Self-sign your PowerShell scripts

Creating my first PowerShell script, I came up against code execution issues. Rather than take the easy (sketchy) way out and simply enable execution of unsigned code, I went and figured out how to sign my scripts using my internal CA. PowerShell’s internal help is very useful also:

get-help about_signing

My CA is (still) a Windows Server 2003 DC, so that’s what this is based on.

  1. Connect to your CA using the Certification Authority snap-in, and ensure that the Code Signing certificate template is enabled/loaded. If it isn’t, just right-click on Certificate Templates and select New –> Certificate Template to Issue.

  2. Ensure that HTTPS is enabled for your CA’s Certificate Services virtual directory, and then navigate to it using IE from your own PC.

  3. Go to Request a certificate, User Certificate (click Yes to any IE popups at this point), go to More Options >>>, Use the Advanced Certificate Request form, select the Code Signing certificate template, and then Submit your request.
  4. Once your certificate is issued and installed, you’ll be able to view its details using this PowerShell command:

     Get-ChildItem cert:\CurrentUser\My -codesigning

  5. Sign your PowerShell script with the following command. I ran into an issue where I received an “Unknown Error”, but this turned out to be because I had created the script from within the PowerShell ISE. This handy blog post helped me out.

     Set-AuthenticodeSignature .\{script name}.ps1 @(Get-ChildItem cert:\CurrentUser\My -codesigning)[0]
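Steps 4 and 5 combined into one script, with a verification pass at the end. This is an added example, not part of the original post. The script name `MyScript.ps1` is a placeholder, and the re-encoding step assumes the ISE "Unknown Error" comes from the file having been saved as big-endian Unicode.

```powershell
# Added example: sign a script with a valid code-signing certificate from
# the current user's store, then confirm that the signature verifies.
$ScriptPath = (Resolve-Path '.\MyScript.ps1').Path   # placeholder script name

# Choose a certificate that has its private key and is inside its validity
# period, rather than taking whatever happens to be at index [0].
$now  = Get-Date
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) {
    throw 'No usable code-signing certificate found in Cert:\CurrentUser\My'
}

# Assumption: the ISE-related "Unknown Error" is caused by a big-endian
# Unicode file (BOM FE FF). If that BOM is present, rewrite the file as
# UTF-8 with BOM before signing.
$bytes = [System.IO.File]::ReadAllBytes($ScriptPath)
if ($bytes.Length -ge 2 -and $bytes[0] -eq 0xFE -and $bytes[1] -eq 0xFF) {
    $text = [System.Text.Encoding]::BigEndianUnicode.GetString($bytes, 2, $bytes.Length - 2)
    $utf8 = New-Object System.Text.UTF8Encoding $true
    [System.IO.File]::WriteAllText($ScriptPath, $text, $utf8)
    Write-Warning "Re-encoded $ScriptPath from big-endian Unicode to UTF-8"
}

# Sign, then read the signature back from the file instead of trusting
# the return value of the signing call alone.
Set-AuthenticodeSignature -FilePath $ScriptPath -Certificate $cert | Out-Null
$check = Get-AuthenticodeSignature -FilePath $ScriptPath

if ($check.Status -ne 'Valid') {
    throw "Signature status is '$($check.Status)': $($check.StatusMessage)"
}

'{0} signed by {1} (thumbprint {2}, expires {3:yyyy-MM-dd})' -f `
    (Split-Path $ScriptPath -Leaf),
    $check.SignerCertificate.Subject,
    $check.SignerCertificate.Thumbprint,
    $check.SignerCertificate.NotAfter
```

A status other than `Valid` after signing usually means the machine does not trust the issuing CA's root, or the script was edited after it was signed; any change to a signed file requires signing it again.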

There’s some pretty useful info here, on
