Signing Scripts

A script must be signed by an authority trusted by the console in order to be imported or executed by Security Controls. All scripts provided with Security Controls are signed by Ivanti. During the installation of Security Controls, the Ivanti certificate is added to the trusted certificate store on the console machine.

You must sign scripts that you create before importing them into Security Controls. To do this, you need a signing certificate. That certificate must be issued by an authority that is in the trust list for the console(s) that are going to execute the scripts you create.

This section will describe one way to create a signing certificate and add it to the trusted certificates on the console.

Creating a Self-Signing Certificate Authority

This section will describe how to generate a certificate authority that can issue signing certificates. You can use this authority to generate a signing certificate that is used internally in your organization.

This method uses the MakeCert.exe utility from Microsoft. This tool is installed with Visual Studio and with the Windows SDK. See http://msdn.microsoft.com/en-us/library/ms229859.aspx for information on opening a Visual Studio or Windows SDK command prompt.

From a Visual Studio or Windows SDK command prompt, enter the following command on a single line:

makecert -n "CN=PowerShell Local Certificate Root" -a sha1 -eku 1.3.6.1.5.5.7.3.3 -r -sv root.pvk -ss Root -sr localMachine root.cer

You may substitute another string for the certificate name ("CN=xxx"). SHA-1 is deprecated for certificate signatures; where your MakeCert version accepts it, use -a sha256 instead of -a sha1.

This command will:

1.Create a private key file named root.pvk (the name is set by the -sv option). This file is the private key of your certificate authority: anyone who obtains it can issue signing certificates that every console trusting this root will accept, so store it offline or under strict access control.

2.Create the certificate file named root.cer (the name is the final argument on the command line).

3.Add the certificate to the Trusted Root Certification Authorities store (-ss Root) of the local machine (-sr localMachine). Writing to the local machine store requires an elevated (Run as administrator) command prompt. Because every certificate issued by this root will be trusted for code signing on the console, only add a root you control and can protect.

You can use the Certificates snap-in for the Microsoft Management Console to inspect or delete certificates.

See http://msdn.microsoft.com/en-us/library/bfsktky3(v=VS.100).aspx for details of the MakeCert utility.

Creating a Signing Certificate

The next step is to create the signing certificate, issued by the root you just created. To do so, enter the following at the command prompt, on a single line:

makecert -pe -n "CN=PowerShell User" -ss MY -a sha1 -eku 1.3.6.1.5.5.7.3.3 -iv root.pvk -ic root.cer

Again, you can substitute a different certificate name. The -iv argument names the issuer's private key file and the -ic argument names the issuer's certificate file; both must be the files created by the -sv option and the final argument of the preceding command (root.pvk and root.cer above). The -pe option marks the new private key as exportable, which you will need later if you want to export the certificate to a PFX file.

This certificate is added to the store specified following the -ss argument. In this case, MY is the Personal store, and because no -sr argument is given it is the Personal store of the current user. You can verify this using the Certificates snap-in for the Microsoft Management Console by looking under Certificates - Current User > Personal > Certificates.

You can also verify the certificate from within PowerShell by entering the following command:

Get-ChildItem cert:\CurrentUser\My -codesigning | Where-Object {$_.Subject -match "CN=PowerShell User"}

If the certificate is found, the command displays the thumbprint and subject of the certificate. If nothing is displayed, check that the subject string matches the name you gave on the makecert command and that the certificate was created in the current user's Personal store.
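Microsoft has deprecated MakeCert.exe and it is no longer shipped with current SDKs. The following is an added example, not part of the Ivanti documentation, that performs the same two steps (a self-signed root, then a code-signing certificate issued by that root, with the root placed in the local machine's trusted root store) using the New-SelfSignedCertificate cmdlet. It assumes Windows 10 / Windows Server 2016 or later, where the -Signer parameter is available, and an elevated prompt for the import into the LocalMachine Root store. The subject names, validity periods and temporary file path are placeholders.

```powershell
# Added example, not from the Ivanti documentation.
# Equivalent of the two makecert commands above using New-SelfSignedCertificate.
# Assumes Windows 10 / Server 2016+ (for -Signer) and an elevated prompt for step 3.
$ErrorActionPreference = 'Stop'

# 1. Root CA: self-signed, allowed to sign certificates, SHA-256.
#    The basic-constraints text extension (ca=true) is assumed syntax for the
#    2.5.29.19 OID; it marks the certificate as a CA.
$root = New-SelfSignedCertificate `
    -Subject 'CN=PowerShell Local Certificate Root' `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyUsage CertSign, CRLSign, DigitalSignature `
    -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 `
    -NotAfter (Get-Date).AddYears(5) `
    -TextExtension @('2.5.29.19={critical}{text}ca=true&pathlength=0')

# 2. Signing certificate issued by the root. -Type CodeSigningCert sets the
#    code-signing EKU (1.3.6.1.5.5.7.3.3); Exportable is the equivalent of makecert -pe.
$signer = New-SelfSignedCertificate `
    -Type CodeSigningCert `
    -Subject 'CN=PowerShell User' `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -Signer $root `
    -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 `
    -NotAfter (Get-Date).AddYears(2)

# 3. Trust the root on this console: export only the public certificate
#    (no private key) and import it into the machine's Trusted Root store.
$rootCer = Join-Path $env:TEMP 'root.cer'   # placeholder path
Export-Certificate -Cert $root -FilePath $rootCer | Out-Null
Import-Certificate -FilePath $rootCer -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 4. The root's private key should not stay in the everyday Personal store.
#    Export it to a password-protected PFX kept offline, then remove it;
#    uncomment once you have chosen a safe location for root.pfx.
# Export-PfxCertificate -Cert $root -FilePath root.pfx -Password (Read-Host -AsSecureString -Prompt 'Root PFX password') | Out-Null
# Remove-Item -Path $root.PSPath

# 5. Confirm the signing certificate is present, valid for code signing, and
#    issued by the root (same check as the Get-ChildItem command above).
Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.Subject -eq 'CN=PowerShell User' } |
    Select-Object Subject, Issuer, Thumbprint, NotAfter
```

The root certificate ends up in the same place as with makecert -ss Root -sr localMachine, and the signing certificate in the current user's Personal store, so the signing commands in the following sections work unchanged.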

Signing a Script

This section will describe how to sign a script file from a PowerShell prompt or within the PowerShell ISE.

From the PowerShell command prompt, change to the directory containing your script file. In this example, it is named test-script.ps1. Then enter the following two commands.

The first command should be entered on a single line. The CN=PowerShell User string should match the name you specified when creating the signing certificate.

$cert = @(Get-ChildItem cert:\CurrentUser\My -codesigning | Where-Object {$_.Subject -match "CN=PowerShell User"})[0]

Set-AuthenticodeSignature .\test-script.ps1 $cert

The first command locates the certificate in the certificate store. The second command signs the script using that certificate. If $cert is empty after the first command, the certificate was not found and the second command will fail; check the subject string and the store before continuing. Set-AuthenticodeSignature reports a Status of Valid when the script was signed and the certificate chains to a trusted root on this machine.

Signing the script will add a block at the end of the script that looks similar to this:

# SIG # Begin signature block
# MIIEMwYJKoZIhvcNAQcCoIIEJDCCBCACAQExCzAJBgUrDgMCGgUAMGkGCisGAQQB
# gjcCAQSgWzBZMDQGCisGAQQBgjcCAR4wJgIDAQAABBAfzDtgWUsITrck0sYpfvNR
# AgEAAgEAAgEAAgEAAgEAMCEwCQYFKw4DAhoFAAQU4QyppfQY+5HviH7wuIBvvmRf
……
# SIG # End signature block

The signature covers the content of the script above this block. If you make any changes to the script, even to a comment, the stored hash no longer matches and you will need to re-sign it.
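The following is an added example, not part of the Ivanti documentation, that wraps the two commands above with the checks a practitioner wants: it fails if the certificate is missing or expired rather than silently signing with $null, verifies the signature with Get-AuthenticodeSignature, and then edits the signed script to show the HashMismatch status that makes re-signing necessary. The subject name, the script path and the timestamp server URL are placeholders; the timestamp line is commented out so the example runs without network access.

```powershell
# Added example, not from the Ivanti documentation.
# Assumes a code-signing certificate 'CN=PowerShell User' (placeholder) in the
# current user's Personal store and a script test-script.ps1 in the current directory.
$ErrorActionPreference = 'Stop'
$subject = 'CN=PowerShell User'
$script  = '.\test-script.ps1'

# Locate exactly one unexpired code-signing certificate for the subject.
# Indexing an empty result with [0] would yield $null and a confusing error later.
$certs = @(Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
           Where-Object { $_.Subject -eq $subject -and $_.NotAfter -gt (Get-Date) })
if ($certs.Count -ne 1) {
    throw "Expected one valid code-signing certificate for '$subject', found $($certs.Count)"
}
$cert = $certs[0]

# Sign with SHA-256. An RFC 3161 timestamp keeps the signature valid after the
# certificate expires; it needs network access, so it is optional here.
$signParams = @{ FilePath = $script; Certificate = $cert; HashAlgorithm = 'SHA256' }
# $signParams.TimestampServer = 'http://timestamp.digicert.com'   # example TSA URL
$sig = Set-AuthenticodeSignature @signParams
if ($sig.Status -ne 'Valid') {
    throw "Signing failed: $($sig.Status) - $($sig.StatusMessage)"
}

# Verification: Status must be Valid AND the signer must be the expected
# certificate, not merely any certificate the machine trusts.
function Test-ScriptSignature {
    param([string]$Path, [string]$ExpectedThumbprint)
    $s = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path    = $Path
        Status  = $s.Status   # Valid, NotSigned, HashMismatch, UnknownError (untrusted chain), ...
        Signer  = if ($s.SignerCertificate) { $s.SignerCertificate.Subject } else { $null }
        Trusted = ($s.Status -eq 'Valid' -and
                   $s.SignerCertificate.Thumbprint -eq $ExpectedThumbprint)
    }
}

Test-ScriptSignature -Path $script -ExpectedThumbprint $cert.Thumbprint   # Trusted = True

# Any change to the signed content invalidates the signature: insert a comment
# at the top of the file and check again. Status becomes HashMismatch.
$lines = Get-Content -Path $script
Set-Content -Path $script -Value (@('# edited after signing') + $lines)
Test-ScriptSignature -Path $script -ExpectedThumbprint $cert.Thumbprint   # Status = HashMismatch

# Re-signing restores a valid signature.
Set-AuthenticodeSignature @signParams | Out-Null
Test-ScriptSignature -Path $script -ExpectedThumbprint $cert.Thumbprint   # Trusted = True
```

Comparing the thumbprint, rather than only checking for Status = Valid, matters on a console whose trusted root store contains more than your own authority: a script signed by any other trusted code-signing certificate would also report Valid.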

Signing a Script Using a PFX File

If you'd like to sign scripts using the same signing certificate on multiple machines without installing the signing certificate in the certificate store of each machine, you can export it to a PFX (Personal Information Exchange) file. A PFX file contains the private key, so treat it like a password: protect it with a strong password, copy it only to machines that need to sign, and delete it when it is no longer needed. Note that the PFX replaces only the signing certificate; the console that runs the scripts must still trust the authority that issued it, as described in the first section.

To create a PFX file:

1.Run CertMgr.exe.

2.On the Personal tab, select the signing certificate.

3.Click Export.

4.On the first export wizard screen, click Next.

5.Select the Personal Information Exchange option. This option is only available if the private key was created as exportable (the -pe option on the makecert command).

If there is an Enable strong protection option, choose it.

6.Enter a password when prompted.

This password will be required whenever this PFX file is used to sign scripts.

7.When prompted, type a name for the PFX file.

To sign a script using the PFX file, enter the following commands in PowerShell:

$cert = Get-PfxCertificate mycert.pfx

Set-AuthenticodeSignature .\test-script.ps1 $cert

When prompted, supply the password you created in Step 6. The certificate is loaded for the current session only and is not added to a certificate store.
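The following is an added example, not part of the Ivanti documentation, that performs the PFX workflow from PowerShell instead of the CertMgr.exe wizard: Export-PfxCertificate writes the signing certificate and its private key to a password-protected PFX on the machine that holds it, and on the signing machine the PFX is loaded with the .NET X509Certificate2 constructor so that the password can be supplied without the interactive prompt of Get-PfxCertificate. It assumes the PKI module (Windows 8 / Windows Server 2012 or later), an exportable private key, and placeholder values for the subject, the PFX path and the script name.

```powershell
# Added example, not from the Ivanti documentation.
# Placeholders: subject name, PFX path, script name.
$ErrorActionPreference = 'Stop'
$subject = 'CN=PowerShell User'
$pfxPath = Join-Path $env:USERPROFILE 'mycert.pfx'

# ---- On the machine that holds the signing certificate ----
# Requires the private key to be exportable (makecert -pe).
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.Subject -eq $subject } | Select-Object -First 1
if (-not $cert) { throw "No code-signing certificate with subject '$subject'" }
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key to export' }

# Prompt for the PFX password; it never appears as plain text in the script.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# EndEntityCertOnly: export just the signing certificate, not the root.
# The root is distributed separately as root.cer (public part only).
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword `
    -ChainOption EndEntityCertOnly | Out-Null

# ---- On the signing machine (after copying mycert.pfx there) ----
# Loading with the X509Certificate2 constructor keeps the key in this session
# only; nothing is written to a certificate store, like Get-PfxCertificate.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$pfx = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
           $pfxPath, $pfxPassword)
if (-not $pfx.HasPrivateKey) { throw 'PFX does not contain a private key' }

$sig = Set-AuthenticodeSignature -FilePath .\test-script.ps1 -Certificate $pfx -HashAlgorithm SHA256

# Status is Valid only if this machine also trusts the issuing root.
# UnknownError with a message about an untrusted root means root.cer from the
# first section was never imported into this machine's Trusted Root store;
# the script is signed, but Security Controls on this console will not accept it.
$sig | Select-Object Status, StatusMessage, @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } }

# Remove the PFX from disk once the signing machine no longer needs it.
# Remove-Item -Path $pfxPath
```

Keep the two halves on their respective machines: only mycert.pfx travels to the signing machines, and only root.cer (without root.pvk) travels to the consoles that must trust the signed scripts.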