All geek questions in one place

How to create a code signing certificate using the New-SelfSignedCertificate cmdlet

PowerShell 4.0

Tool

makecert has the -eku parameter to describe the extended key object identifiers (OIDs) in the certificate. This allows you to make certificates for signing the code and for other purposes. But this is not a cmdlet.

Newer versions of PowerShell have the New-SelfSignedCertificate for testing scripts locally. But it creates a certificate that cannot be used to sign the code:

 New-SelfSignedCertificate -DnsName www.SomeSite.com -CertStoreLocation Cert:\CurrentUser\My

I do not see an option similar to -eku .

How can I set the purpose of my new self-signed certificate (created using the New-SelfSignedCertificate ) so that it can be used to sign code? Or can you do the same with another cmdlet?

+5
source share
2 answers

The version of New-SelfSignedCertificate on PS 4 is pretty simple.

However, Powershell v5 has options that you will need to create certain keys.

In particular, the Keyusage parameter, which takes

 -- CertSign -- CRLSign -- DataEncipherment -- DecipherOnly -- DigitalSiganture -- EncipherOnly -- KeyAgreement -- KeyEncipherment -- None (default) -- NonRepudiation

and a KeyUsageProperty taking

 -- All -- Decrypt -- KeyAgreement -- None (default) -- Sign

Are you specially tied to v4? If you can upgrade to v5, you can achieve what you need.

+2
source

You can use the PS certificate provider to access various certificate stores (user or machine), but this will not help with your OID problem. I suggest you look at .NET support for X509 certificates. Google ".net x509 certificate" and you will find the X509Certificate class on MSDN. From there, read the class documentation and any overview documentation to find out if OID creation is supported. If .NET does not support it, you will have to use P / Invoke to invoke the Windows CNG APIs (next generation cryptography)

0
source

Source: https://habr.com/ru/post/1241754/

More articles:


All Articles