Last active
February 26, 2021 10:20
-
-
Save rjsocha/2de5405ed773cbac78dbe6d1d3761af9 to your computer and use it in GitHub Desktop.
PowerShell self-signed script
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # CA Generation | |
| # {hex}30030101FF => ASN.1 BasicConstraints: CA:TRUE | |
| # $asn1=([System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]::new($true, $flase, 0,$true)).RawData | |
| # $asn1 | Format-Hex -Encoding Ascii | |
| $ca_params =@{ | |
| "Type" = "Custom"; | |
| "Subject" = "CN=Local CA"; | |
| "FriendlyName" = "Local CA"; | |
| "KeyAlgorithm" = "RSA"; | |
| "KeyLength" = 2048; | |
| "KeyUsage" = "CertSign"; | |
| "TextExtension" = @("2.5.29.19={critical}{hex}30030101FF"); | |
| "NotAfter" = ((Get-Date).AddYears(10)); | |
| "CertStoreLocation" = "Cert:\CurrentUser\My"; | |
| } | |
| $root=New-SelfSignedCertificate @ca_params | |
| $root.ToString() | |
| # Certificate generation | |
| $cert_params =@{ | |
| "Signer" = $root; | |
| "Type" = "CodeSigningCert"; | |
| "Subject" = "CN=Code Signer"; | |
| "FriendlyName" = "Code Signer"; | |
| "KeyAlgorithm" = "RSA"; | |
| "KeyLength" = 2048; | |
| "KeyUsage" = "DigitalSignature"; | |
| "NotAfter" = ((Get-Date).AddYears(10)); | |
| "CertStoreLocation" = "Cert:\CurrentUser\My"; | |
| } | |
| $code=New-SelfSignedCertificate @cert_params | |
| $code.ToString() | |
| # tmp file | |
| $ca_file = [System.IO.Path]::GetTempFileName() | |
| # Export CA cert to trusted root | |
| Export-Certificate -Type CERT -Cert $root -FilePath $ca_file -Force | |
| # This require interactive confirmation by user | |
| Import-Certificate -CertStoreLocation Cert:\CurrentUser\Root -FilePath $ca_file | |
| # Export signer cert to trusted publishers | |
| Export-Certificate -Type CERT -Cert $code -FilePath $ca_file -Force | |
| Import-Certificate -CertStoreLocation Cert:\CurrentUser\TrustedPublisher -FilePath $ca_file | |
| # clean up | |
| Remove-Item $ca_file | |
| # $code=(Get-ChildItem cert:\CurrentUser\my -CodeSigningCert)[0] | |
| # sample script | |
| 'Write-Host "Hello, World!"' >.\sign_me.ps1 | |
| # Change execution policy for Windows client computers | |
| # https:/go.microsoft.com/fwlink/?LinkID=135170 | |
| Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope CurrentUser -Force | |
| # Default policy | |
| # Set-ExecutionPolicy -ExecutionPolicy Undefined -Scope CurrentUser -Force | |
| Set-AuthenticodeSignature .\sign_me.ps1 $code | |
| # run sample script | |
| .\sign_me.ps1 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment