Creating Self-Signed Code Signing Certificates

If you’d like to digitally sign your scripts, the first thing you need is a digital certificate with the designated purpose set to “Code Signing”. To play, you can easily create your own free self-signed certificates. Don’t expect anyone else to trust them, as anyone can create them. They are a great way to test-drive code signing.

Beginning in PowerShell 4, the cmdlet New-SelfSignedCertificate can create code signing certificates for you. The code below creates a PFX file that contains both the private and public key:

#requires -Version 5

# this is where the cert file will be saved
$Path = "$env:temp\codeSignCert.pfx"

# you'll need this password to load the PFX file later
$Password = Read-Host -Prompt 'Enter new password to protect certificate' -AsSecureString

# create cert, export to file, then delete again
$cert = New-SelfSignedCertificate -KeyUsage DigitalSignature -KeySpec Signature -FriendlyName 'IT Sec Department' -Subject CN=SecurityDepartment -KeyExportPolicy ExportableEncrypted -CertStoreLocation Cert:\CurrentUser\My -NotAfter (Get-Date).AddYears(5) -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.3')
$cert | Export-PfxCertificate -Password $Password -FilePath $Path
$cert | Remove-Item

In the upcoming tips, we’ll take a look at what you can do with the newly created certificate.

Twitter This Tip! ReTweet this Tip!