Welcome to Windows Vista Forums. Our forum is dedicated to helping you find solutions with any problems, errors or issues you are experiencing with Windows Vista. The Vista forum also covers news and updates and has an extensive Windows Vista tutorial section that covers a wide range of tips and tricks.
#1

Signing Powershell Scripts with Microsoft Certificate Authority

I'd like to sign my Powershell scripts and we have a Microsoft Certificate Authority root server in our AD domain. Doesn't this mean that all domain systems have the root certificate automatically installed on them?

That said, I'd like to sign my scripts, somehow, with this script. Most of the information on certs for Powershell code focuses on the steps for a self-created cert. I'm having a problem applying the steps to a cert that is created by our own server. Has anyone done this?

--
Sandy Wood
Orange County District Attorney
#2

Re: Signing Powershell Scripts with Microsoft Certificate Authority

On 2007-06-04 19:09:03 +0100, Sandy Wood <sandy.wood@nospam.com> said:

> I'd like to sign my Powershell scripts and we have a Microsoft
> Certificate Authority root server in our AD domain. Doesn't this mean
> that all domain systems have the root certificate automatically
> installed on them?
>
> That said, I'd like to sign my scripts, somehow, with this script. Most
> of the information on certs for Powershell code focuses on the steps for
> a self-created cert. I'm having a problem applying the steps to a cert
> that is created by our own server. Has anyone done this?

I'm not up to speed on MS Certificate Authority so I can't say if your clients will have the RootCA Cert.

As for getting a certificate - you need to create a request using the Certificates MMC snap-in (you will be prompted as to whether you want a cert for your user id or the machine). Make sure the request type is for code signing. Send the request to the MS RootCA admin and get them to sign it and send the completed certificate back. Once imported on your keychain you should be good to go.

n
#3

Re: Signing Powershell Scripts with Microsoft Certificate Authorit

So once I have the cert, do I put it in the Trusted Certs folder?

--
Sandy Wood
Orange County District Attorney

"Neil Chambers" wrote:

> On 2007-06-04 19:09:03 +0100, Sandy Wood <sandy.wood@nospam.com> said:
>
> > I'd like to sign my Powershell scripts and we have a Microsoft
> > Certificate Authority root server in our AD domain. Doesn't this mean
> > that all domain systems have the root certificate automatically
> > installed on them?
> >
> > That said, I'd like to sign my scripts, somehow, with this script. Most
> > of the information on certs for Powershell code focuses on the steps for
> > a self-created cert. I'm having a problem applying the steps to a cert
> > that is created by our own server. Has anyone done this?
>
> I'm not up to speed on MS Certificate Authority so I can't say if your
> clients will have the RootCA Cert.
>
> As for getting a certificate - you need to create a request using the
> Certificates MMC snap-in (you will be prompted as to whether you want a
> cert for your user id or the machine). Make sure the request type is
> for code signing. Send the request to the MS RootCA admin and get them
> to sign it and send the completed certificate back. Once imported on
> your keychain you should be good to go.
>
> n
#4

Re: Signing Powershell Scripts with Microsoft Certificate Authorit

On 2007-06-04 21:26:00 +0100, Sandy Wood <sandy.wood@nospam.com> said:

> So once I have the cert, do I put it in the Trusted Certs folder?

I have mine installed under the Current User context in Personal/Certificates
#5

Re: Signing Powershell Scripts with Microsoft Certificate Authorit

OK, I see. So I would imagine if I was running a script under some other credentials, say a service account, I should really get a cert for that user on the specific system that the script was going to be run on?

--
Sandy Wood
Orange County District Attorney

"Neil Chambers" wrote:

> On 2007-06-04 21:26:00 +0100, Sandy Wood <sandy.wood@nospam.com> said:
>
> > So once I have the cert, do I put it in the Trusted Certs folder?
>
> I have mine installed under the Current User context in Personal/Certificates
#6

Re: Signing Powershell Scripts with Microsoft Certificate Authorit

On 2007-06-05 15:16:01 +0100, Sandy Wood <sandy.wood@nospam.com> said:

> OK, I see. So I would imagine if I was running a script under some
> other credentials, say a service account, I should really get a cert
> for that user on the specific system that the script was going to be
> run on?

The creds you run the script under won't have any bearing on the signature of the script. All you are trying to do when you sign a script is supply some form of identification. As long as the computer running the script has a suitable (PoSH) execution policy and is configured to trust your RootCA, then script execution should run smoothly.

All I'm interested in when signing a script is how someone can further identify the source of the script so that they know it to be legitimate and whose wrists to slap if it causes havoc ;-)

n
#7

Re: Signing Powershell Scripts with Microsoft Certificate Authorit

OK, I see. That makes sense.

--
Sandy Wood
Orange County District Attorney

"Neil Chambers" wrote:

> On 2007-06-05 15:16:01 +0100, Sandy Wood <sandy.wood@nospam.com> said:
>
> > OK, I see. So I would imagine if I was running a script under some
> > other credentials, say a service account, I should really get a cert
> > for that user on the specific system that the script was going to be
> > run on?
>
> The creds you run the script under won't have any bearing on the
> signature of the script. All you are trying to do when you sign a
> script is supply some form of identification. As long as the computer
> running the script has a suitable (PoSH) execution policy and is
> configured to trust your RootCA, then script execution should run
> smoothly.
>
> All I'm interested in when signing a script is how someone can further
> identify the source of the script so that they know it to be legitimate
> and whose wrists to slap if it causes havoc ;-)
>
> n
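The signing steps discussed in this thread, as an added PowerShell example that is not part of any poster's message. It assumes a code-signing certificate issued by the domain CA is already installed under Current User, Personal/Certificates; the script path and its contents are constructed for illustration.

```powershell
# Added example. Assumes a code-signing certificate from the domain CA is
# already in the Current User "Personal" store (Cert:\CurrentUser\My).
$ErrorActionPreference = 'Stop'

# Constructed sample script to sign (hypothetical path and content).
$scriptPath = Join-Path $env:TEMP 'Signed-Example.ps1'
Set-Content -Path $scriptPath -Value 'Write-Output "hello from a signed script"'

# Pick a currently valid code-signing certificate that has a private key.
$now  = Get-Date
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) {
    throw 'No usable code-signing certificate in Cert:\CurrentUser\My.'
}

# Build the chain as a client would and confirm it ends in a root this
# machine trusts (the domain root CA in the thread's scenario).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($cert)) {
    $problems = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    throw "Certificate chain is not trusted on this machine: $problems"
}
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
"Signing as : $($cert.Subject)"
"Chains to  : $($root.Subject)"

# Sign the script, then read the signature back and check its status.
$null = Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $cert
$sig  = Get-AuthenticodeSignature -FilePath $scriptPath
if ($sig.Status -ne 'Valid') {
    throw "Signature status is $($sig.Status): $($sig.StatusMessage)"
}

# Change the signed body and re-check: an edited script must not verify.
(Get-Content $scriptPath) -replace 'hello', 'HELLO' | Set-Content $scriptPath
$edited = Get-AuthenticodeSignature -FilePath $scriptPath
if ($edited.Status -eq 'Valid') { throw 'Edited script still verifies.' }
"After edit : $($edited.Status)"

# The policy in effect decides whether signatures are required at all.
"Policy     : $(Get-ExecutionPolicy)"
```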