How to Sign PowerShell Scripts, Part 1
This guide explains everything you need to do to sign PowerShell scripts. In Part One, you will learn to deploy an enterprise certificate authority on Windows Server.
July 7, 2022
PowerShell execution policies exist to prevent you from accidentally running a script that is untrustworthy. The AllSigned policy, for example, prevents a script from running unless it has been digitally signed.
The easiest way to sign a PowerShell script is to use a self-signed certificate. You can create such a certificate by using the New-SelfSignedCertificate cmdlet. However, best practices have long advised against using self-signed certificates in production environments.
That being the case, I want to show you how to deploy an enterprise certificate authority (CA) on Windows Server, acquire a certificate from that CA, and then use the certificate to sign a PowerShell script.
Table of Contents
Part 1: Deploy an Enterprise CA on Windows Server
Let’s get started.
How To Set up the Certificate Authority
For the purposes of this article, I am assuming that you have a domain-joined Windows Server (with the Desktop Experience enabled) that can act as a CA. I am going to set up the CA using the GUI (as opposed to PowerShell) just for the sake of simplicity.
To set up the CA, open the Server Manager, then select Add Roles and Features from the Manage menu. When the Add Roles and Features wizard begins, repeatedly click Next to accept the defaults until you get to the Server Roles screen. When you reach Server Roles, select the Active Directory Certificate Services role, shown in Figure 1. Click the Add Features button to install the various dependency features.
PowerShell Signing 1-1
Figure 1. Install the Active Directory Certificate Services role.
Now click Next several times until you reach the Select Role Services screen. Make sure that the Certification Authority checkbox is selected. You will also need to select the Certification Authority Web Enrollment checkbox. When prompted, click Add Features, then click Next several times, followed by Install. When the installation process finished, click Close.
After the process has finished, you will be returned to the main Server Manager screen. Click on the Alert icon, which will show you need Post-deployment Configuration, as shown in Figure 2. Click on the Configure Active Directory Certificate Services link to begin this process.
PowerShell Signing 1-2
Figure 2. Click the Configure Active Directory Certificate Services link.
At this point, Windows will launch the Active Directory Certificate Services Configuration wizard. Click Next to bypass the Welcome screen. You will now be taken to a screen that asks which roles you want to configure. Select the Certification Authority and the Certification Authority Web Enrollment checkboxes, then click Next.
When prompted, choose Enterprise CA as the Setup type and click Next. You will then be asked to specify the type of CA that you are creating. Choose the Root CA option and click Next. Now choose the option to create a new private key, followed by Next.
You can click Next on the next several screens to accept the default values. However, if you are deploying a CA in a production environment, you should take a moment to consider whether the default values are appropriate for your organization. As you work through the process, make sure to note the CA’s friendly name. For the purposes of this guide, I will be using the name PoseyLab-CA.
When you reach the end of the wizard, click the Configure button. Windows will configure the certificate authority and then display a message like the one shown in Figure 3, indicating that the configuration process was successful.
PowerShell Signing 1-3
Figure 3. The configuration process was successful.
Now that the certificate authority is set up, we can move on to the next step, which is to acquire a certificate that can be used to sign a PowerShell script. I will show you how to do that in Part Two.
In the meantime, review the firewall rules on your CA to ensure they allow web traffic. Otherwise, you won’t be able to use the web interface to download the required certificate.
About the Author
You May Also Like