| | Vista - Error when signing a PowerShell script |
| 12-04-2006 | #1 (permalink) |
Error when signing a PowerShell script

I am attempting to digitally sign a PowerShell script with a PKI certificate from a smartcard and it is failing with an error. I was always able to do this with no problem for VBA code (e.g. an Excel VBA script), the difference being that the signing was done via a GUI interface and I had to enter my PIN.

The error I am receiving is "Cannot sign code. The specified certificate is not suitable for code signing." I looked at the certificate in Internet Explorer and verified that it was enabled for code signing.

We are not allowed to use Pfx certificates or self-signed certificates in our environment so those are not an option. Any ideas? Thanks.
| 12-04-2006 | #2 (permalink) |
Re: Error when signing a PowerShell script

On Mon, 4 Dec 2006 12:18:01 -0800, Mike <Mike@discussions.microsoft.com> wrote:

> I am attempting to digitally sign a PowerShell script with a PKI certificate from a smartcard and it is failing with an error. I was always able to do this with no problem for VBA code (e.g. an Excel VBA script), the difference being that the signing was done via a GUI interface and I had to enter my PIN.
>
> The error I am receiving is "Cannot sign code. The specified certificate is not suitable for code signing." I looked at the certificate in Internet Explorer and verified that it was enabled for code signing.
>
> We are not allowed to use Pfx certificates or self-signed certificates in our environment so those are not an option. Any ideas? Thanks.

If you run the following commands in PowerShell does your certificate show up?

    cd cert:
    get-childitem -recurse -codesigning

Thanks

Andrew Watt MVP
| 12-04-2006 | #3 (permalink) |
Re: Error when signing a PowerShell script

Andrew,

No it doesn't. What does that mean? Thanks.

"Andrew Watt [MVP]" wrote:

> On Mon, 4 Dec 2006 12:18:01 -0800, Mike <Mike@discussions.microsoft.com> wrote:
>
> > I am attempting to digitally sign a PowerShell script with a PKI certificate from a smartcard and it is failing with an error. I was always able to do this with no problem for VBA code (e.g. an Excel VBA script), the difference being that the signing was done via a GUI interface and I had to enter my PIN.
> >
> > The error I am receiving is "Cannot sign code. The specified certificate is not suitable for code signing." I looked at the certificate in Internet Explorer and verified that it was enabled for code signing.
> >
> > We are not allowed to use Pfx certificates or self-signed certificates in our environment so those are not an option. Any ideas? Thanks.
>
> If you run the following commands in PowerShell does your certificate show up?
>
>     cd cert:
>     get-childitem -recurse -codesigning
>
> Thanks
>
> Andrew Watt MVP
| 12-04-2006 | #4 (permalink) |
Re: Error when signing a PowerShell script

Mike,

It may mean that you're stuck.

I know of only two ways to identify a certificate to be used when signing scripts in PowerShell. One is using the get-pfxcertificate cmdlet (you say you're not allowed to use PFX files) or using get-childitem in the cert: drive.

There may be a way to get your smartcard certificate to be seen in the cert: drive but I am not aware of it. Perhaps someone else can help you on that. Anyone?

What is your scenario? Do you need to sign to distribute scripts?

Andrew Watt MVP

On Mon, 4 Dec 2006 13:00:01 -0800, Mike <Mike@discussions.microsoft.com> wrote:

> Andrew,
>
> No it doesn't. What does that mean? Thanks.
>
> "Andrew Watt [MVP]" wrote:
>
> > On Mon, 4 Dec 2006 12:18:01 -0800, Mike <Mike@discussions.microsoft.com> wrote:
> >
> > > I am attempting to digitally sign a PowerShell script with a PKI certificate from a smartcard and it is failing with an error. I was always able to do this with no problem for VBA code (e.g. an Excel VBA script), the difference being that the signing was done via a GUI interface and I had to enter my PIN.
> > >
> > > The error I am receiving is "Cannot sign code. The specified certificate is not suitable for code signing." I looked at the certificate in Internet Explorer and verified that it was enabled for code signing.
> > >
> > > We are not allowed to use Pfx certificates or self-signed certificates in our environment so those are not an option. Any ideas? Thanks.
> >
> > If you run the following commands in PowerShell does your certificate show up?
> >
> >     cd cert:
> >     get-childitem -recurse -codesigning
> >
> > Thanks
> >
> > Andrew Watt MVP
| 12-04-2006 | #5 (permalink) |
Re: Error when signing a PowerShell script

The native Windows APIs do not support importing certificates from smart cards, which means that the .NET Framework does not, either. Which means that PowerShell does not, either. It only supports them from the "LocalMachine" and "CurrentUser" stores. If you can manually export your certificate from the Smartcard (and then store it in the CurrentUser store,) you will be able to use PowerShell's facilities.

Current solutions that enable this use the CAPICOM framework.

--
Lee Holmes [MSFT]
Windows PowerShell Development
Microsoft Corporation
This posting is provided "AS IS" with no warranties, and confers no rights.

"Andrew Watt [MVP]" <SVGDeveloper@aol.com> wrote in message news:0249n2p6audlqlu5ojklu170vmr3uq3ls2@4ax.com...

> Mike,
>
> It may mean that you're stuck.
>
> I know of only two ways to identify a certificate to be used when signing scripts in PowerShell. One is using the get-pfxcertificate cmdlet (you say you're not allowed to use PFX files) or using get-childitem in the cert: drive.
>
> There may be a way to get your smartcard certificate to be seen in the cert: drive but I am not aware of it. Perhaps someone else can help you on that. Anyone?
>
> What is your scenario? Do you need to sign to distribute scripts?
>
> Andrew Watt MVP
>
> On Mon, 4 Dec 2006 13:00:01 -0800, Mike <Mike@discussions.microsoft.com> wrote:
>
> > Andrew,
> >
> > No it doesn't. What does that mean? Thanks.
> >
> > "Andrew Watt [MVP]" wrote:
> >
> > > On Mon, 4 Dec 2006 12:18:01 -0800, Mike <Mike@discussions.microsoft.com> wrote:
> > >
> > > > I am attempting to digitally sign a PowerShell script with a PKI certificate from a smartcard and it is failing with an error. I was always able to do this with no problem for VBA code (e.g. an Excel VBA script), the difference being that the signing was done via a GUI interface and I had to enter my PIN.
> > > >
> > > > The error I am receiving is "Cannot sign code. The specified certificate is not suitable for code signing." I looked at the certificate in Internet Explorer and verified that it was enabled for code signing.
> > > >
> > > > We are not allowed to use Pfx certificates or self-signed certificates in our environment so those are not an option. Any ideas? Thanks.
> > >
> > > If you run the following commands in PowerShell does your certificate show up?
> > >
> > >     cd cert:
> > >     get-childitem -recurse -codesigning
> > >
> > > Thanks
> > >
> > > Andrew Watt MVP
| 12-05-2006 | #6 (permalink) |
Re: Error when signing a PowerShell script

Andrew,

The funny thing is that I do see my cert in the cert: drive which I would expect because I had to register the certificate from my smartcard on my computer. We have to do this so we can get to websites that only allow smartcard logon.

I've had to change the details for obvious reasons but here is what I see when I type cd cert:\CurrentUser\my;get-childitem (without the -codesigning parameter):

    Subject      : CN=DOE.JOHN.X.1234567890, OU=USA, OU=PKI, OU=XXX, O=XYZ Corporation, C=US
    Issuer       : CN=XYZ CLASS 3 CA-9, OU=PKI, OU=XXX, O=XYZ Corporation, C=US
    Thumbprint   : 1234567890123456789012345678901234567890
    FriendlyName :
    NotBefore    : 1/15/2006 7:00:00 PM
    NotAfter     : 1/15/2009 6:59:59 PM
    Extensions   : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid...}

The reason I really need for this to work is that our security environment is very restrictive. I already know that the execution policy for PowerShell is going to be set to allsigned. If I'm not able to sign the scripts, we won't be able to use PowerShell which really concerns me for the future.

"Andrew Watt [MVP]" wrote:

> Mike,
>
> It may mean that you're stuck.
>
> I know of only two ways to identify a certificate to be used when signing scripts in PowerShell. One is using the get-pfxcertificate cmdlet (you say you're not allowed to use PFX files) or using get-childitem in the cert: drive.
>
> There may be a way to get your smartcard certificate to be seen in the cert: drive but I am not aware of it. Perhaps someone else can help you on that. Anyone?
>
> What is your scenario? Do you need to sign to distribute scripts?
>
> Andrew Watt MVP
>
> On Mon, 4 Dec 2006 13:00:01 -0800, Mike <Mike@discussions.microsoft.com> wrote:
>
> > Andrew,
> >
> > No it doesn't. What does that mean? Thanks.
> >
> > "Andrew Watt [MVP]" wrote:
> >
> > > On Mon, 4 Dec 2006 12:18:01 -0800, Mike <Mike@discussions.microsoft.com> wrote:
> > >
> > > > I am attempting to digitally sign a PowerShell script with a PKI certificate from a smartcard and it is failing with an error. I was always able to do this with no problem for VBA code (e.g. an Excel VBA script), the difference being that the signing was done via a GUI interface and I had to enter my PIN.
> > > >
> > > > The error I am receiving is "Cannot sign code. The specified certificate is not suitable for code signing." I looked at the certificate in Internet Explorer and verified that it was enabled for code signing.
> > > >
> > > > We are not allowed to use Pfx certificates or self-signed certificates in our environment so those are not an option. Any ideas? Thanks.
> > >
> > > If you run the following commands in PowerShell does your certificate show up?
> > >
> > >     cd cert:
> > >     get-childitem -recurse -codesigning
> > >
> > > Thanks
> > >
> > > Andrew Watt MVP
| 12-05-2006 | #7 (permalink) |
Re: Error when signing a PowerShell script

Lee,

My certificate does show up in the CurrentUser store. You can see it if you type get-childitem but you can't see it if you type get-childitem -codesigning. See my reply to Andrew above for more information. Thanks.

"Lee Holmes [MSFT]" wrote:

> The native Windows APIs do not support importing certificates from smart cards, which means that the .NET Framework does not, either. Which means that PowerShell does not, either. It only supports them from the "LocalMachine" and "CurrentUser" stores. If you can manually export your certificate from the Smartcard (and then store it in the CurrentUser store,) you will be able to use PowerShell's facilities.
>
> Current solutions that enable this use the CAPICOM framework.
>
> --
> Lee Holmes [MSFT]
> Windows PowerShell Development
> Microsoft Corporation
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> "Andrew Watt [MVP]" <SVGDeveloper@aol.com> wrote in message news:0249n2p6audlqlu5ojklu170vmr3uq3ls2@4ax.com...
>
> > Mike,
> >
> > It may mean that you're stuck.
> >
> > I know of only two ways to identify a certificate to be used when signing scripts in PowerShell. One is using the get-pfxcertificate cmdlet (you say you're not allowed to use PFX files) or using get-childitem in the cert: drive.
> >
> > There may be a way to get your smartcard certificate to be seen in the cert: drive but I am not aware of it. Perhaps someone else can help you on that. Anyone?
> >
> > What is your scenario? Do you need to sign to distribute scripts?
> >
> > Andrew Watt MVP
> >
> > On Mon, 4 Dec 2006 13:00:01 -0800, Mike <Mike@discussions.microsoft.com> wrote:
> >
> > > Andrew,
> > >
> > > No it doesn't. What does that mean? Thanks.
> > >
> > > "Andrew Watt [MVP]" wrote:
> > >
> > > > On Mon, 4 Dec 2006 12:18:01 -0800, Mike <Mike@discussions.microsoft.com> wrote:
> > > >
> > > > > I am attempting to digitally sign a PowerShell script with a PKI certificate from a smartcard and it is failing with an error. I was always able to do this with no problem for VBA code (e.g. an Excel VBA script), the difference being that the signing was done via a GUI interface and I had to enter my PIN.
> > > > >
> > > > > The error I am receiving is "Cannot sign code. The specified certificate is not suitable for code signing." I looked at the certificate in Internet Explorer and verified that it was enabled for code signing.
> > > > >
> > > > > We are not allowed to use Pfx certificates or self-signed certificates in our environment so those are not an option. Any ideas? Thanks.
> > > >
> > > > If you run the following commands in PowerShell does your certificate show up?
> > > >
> > > >     cd cert:
> > > >     get-childitem -recurse -codesigning
> > > >
> > > > Thanks
> > > >
> > > > Andrew Watt MVP
| 12-05-2006 | #8 (permalink) |
Re: Error when signing a PowerShell script

The key you see in CurrentUser is likely used for client authentication (i.e.: your computer to another computer,) or an Encrypting File System certificate.

If you view the certificate in certmgr.msc, a code signing certificate has the following for "intended purposes":

- Ensures software came from software publisher
- Protects software from alteration after publication

--
Lee Holmes [MSFT]
Windows PowerShell Development
Microsoft Corporation
This posting is provided "AS IS" with no warranties, and confers no rights.

"Mike" <Mike@discussions.microsoft.com> wrote in message news:6BFEE992-D3EC-4C81-B559-AD4069014501@microsoft.com...

> Andrew,
>
> The funny thing is that I do see my cert in the cert: drive which I would expect because I had to register the certificate from my smartcard on my computer. We have to do this so we can get to websites that only allow smartcard logon.
>
> I've had to change the details for obvious reasons but here is what I see when I type cd cert:\CurrentUser\my;get-childitem (without the -codesigning parameter):
>
>     Subject      : CN=DOE.JOHN.X.1234567890, OU=USA, OU=PKI, OU=XXX, O=XYZ Corporation, C=US
>     Issuer       : CN=XYZ CLASS 3 CA-9, OU=PKI, OU=XXX, O=XYZ Corporation, C=US
>     Thumbprint   : 1234567890123456789012345678901234567890
>     FriendlyName :
>     NotBefore    : 1/15/2006 7:00:00 PM
>     NotAfter     : 1/15/2009 6:59:59 PM
>     Extensions   : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid...}
>
> The reason I really need for this to work is that our security environment is very restrictive. I already know that the execution policy for PowerShell is going to be set to allsigned. If I'm not able to sign the scripts, we won't be able to use PowerShell which really concerns me for the future.
>
> "Andrew Watt [MVP]" wrote:
>
> > Mike,
> >
> > It may mean that you're stuck.
> >
> > I know of only two ways to identify a certificate to be used when signing scripts in PowerShell. One is using the get-pfxcertificate cmdlet (you say you're not allowed to use PFX files) or using get-childitem in the cert: drive.
> >
> > There may be a way to get your smartcard certificate to be seen in the cert: drive but I am not aware of it. Perhaps someone else can help you on that. Anyone?
> >
> > What is your scenario? Do you need to sign to distribute scripts?
> >
> > Andrew Watt MVP
> >
> > On Mon, 4 Dec 2006 13:00:01 -0800, Mike <Mike@discussions.microsoft.com> wrote:
> >
> > > Andrew,
> > >
> > > No it doesn't. What does that mean? Thanks.
> > >
> > > "Andrew Watt [MVP]" wrote:
> > >
> > > > On Mon, 4 Dec 2006 12:18:01 -0800, Mike <Mike@discussions.microsoft.com> wrote:
> > > >
> > > > > I am attempting to digitally sign a PowerShell script with a PKI certificate from a smartcard and it is failing with an error. I was always able to do this with no problem for VBA code (e.g. an Excel VBA script), the difference being that the signing was done via a GUI interface and I had to enter my PIN.
> > > > >
> > > > > The error I am receiving is "Cannot sign code. The specified certificate is not suitable for code signing." I looked at the certificate in Internet Explorer and verified that it was enabled for code signing.
> > > > >
> > > > > We are not allowed to use Pfx certificates or self-signed certificates in our environment so those are not an option. Any ideas? Thanks.
> > > >
> > > > If you run the following commands in PowerShell does your certificate show up?
> > > >
> > > >     cd cert:
> > > >     get-childitem -recurse -codesigning
> > > >
> > > > Thanks
> > > >
> > > > Andrew Watt MVP
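The thread turns on a certificate that is listed by get-childitem but not by get-childitem -codesigning. As an added example (not posted by anyone in the thread), the script below lists each certificate in CurrentUser\My with its Enhanced Key Usage values and reports whether it has a private key and the Code Signing usage (OID 1.3.6.1.5.5.7.3.3). The function name Get-CertSigningReport and the path .\example.ps1 are placeholders.

```powershell
# Added example, not from the thread. Get-CertSigningReport is a hypothetical name.
$CodeSigningOid = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning

function Get-CertSigningReport {
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    Get-ChildItem -Path $StorePath |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
        ForEach-Object {
            $cert = $_
            # Collect the OIDs from the Enhanced Key Usage (EKU) extension, if present.
            $ekus = @(
                foreach ($ext in $cert.Extensions) {
                    if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                        foreach ($oid in $ext.EnhancedKeyUsages) { $oid }
                    }
                }
            )
            # Assumption: a certificate with no EKU extension is reported as lacking
            # the usage; the thread does not say how PowerShell treats that case.
            $hasCodeSigning = @($ekus | Where-Object { $_.Value -eq $CodeSigningOid }).Count -gt 0

            [pscustomobject]@{
                Subject        = $cert.Subject
                Thumbprint     = $cert.Thumbprint
                HasPrivateKey  = $cert.HasPrivateKey
                HasCodeSigning = $hasCodeSigning
                Purposes       = ($ekus | ForEach-Object {
                                     if ($_.FriendlyName) { $_.FriendlyName } else { $_.Value }
                                 }) -join '; '
            }
        }
}

$report = Get-CertSigningReport
$report | Format-List

# Sign only when a suitable certificate exists; .\example.ps1 is a placeholder path.
$signer = $report |
    Where-Object { $_.HasPrivateKey -and $_.HasCodeSigning } |
    Select-Object -First 1
if ($signer) {
    $cert = Get-Item -Path ("Cert:\CurrentUser\My\" + $signer.Thumbprint)
    Set-AuthenticodeSignature -FilePath .\example.ps1 -Certificate $cert
} else {
    Write-Warning 'No certificate in CurrentUser\My has both a private key and the Code Signing EKU.'
}
```

A certificate whose Purposes column shows only usages such as client authentication or Encrypting File System matches the situation described in post #8.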