Why my certificate can't be used for PowerShell code signing? -


windows 7 x64, powershell 4.0.

i beginner in working digital signatures, therefore read these articles before:

i need sign powershell scripts. these scripts accessible users of our windows domain. @ first want learn on computer.

i set execution policy allsigned value (with admin rights):

set-executionpolicy -scope localmachine -executionpolicy allsigned

according don jones article created own certificate (through developer command prompt vs2015 [i.e. through cmd.exe], admin rights):

cd c:\temp makecert -n "cn=andrey bushman" -a md5 -r -sv andrey.bushman.pvk -ss root -sr localmachine andrey.bushman.cer

i got andrey.bushman.cer , andrey.bushman.pvk files in current directory. first of them has 1 kb size, , second of them has 2 kb size. so, see private key size more size of certificate.

question #1
does mean certificate don't include copy of private key?

now see new item in certificate store:

ps cert:\localmachine\root> get-childitem | -property issuer -eq "cn=andrey bushman"    directory: microsoft.powershell.security\certificate::localmachine\root  thumbprint                                subject                                                           ----------                                -------                                                           cf26a00bb7c8eb2b1ea66ca307c4b5025f636f9a  cn=andrey bushman

then don jones did it:

makecert -pe -n "cn=mycertificate" -ss  –a sh1 -eku 1.3.6.1.5.5.7.3.3 -iv root.pvk  –c root.cer

question #2
why did it? before did have our certificate in cert:localmachine\root storage.

by analogy did case:

makecert -pe -n "cn=andrey bushman" -ss -a md5 -iv andrey.bushman.pvk -ic andrey.bushman.cer

but nothing when launch this:

gci cert:\currentuser\my -codesigning

without -codesigning flag this:

ps c:\temp> gci cert:\currentuser\my    directory: microsoft.powershell.security\certificate::currentuser\my  thumbprint                                subject                                                           ----------                                -------                                                           8f0d753aca7f6631c3d967921bd06e158e1ab1af  cn=andrey bushman

question #3
why nothing when use -codesigning flag?

ok try sign file , problem:

ps c:\temp> $cert = @(gci cert:\currentuser\my)[0]  ps c:\temp> set-authenticodesignature -filepath .\123.ps1 -certificate $cert set-authenticodesignature : isn't possible sign code. specified certificate isn't suitable code signing а. line:1 char:1 + set-authenticodesignature -filepath .\123.ps1 -certificate $cert + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~     + categoryinfo          : invalidargument: (:) [set-authenticodesignature], psargumentexception     + fullyqualifiederrorid : argument,microsoft.powershell.commands.setauthenticodesignaturecommand

question #4
how can make certificate suitable code signing?

upd
i can't ask question here, because can't register on site (i have nothing email). wrote letters email of support team answer never. tried years ago , tried days ago again, same result.

q1: mean certificate don't include copy of private key?

a1: yes. certificates can swapped around because don't include private key. private key typically exists on 1 computer, backup copy archived in secure location. gets access private key can sign want , looks did it. (a more complete answer question outside typical scope of stack overflow, there many resources available on pki.)

q2: why did it?
q3: why nothing when use -codesigning flag?

a2/a3: first time ran makecert, created root certificate. root certificate issuing other certificates, why not show code signing certificate. second time, making actual certificate. -eku option specifies certificate options use, can root certificate, code signing certificate, or digital signature, more advanced things data encryption or client authentication.

q4: how can make certificate suitable code signing?

a4: don't have lot of experience makecert.exe, company has contract cybertrust such can generate many certificates need without worrying cost each one. (yes, it's nice luxury.) means can't answer questions on makecert.exe, syntax, or -eku options use.

in many ways, makecert doing lot of things behind scenes, basic things need same:

  1. you have generate public / private key pair.
  2. you have create certificate request specifies "code signing".
  3. you have use private key sign certificate request.
  4. the certificate authority uses request generate certificate.
  5. the generated certificate can installed using private key signed request.
  6. once have certificate installed, show using -codesigning option , usable set-authenticodesignature.

i suggest using makecert documentation , other digital certificate resources find right options, based on quick glance @ links posted, appears have majority of information need. having done digital certificates many years now, appears me biggest thing more familiar how public key infrastructure (pki) works, regards how certificate chain works , verified. takes time down, , code signing in powershell not easiest place start, if you're going lot of it, it's worth time investment.


Comments

Post a Comment

Popular posts from this blog

php - Wordpress website dashboard page or post editor content is not showing but front end data is showing properly -

Image
recently have uploaded wordpress site onto server. have uploaded wordpress site in sub-folder under root folder ../root(domain root folder)/wordpress (where host wordpress folder). now problem content data in page or post in dashboard of wordpress admin panel not showing - see image. but data showing in front view - see image. if not browser cache issue , not issue happened tinymce editor during upgrade; try add config file: define('concatenate_scripts', false);
Read more

How to get the ip address of VM and use it to configure SSH connection dynamically in Ansible -

i trying ip address of vm , trying use establish ssh vm. following script: --- - hosts: localhost become: yes connection: local gather_facts: false serial: 1 vars_files: - createvmvars.yml tasks: - name: gathering vm info. vsphere_guest: vcenter_hostname: "{{vcenter_hostname}}" username: "{{vcenter_username}}" password: "{{vcenter_password}}" guest: "{{guest_name}}" vmware_guest_facts: yes register: var - debug: msg="{{var.ansible_facts.hw_eth0.ipaddresses[0]}}" - name: establishing ssh connection. script: /home/shasha/devops/scripts/ssh_configure.sh "{{var.ansible_facts.hw_eth0.ipaddresses[0]}}" following content of ssh_configure.sh : #!/bin/sh ssh-keygen -t rsa ssh-copy-id $1 but when running playbook, getting following error while executing third task: error! 'var' undefined but debug module(second task) printin
Read more

javascript - Get parameter of GET request -

i make request: createxhrrequest( "get", fileurl, function( err, response ) { if( err ) { alert( "error get!" ); } alert(response); }); and full response: { "status" : "ok", "message" : "jvberi0xljqkjdduxdgkmy how can jvberi0xlj ? i try response.message , response["message"]. nothing works. just simple access this: var json = json.parse(response); json.message
Read more