One of the biggest features that sets PowerShell apart from other scripting languages is the ability to ensure that a script CAN be trusted.  By signing a script with a certificate you can ensure that scripts meant to run on a particular machine come only from that machine, or more particularly from within your department, division or company.

What stops most of us from doing this is usually cost (certificates usually cost money) or just a lack of knowledge.

Well guess what?  We’re going to put that knowledge in your hands, and it DOESN’T have to cost anything.   You don’t even need a Domain or Certificate infrastructure just to USE this.

Because the tool is free, the instructions are free.   You can buy a certificate of course but if you’re a small business, you may not want to incur that cost to run scripts on a single server.

What do you need to do this?

The freely downloadable Windows SDK for your version of Windows (I don’t think you need to download the entire kit) and PowerShell.

That’s it.   Oh and a few minutes time.

The instructions are sitting right inside PowerShell too if you want to read up on them.   I found the easiest way was to just use the PowerShell ISE Help System and search for “digital” or “signature”, and you’ll see a reference to “about_Signing”.   There are your instructions.   But here’s the quick version.

Run these two commands, and when prompted for a password, key one in.  The first creates a local root certificate and puts it in the machine’s Trusted Root store; the second creates the code-signing certificate (issued by that root) in your personal store.  The trailing backtick is PowerShell’s line-continuation character, and 1.3.6.1.5.5.7.3.3 is the standard code-signing enhanced key usage OID that makecert’s -eku switch requires.

makecert -n "CN=PowerShell Local Certificate Root" -a sha1 `
  -eku 1.3.6.1.5.5.7.3.3 -r -sv root.pvk root.cer `
  -ss Root -sr localMachine

makecert -pe -n "CN=PowerShell User" -ss MY -a sha1 `
  -eku 1.3.6.1.5.5.7.3.3 -iv root.pvk -ic root.cer

To verify it was created correctly:

Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert

Once you know the cert is there and working, you can digitally sign your PowerShell scripts:

$cert = @(Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert)[0]

Set-AuthenticodeSignature NAMEOFSCRIPT.PS1 $cert

This takes the script called NAMEOFSCRIPT.PS1 and digitally signs it.  That’s it!

Now you can lock down execution of PowerShell scripts in that environment:

Set-ExecutionPolicy -ExecutionPolicy AllSigned

You now have a server running scripts securely, and in such a way that unless the scripts are signed with a certificate they can’t run automatically.
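As an added example (not from the original post), here is the whole procedure’s payoff checked end to end: sign a constructed sample script with the "CN=PowerShell User" certificate created above, verify the signature the same way the engine does under AllSigned, then edit the signed file and watch the check fail.  It assumes the two makecert commands have already been run on this machine.

```powershell
# Added example, not part of the original post. Assumes the makecert steps
# above have been completed (root in LocalMachine\Root, user cert in CurrentUser\My).

# Constructed sample script to sign; any .ps1 would do.
$scriptPath = Join-Path $env:TEMP 'Hello-Signed.ps1'
Set-Content -Path $scriptPath -Value 'Write-Output "Hello from a signed script"'

# Select the code-signing cert by subject instead of blindly taking [0],
# so a second code-signing cert in the store cannot be picked by accident.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.Subject -eq 'CN=PowerShell User' } |
    Select-Object -First 1
if (-not $cert) { throw 'No "CN=PowerShell User" code-signing certificate found.' }

# Sign the script. The signature is appended to the file as a comment block.
$signed = Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $cert
"Signing status : $($signed.Status)"            # Valid if the root is trusted

# Verify independently; this is the check AllSigned performs before running it.
$check = Get-AuthenticodeSignature -FilePath $scriptPath
"Verify status  : $($check.Status)"
"Signed by      : $($check.SignerCertificate.Subject)"

# Change one character of the script body (before the signature block) and
# re-check: the file hash no longer matches the signed hash, so the engine
# reports HashMismatch and refuses to run the script under AllSigned.
(Get-Content -Path $scriptPath) -replace 'Hello from', 'Hello edited' |
    Set-Content -Path $scriptPath
$tampered = Get-AuthenticodeSignature -FilePath $scriptPath
"After edit     : $($tampered.Status)"          # HashMismatch
```

Because every script signed with root.pvk is now trusted on this machine, keep that private key file off the server and away from anyone who should not be able to sign scripts.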

And I wasn’t kidding either.  It WAS easy!


The Energized Tech