Creating my first Powershell script, I came up against code execution issues. Rather than take the easy (sketchy) way out and simply enable execution of unsigned code, I went and figured out how to sign my scripts using my internal CA. Powershell’s internal help is very useful also:
get-help about_signing
My CA is (still) a Windows Server 2003 DC, so that’s what this is based on.
- Connect to your CA using the Certification Authority snap-in, and ensure that the Code Signing certificate template is enabled/loaded. If it isn’t, just right-click on Certificate Templates and select New –> Certificate Template to Issue.
- Ensure that HTTPS is enabled for your CA’s Certificate Services virtual directory, and then navigate to it using IE from your own PC: https://{CA-name}/certsrv
- Go to Request a certificate, User Certificate (click Yes to any IE popups at this point), go to More Options >>>, Use the Advanced Certificate Request form, select the Code Signing certificate template, and then Submit your request.
- Once your certificate is issued and installed, you’ll be able to view its details using this Powershell command:
Get-ChildItem cert:\CurrentUser\My -codesigning
- Sign your Powershell script with the following command. I ran into an issue where I received an “Unknown Error”, but this turned out to be because I had created the script from within the Powershell ISE. This handy blog post helped me out.
Set-AuthenticodeSignature .\{script name}.ps1 @(Get-ChildItem cert:\CurrentUser\My -codesigning)[0]
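The one-liner above picks whatever code-signing certificate happens to come first in the store and does not check the result. The following script is an added example (not from the original post) that selects a certificate that is actually usable, signs the file, and then verifies the signature with Get-AuthenticodeSignature. It assumes PowerShell 3.0 or later (for -HashAlgorithm and -CodeSigningCert), that the certificate issued by the internal CA lives in Cert:\CurrentUser\My with its private key, and that $TimestampServer points at a reachable timestamp service (the DigiCert URL is only an assumed default; substitute whatever your environment uses).

```powershell
# Added example, not part of the original post.
# Assumptions: PowerShell 3.0+, certificate in Cert:\CurrentUser\My,
# and a reachable timestamp server (default below is an assumption).
param(
    [Parameter(Mandatory = $true)]
    [string]$ScriptPath,
    [string]$TimestampServer = 'http://timestamp.digicert.com'
)

# Pick a code-signing certificate that has a private key and has not expired.
# The page's @(...)[0] takes the first match blindly; an expired or
# key-less certificate there produces a confusing failure.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw 'No usable code-signing certificate found in Cert:\CurrentUser\My.'
}

Write-Host "Signing $ScriptPath with $($cert.Subject) (thumbprint $($cert.Thumbprint))"

# Timestamping lets the signature remain valid after the certificate expires,
# so already-signed scripts do not all break on the certificate's NotAfter date.
$result = Set-AuthenticodeSignature -FilePath $ScriptPath -Certificate $cert `
    -TimestampServer $TimestampServer -HashAlgorithm SHA256

if ($result.Status -ne 'Valid') {
    throw "Signing failed: $($result.Status) - $($result.StatusMessage)"
}

# Verify from a fresh read of the file rather than trusting the object
# returned by Set-AuthenticodeSignature.
$sig = Get-AuthenticodeSignature -FilePath $ScriptPath
[pscustomobject]@{
    File        = $ScriptPath
    Status      = $sig.Status
    Signer      = $sig.SignerCertificate.Subject
    Thumbprint  = $sig.SignerCertificate.Thumbprint
    Timestamped = ($null -ne $sig.TimeStamperCertificate)
}
```

Run it as `.\Sign-Script.ps1 -ScriptPath .\MyScript.ps1` (the file name is assumed). A Status of anything other than Valid, or a Timestamped value of False, is worth stopping on before the script is distributed. The point of this whole exercise is to keep the execution policy at AllSigned (or RemoteSigned) rather than Unrestricted, so a script that fails to verify should be treated as a signing problem to fix, not a reason to loosen the policy.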
There’s some pretty useful info here, on powershell.com