How to sign PowerShell scripts, part 1

PowerShell execution policies exist to prevent you from accidentally running an untrusted script. The AllSigned policy, for example, prevents a script from running if it has not been digitally signed.

The easiest way to sign a PowerShell script is to use a self-signed certificate. You can create such a certificate using the New-SelfSignedCertificate cmdlet. However, best practices have long discouraged the use of self-signed certificates in production environments.

That being the case, I want to show you how to deploy an enterprise Certificate Authority (CA) on Windows Server, acquire a certificate from that CA, and then use the certificate to sign a PowerShell script.

Let’s start.

How to configure the certificate authority

For the purposes of this article, I’m assuming you have a domain-joined Windows server (with the desktop experience enabled) that can act as a CA. I’m going to configure the CA using the GUI (as opposed to PowerShell) just for simplicity.

To configure the CA, open Server Manager, then select Add Roles and Features from the Manage menu. When the Add Roles and Features wizard starts, click Next repeatedly to accept the defaults until you get to the Server Roles screen. When you reach Server Roles, select the Active Directory Certificate Services role, shown in Figure 1. Click the Add Features button to install the various dependency features.

Figure 1. Install the Active Directory Certificate Services role. (Screenshot: Brian Posey)

Now click Next multiple times until you reach the Select Role Services screen. Make sure the Certification Authority box is checked. You will also need to check the Certification Authority Web Enrollment box. When prompted, click Add Features, then Next several times, then Install. When the installation process is complete, click Close.

Once the process is complete, you will be returned to the main Server Manager screen. Click the Alert icon, which will indicate that you need post-deployment configuration, as shown in Figure 2. Click the Configure Active Directory Certificate Services link to begin this process.

Figure 2. Click the Configure Active Directory Certificate Services link in the Post-Deployment Configuration window. (Screenshot: Brian Posey)

At this point, Windows will launch the Active Directory Certificate Services Setup Wizard. Click Next to skip the welcome screen. You will now be taken to a screen that asks you which roles you want to configure. Check the Certification Authority and Certification Authority Web Enrollment boxes, and then click Next.

When prompted, choose Enterprise CA as the installation type and click Next. You will then be asked to specify the type of CA you are creating. Choose the Root CA option and click Next. Now choose the option to create a new private key, followed by Next.

You can click Next on subsequent screens to accept the defaults. However, if you are deploying a CA in a production environment, you should take a moment to determine if the defaults are right for your organization. During the process, be sure to note the friendly name of the CA. For the purposes of this guide, I will use the name PoseyLab-CA.

When you reach the end of the wizard, click the Configure button. Windows will configure the CA and then display a message like the one shown in Figure 3 indicating that the configuration process was successful.

Figure 3. The CA and CA Web Enrollment configurations completed successfully. (Screenshot: Brian Posey)
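For readers who would rather script the deployment, here is the same Enterprise Root CA and Web Enrollment configuration performed in PowerShell. This is an added example and not part of the article, which uses the GUI; the CA name PoseyLab-CA comes from the article, while the key length, hash algorithm and validity period are my own choices rather than wizard defaults.

```powershell
# Added example: scripted equivalent of the Add Roles and Features wizard and the
# AD CS configuration wizard described above. Run in an elevated PowerShell session
# on the domain-joined server, as a member of Enterprise Admins.

# 1. Install the AD CS role with the Certification Authority and Web Enrollment
#    role services (and the management tools the GUI adds as dependencies).
Install-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools

# 2. Configure the CA: Enterprise CA, Root CA, new private key.
#    Assumed values (not wizard defaults): 4096-bit RSA, SHA-256, 5-year validity.
#    Review these against your own PKI requirements before running in production.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName 'PoseyLab-CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years `
    -ValidityPeriodUnits 5 `
    -Force

# 3. Configure the Certification Authority Web Enrollment role service (IIS pages).
Install-AdcsWebEnrollment -Force

# 4. Verify the CA is answering requests. The config string is "<host>\<CA name>".
certutil -config "$env:COMPUTERNAME\PoseyLab-CA" -ping

# 5. Confirm the inbound HTTP rules IIS relies on are enabled, which the article
#    reminds you to check before using the web enrollment interface.
Get-NetFirewallRule -Direction Inbound |
    Where-Object DisplayName -like 'World Wide Web Services*' |
    Select-Object DisplayName, Enabled, Action
```

If the verification in step 4 fails, inspect the Application event log for CertificationAuthority events before retrying the configuration.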

Now that the CA is configured, we can move on to the next step, which is to acquire a certificate that can be used to sign a PowerShell script. I’ll show you how to do that in part two.

In the meantime, review firewall rules on your CA to make sure they allow web traffic. Otherwise, you will not be able to use the web interface to upload the required certificate.
