How to trust a certificate in Windows Powershell - powershell

I am using Windows 7 and want to run signed scripts from PowerShell. The security settings of PowerShell are set to "AllSigned", and my scripts are signed with a valid certificate from my company. I have also added the .pfx file to my local certificate store (right-clicked the .pfx file and installed it).
However, when I start a signed script, I get a message that says:
"Do you want to run software from this untrusted publisher?
File Z:\Powershell Signed Scripts\signed.ps1 is published by CN=[MyCompanyName] and is not trusted on your system. Only run scripts from
trusted publishers.
[V] Never run [D] Do not run [R] Run once [A] Always run [?] Help
(default is "D"):"
Since I want to automatically call these scripts on my systems, I would like to add my imported certificate to the trusted list on my system, so that I do not get a message anymore when I run a signed script for the first time. How can I make my certificate a trusted one?

Indeed, you can do this without any MMC :)
First, check the location of your personal certificate (named, for example, "Power"):
Get-ChildItem -Recurse cert:\CurrentUser\ | where { $_ -Match "Power" } | Select PSParentPath, Subject, Issuer, HasPrivateKey | ft -AutoSize
(This one should be empty:)
gci cert:\CurrentUser\TrustedPublisher
Build the command with the path to your certificate:
$cert = Get-ChildItem Certificate::CurrentUser\My\ABLALAH   # ABLALAH stands for the certificate's thumbprint
Next, work on the certificate store (here I work on two certificate stores: user and computer):
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store "TrustedPublisher", "LocalMachine"
$store.Open("ReadWrite")   # writing to the LocalMachine store needs an elevated shell
$store.Add($cert)
$store.Close()
Check; you should find your certificate:
ls cert:\CurrentUser\TrustedPublisher

Sounds like you need to verify that the script is signed properly and that you have the correct certificate installed in the correct certificate store.
Use the Get-AuthenticodeSignature cmdlet to get information about the signed script.
Also review Scott's guide for signing certificates.
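Pulling the two answers together, here is an added example (not code from either answer) that first checks the script's signature with Get-AuthenticodeSignature and then puts only the signer's public certificate into TrustedPublisher, so no .pfx or private key is ever imported. The script path is the one from the question; the scope parameter is an assumption.

```powershell
# Added example: trust a signed script's publisher without importing the .pfx.
# Assumes the script at $ScriptPath is already Authenticode-signed.
param(
    [string]$ScriptPath = 'Z:\Powershell Signed Scripts\signed.ps1',
    # 'CurrentUser' affects this user only; 'LocalMachine' needs an elevated shell.
    [ValidateSet('CurrentUser', 'LocalMachine')]
    [string]$Scope = 'CurrentUser'
)

$sig = Get-AuthenticodeSignature -FilePath $ScriptPath

# 'Valid' means the signature matches the file and the chain ends at a trusted root.
# Any other status (NotTrusted, HashMismatch, UnknownError...) is a chain or
# signature problem that adding the cert to TrustedPublisher cannot fix.
if ($sig.Status -ne 'Valid') {
    throw "Signature status is '$($sig.Status)' for $ScriptPath; refusing to trust the signer."
}

$signer = $sig.SignerCertificate          # public certificate only, no private key
Write-Host "Signer: $($signer.Subject) (thumbprint $($signer.Thumbprint))"

$storePath = "Cert:\$Scope\TrustedPublisher"
$present = Get-ChildItem $storePath | Where-Object { $_.Thumbprint -eq $signer.Thumbprint }

if ($present) {
    Write-Host "Already present in $storePath"
} else {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'TrustedPublisher', $Scope
    $store.Open('ReadWrite')
    $store.Add($signer)
    $store.Close()
    Write-Host "Added to $storePath"
}

# Verify: under AllSigned the script should now run without the publisher prompt.
Get-ChildItem $storePath | Where-Object { $_.Thumbprint -eq $signer.Thumbprint } |
    Select-Object Subject, NotAfter, Thumbprint
```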

Related

Powershell command for importing Certificates to the "UNTRUSTED CERTIFICATES\CERTIFICATES" location

The command I'm using that is working perfectly for "Trusted Root Certification Authorities\Certificates" is:
$file = (Get-ChildItem -Path "D:/Root CA 2.cer")
$file | Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root
When it comes to the 6 different certs that need to be imported to "Trusted Root Certification Authorities", this command works perfectly. Root CA 2, 3, 4, 5 and the two different ECA Roots 2 and 4 are all placed in their location. However, when it comes to the CCEB Interoperability cert, this command also places it in "Trusted Root Certification Authorities". The CCEB cert is supposed to be located in the "Untrusted Certificates" location. What confuses me most is that when you use the MMC console, right-click, choose Import and select this file, it automatically knows that it's supposed to be in the "Untrusted" location. I thought that the PowerShell command would produce the same result, but it doesn't. It keeps placing it in the wrong location. I'm brand new to PowerShell and can't find any discussion on this topic. Please help, and thank you in advance.
PowerShell can use cert:\ paths to browse the certificate store like a file system. Check out the about_Certificate_Provider page for more details. Each cert store's name is a little different from what you see in the MMC, though.
cert:\LocalMachine\Root is the "Trusted Root Certification Authorities" store, so any certificates you import are placed there when you specify -CertStoreLocation that way.
"Untrusted Certificates" is named Disallowed, so you can import like so:
Get-Item "D:\folder\BadCerts.sst" |
    Import-Certificate -CertStoreLocation "Cert:\LocalMachine\Disallowed"
PowerShell can't easily display the certificate trust list (CTL) in the untrusted certs store, but it can import just fine.

How do I relate the signature algorithms of a Windows certificate to the parameters for signing with SignTool?

We have a PowerShell script written years ago by someone who has moved on, to sign our ClickOnce deployments. This has worked well, until recently when the certificate expired. I'm tasked with updating the PowerShell script to incorporate the new signing certificate we recently purchased.
I put the new certificate into the Certificate store, per the instructions from the previous maintainer. I've made modifications to the PowerShell script, fixing other bugs as they've come along, but I'm at a place where I don't know how to relate the details of the certificate with the parameters for SignTool.exe. Looking at the properties of the certificate, from the Details view, I see the following relevant values:
Signature algorithm: sha384RSA
Signature hash algorithm: sha384
Thumbprint algorithm: sha1
Looking at Microsoft's SignTool documentation page for the sign command, I see values used by the PowerShell script such as /td and /fd, but I don't know which relates to the values displayed in the properties for the certificate. Also, I'm not certain that I need the thumbprint algorithm. According to the Microsoft page I referenced, it should be used if working with multiple certificates, which the PowerShell script is not.
Here is what is currently in the PowerShell script for signing the ClickOnce app:
Get-AuthenticodeSignature *.exe,*.dll | ? Status -eq NotSigned | % Path | %{&$signtool sign /tr $timestamp /td sha384 /fd sha384 $hash $_ }
That now gives me an error of, "##[error]SignTool Error: No certificates were found that met all the given criteria."
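As an added example (not the poster's script), the following checks the criteria SignTool applies when it picks a certificate, so the "No certificates were found that met all the given criteria" error can be traced to a concrete cause before signing. The thumbprint and timestamp URL are placeholders; $signtool, $timestamp and the /fd /td values mirror the script above.

```powershell
# Added example: validate the signing certificate, then sign unsigned files.
$thumbprint = 'REPLACE_WITH_CERT_THUMBPRINT'      # placeholder; /sha1 selects the cert by SHA-1 thumbprint
$timestamp  = 'http://timestamp.example.invalid'  # placeholder RFC 3161 timestamp server for /tr
$signtool   = 'signtool.exe'
$codeSigningEku = '1.3.6.1.5.5.7.3.3'             # id-kp-codeSigning

# SignTool searches the stores it is pointed at; by default the user's My store.
$cert = Get-ChildItem Cert:\CurrentUser\My, Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $thumbprint }

# Each failure below is one of the "given criteria" SignTool reports as unmet.
if (-not $cert) {
    throw "No certificate with thumbprint $thumbprint in CurrentUser\My or LocalMachine\My"
}
if (-not $cert.HasPrivateKey) {
    throw "Certificate present but has no private key (was only the .cer imported instead of the .pfx?)"
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate expired on $($cert.NotAfter)"
}
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }   # Extended Key Usage
if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $codeSigningEku })) {
    throw "Certificate lacks the Code Signing EKU ($codeSigningEku)"
}

# 'sha384RSA' in the certificate's Details tab is the CA's signature over the
# certificate itself; it does not drive /fd or /td. /fd is the digest computed
# over each file you sign, /td is the digest the timestamp server signs.
$signArgs = @('sign', '/tr', $timestamp, '/td', 'sha384', '/fd', 'sha384', '/sha1', $thumbprint)

Get-AuthenticodeSignature *.exe, *.dll |
    Where-Object { $_.Status -eq 'NotSigned' } |
    ForEach-Object { & $signtool @signArgs $_.Path }
```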

fetching certificates with powershell

Hi, I'm very new to PowerShell. I need to fetch only issued certificates from the CA server and export all issued certificates to a CSV file using PowerShell, but I am unable to find the exact command. Any help would be appreciated.
I'm using this command to fetch issued certificates, but I am getting all certificates. How do I filter only issued certificates?
certutil -view -out "RequestID,RequesterName,RequestType,NotAfter,CommonName,CertificateTemplate,SerialNumber"
I'd recommend looking into using the PKITools module as this module includes the ability to retrieve issued certificates with ease.
You should be able to install the module by issuing the following command:
Install-Module -Name PKITools
Once the module has been installed, it should be as simple as running the below (without Format-Table if you want to work with the returned data):
Get-IssuedCertificate | Format-Table
This will give you output similar to the below:
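As an added example that does not rely on the PKITools module (and is not part of the answer above), the same certutil -view query can be restricted to issued requests and converted to CSV directly. Disposition 20 is the AD CS value for issued certificates (21 revoked, 9 pending, 30 failed, 31 denied); the -config value is a placeholder for a remote CA.

```powershell
# Added example: export only issued certificates from the CA database to CSV.
# Assumes it runs on the CA, or that -CaConfig names a reachable CA.
param(
    [string]$OutFile  = "$env:TEMP\issued-certs.csv",
    [string]$CaConfig = ''      # e.g. 'CAHOST\My-Issuing-CA' (placeholder); empty = local CA
)
# Same columns as the question's certutil command.
$columns = 'RequestID,RequesterName,RequestType,NotAfter,CommonName,CertificateTemplate,SerialNumber'

$certutilArgs = @()
if ($CaConfig) { $certutilArgs += @('-config', $CaConfig) }
# -restrict filters rows server-side; Disposition=20 keeps issued certs only.
# The trailing 'csv' makes certutil emit a header row plus one row per request.
$certutilArgs += @('-view', '-restrict', 'Disposition=20', '-out', $columns, 'csv')

$raw = & certutil @certutilArgs
if ($LASTEXITCODE -ne 0) { throw "certutil failed with exit code $LASTEXITCODE" }

$rows = @($raw | ConvertFrom-Csv)
$rows | Export-Csv -Path $OutFile -NoTypeInformation

"Exported {0} issued certificates to {1}" -f $rows.Count, $OutFile
# Column names in the CSV are certutil's display names; show the first few rows.
$rows | Select-Object -First 5 | Format-Table -AutoSize
```

The Disposition filter is what separates issued certificates from pending, denied and failed requests; certutil -view without -restrict returns every row in the database.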

Self-signed certificates limited to a host?

I am generating self-signed .pfx certificates for a java application running on a couple of Windows servers. These certificates will be imported into their respective java keystores.
My question is: Can I generate a self-signed certificates for server2, server3 and server4 on server1? Is there anything in a certificate, apart from the dns name, that would bind it to the machine on which it was generated?
My concern is that if I generate the certificate for server2 on server1, the certificate will still be somehow bound to server 1 only.
I am using the following powershell script to generate the certificates:
$cert = New-SelfSignedCertificate -KeyFriendlyName server1 -CertStoreLocation cert:\localmachine\my -DnsName server1.mydomain.com
# Export the certificate object just created; -Password requires a SecureString.
Export-PfxCertificate -Cert $cert -FilePath C:\Certificates\server1.pfx -Password (ConvertTo-SecureString -String 'dummypassword' -AsPlainText -Force)
My idea was to simplify the process of generating the certificates by running the script on a single server and just altering the dnsname, alias and file name for each certificate.
You can generate a certificate on any machine for any machine; just set the common name correctly (the certificate's CN field).
See the -Subject parameter of the PowerShell command.
Note that moving private keys around is a bad practice; you should instead generate the key pair on the same machine that it is to be used by.
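Following the answer's advice, here is an added example (not from the question or answer) that keeps the single-script convenience the question asks for while generating each key pair on the server that will use it: the .pfx is written on the remote host for its Java keystore, and only the public .cer comes back. Host names are placeholders; it assumes WinRM remoting is enabled and a PKI module that supports -Subject and -NotAfter (Windows 10 / Server 2016 and later).

```powershell
# Added example: per-server self-signed certificates, private keys never leave their host.
$servers = 'server2', 'server3', 'server4'      # placeholders
$domain  = 'mydomain.com'
$pfxPassword = Read-Host -AsSecureString 'PFX password for the exported files'

foreach ($srv in $servers) {
    $fqdn = "$srv.$domain"

    # Everything in this script block runs on the remote host.
    $publicB64 = Invoke-Command -ComputerName $fqdn -ArgumentList $fqdn, $pfxPassword -ScriptBlock {
        param($fqdn, $password)
        # Subject and SAN both name this host; nothing else ties the cert to a machine.
        $cert = New-SelfSignedCertificate -Subject "CN=$fqdn" -DnsName $fqdn `
            -FriendlyName $fqdn -CertStoreLocation Cert:\LocalMachine\My `
            -KeyLength 2048 -NotAfter (Get-Date).AddYears(1)
        New-Item -ItemType Directory -Path C:\Certificates -Force | Out-Null
        # The .pfx (with private key) is written on this machine only, and is
        # built from $cert rather than from the whole store path.
        Export-PfxCertificate -Cert $cert -FilePath "C:\Certificates\$fqdn.pfx" `
            -Password $password | Out-Null
        [Convert]::ToBase64String($cert.Export('Cert'))   # DER of the public cert only
    }

    # Back on the admin box: keep the public certificate for clients that must trust it.
    $cerPath = "C:\Certificates\$srv.cer"
    [IO.File]::WriteAllBytes($cerPath, [Convert]::FromBase64String($publicB64))
    $pub = New-Object Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
    "{0}: {1} thumbprint={2} hasPrivateKey={3}" -f $srv, $pub.Subject, $pub.Thumbprint, $pub.HasPrivateKey
}
```

The final line should report hasPrivateKey=False for every .cer, which is the check that the private key did indeed stay on the remote server.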

Installing a .pfx Cert in TrustedRootCA WITH private key from command line in powershell on win7

My question is this: how would I go about installing a .pfx cert into TrustedRootCA with its private key from the command line using PowerShell in Windows 7?
I've got it to install the cert using this command: certutil -importpfx -p "mypasswordhere" "cert path location here"
The above installs it to the personal store of the local computer fine (with the private key intact) and also installs it to TRCA, only without the private key. This is my issue, as the program requires the TRCA to have the private key.
But when I try to use the program that needs the cert it says: "It is likely that "My cert" may not have a private key that is capable of key exchange or the process may not have access rights for the private key. Please see inner exception for more detail."
However, I checked the TRCA store and verified that my cert indeed does not have its private key.
So again, my question is: is there any way using PowerShell to automate this process on Windows 7? Thanks in advance.
You can use the command
Import-PfxCertificate -FilePath C:\setup\TestCertImport.pfx -CertStoreLocation 'Cert:\LocalMachine\Root'
Root = Trusted Root,
My = Local Machine Personal certificate folder.
If the certificate has a password you can add the -Password parameter, and if you want it to be exportable, the -Exportable switch.
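As an added example (not the answer's own command), this wraps Import-PfxCertificate with the -Password and -Exportable options the answer mentions and then confirms that the certificate landed in the target store with its private key, which is the exact property the certutil import above was missing. The file path and store come from the thread; Import-PfxCertificate is part of the PKI module that ships with Windows 8 / Server 2012 and later.

```powershell
# Added example: import a .pfx into a chosen store and verify the private key is there.
param(
    [string]$PfxPath = 'C:\setup\TestCertImport.pfx',
    [string]$Store   = 'Cert:\LocalMachine\Root',   # 'Cert:\LocalMachine\My' for the Personal store
    [switch]$Exportable                             # allow the key to be exported again later
)
$pfxPwd = Read-Host -AsSecureString 'PFX password'   # -Password takes a SecureString

$params = @{ FilePath = $PfxPath; CertStoreLocation = $Store; Password = $pfxPwd }
if ($Exportable) { $params.Exportable = $true }

$imported = Import-PfxCertificate @params

# Re-read the certificate from the store; HasPrivateKey reflects the store copy,
# which is what the program in the question checks.
$check = Get-ChildItem $Store | Where-Object { $_.Thumbprint -eq $imported.Thumbprint }
if (-not $check) {
    throw "Certificate $($imported.Thumbprint) not found in $Store after import"
}
if (-not $check.HasPrivateKey) {
    throw "$($check.Subject) is in $Store but without a private key"
}
# A private key in a root store lets anyone who can read it issue trusted certs,
# so keep the key's ACL limited to the account that runs the program.
"{0} imported into {1} with private key (thumbprint {2})" -f $check.Subject, $Store, $check.Thumbprint
```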