Windows 10: Secure Credentials with Self-Signed Certificates for PowerShell Script

Read more: Secure Credentials with Self-Signed Certificates for PowerShell Scripts | Ask Premier Field Engineering (PFE) Platforms

:)

 

How to sign Powershell profile w/ self-signed certificate?


I currently have my execution-policy set to AllSigned. I don't want to change it or bypass that restriction.

When I created my profile script--or whatever it's called--I wanted to do so in order to set permanent aliases.

For whatever reason, Microsoft has made it an ever increasingly difficult endeavor just to create permanent aliases.

The problem now is that it won't run the script because it isn't digitally signed.

I attempted to make a self-signed certificate to sign the blasted thing but I never got anywhere.

I've looked at a few guides online but they all assume I'm in a server environment or something (which means the steps keep changing or involve unnecessary steps).

In the end, I wound up with a code-signing cert and the thing is in my current-user cert store.

I'm trying to get this to work on my Windows 10 Pro desktop but I haven't a clue as to what I'm actually supposed to be doing.

Is it even possible to get what I'm asking for? *Confused

P.S. - I have no experience with either Powershell or certificates. The only reason I know what I've mentioned so far is because I spent 2-3 minutes glossing over the help files. My knowledge of PKI has me understanding that you need a private key to sign something, but I can't even get the certificate to validate my own key so it's kind of getting me flustered at this point.

 

How to sign Powershell profile w/ self-signed certificate?


POWERSHELL ONLY SOLUTION:

The following is a powershell-only solution which will not require the installation of extra software/tools/features (at least on Windows 10):

#Open up a Powershell window—with Admin privileges—and run the following to create the self-signed certificate and save it to the PS variable of your choice. Below, the naming distinction mycert is used. I recommend that or just copy/paste the code.
Code:

Code:

$mycert = New-SelfSignedCertificate  -Subject "CN=PowerShell signing example" `                -KeyAlgorithm RSA -KeyLength 2048   -Type CodeSigningCert `                  -CertStoreLocation Cert:\LocalMachine\My\ 

#Next, to verify the certificate was created, simply type the variable you just created.
#For example, the above would be $cert
#Hit enter, and the thing should print out a thumbprint to the screen.

#Now, with that outta the way, you need to move the certificate you just created the root cert store on your machine.
#To do this, run the following command (take note of the variable name; i.e. use what you used above):
Code:

Code:

Move-Item "Cert:\LocalMachine\My\$($mycert.Thumbprint)" Cert:\LocalMachine\Root

#Finally, with that out of the way, you can sign your script with the following command

Code:

Code:

set-AuthenticodeSignature C:\Path\To\Script\test.ps1 $mycert

Once you run that command, you should receive output on the console displaying the successful signing.

Incidentally, I had tried this route before but kept failing because I didn't move the certificate to the root cert store. Now I know.

In the end, I don't feel better about this compared to having just changed the execution-policy.

For those interested in the guide referenced for this method, please visit this link.

For those interested in the guide referenced for the first method (on page 1), click this link.

P.S. - I knew the code I used looked familiar, and I eventually wound up finding (piece by piece) the entire guide on another site.

P.P.S. - We shouldn't be required to do all of this just to get a few permanent aliases in Powershell.