows SDK and Windows Driver Kit (WDK).

    You will find it in the following folders depending upon which *DK you install.

    Code:
    %ProgramFiles%\Microsoft SDKs\Windows\v7.1\Bin
    Code:
    C:\WinDDK\7600.16385.1\bin\amd64
    Last edited by Arthur; 29th April 2014 at 05:02 PM.

  8. #8


    Woohoo, I got it working. Made the certificates that can be imported to other machines and managed to sign my code, thanks for the help!
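
For readers following the outcome in post #8: an added example, not code from any poster in this thread, of the self-signed route on Windows 10 / Server 2016 or later, where the built-in New-SelfSignedCertificate cmdlet stands in for MakeCert. The subject name and the temp-file paths are assumptions, and the imports in step 3 need an elevated session.

```powershell
# Added example; the subject name and file paths are assumptions.
$pubCer = Join-Path $env:TEMP 'ScriptSigning.cer'
$script = Join-Path $env:TEMP 'Signed-Example.ps1'
Set-Content -Path $script -Value 'Write-Output "hello from a signed script"'   # constructed sample

# 1. Signing workstation: create the code-signing certificate. The private key
#    stays in the signer's own store and is never copied to other machines.
$cert = New-SelfSignedCertificate -Type CodeSigningCert `
    -Subject 'CN=Example Script Signing' `
    -CertStoreLocation Cert:\CurrentUser\My `
    -KeyAlgorithm RSA -KeyLength 3072 -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(2)

# 2. Export the public certificate only; this .cer file is what gets distributed.
Export-Certificate -Cert $cert -FilePath $pubCer | Out-Null

# 3. Every machine that runs the script (elevated): Root makes the self-signed
#    chain validate, TrustedPublisher stops AllSigned prompting for the publisher.
foreach ($store in 'Root', 'TrustedPublisher') {
    Import-Certificate -FilePath $pubCer -CertStoreLocation "Cert:\LocalMachine\$store" | Out-Null
}

# 4. Sign the script with SHA-256.
Set-AuthenticodeSignature -FilePath $script -Certificate $cert -HashAlgorithm SHA256 | Out-Null

# 5. Verify the way a consuming machine would before running it.
$check = Get-AuthenticodeSignature -FilePath $script
if ($check.Status -ne 'Valid') {
    throw "Signature not valid: $($check.Status) - $($check.StatusMessage)"
}

# 6. Any edit after signing invalidates the signature, so the script must be
#    re-signed after every change. Print the status before and after the edit.
Add-Content -Path $script -Value '# edited after signing'
$tampered = Get-AuthenticodeSignature -FilePath $script
"{0} -> {1}" -f $check.Status, $tampered.Status
```

In a domain, the two imports in step 3 are normally replaced by Group Policy (Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies), which has both a Trusted Root Certification Authorities and a Trusted Publishers node. Adding -TimestampServer to Set-AuthenticodeSignature keeps signatures valid after the certificate expires.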
