Security Certificate Type
Last Post 17 Jan 2008 08:50 PM by kscriss. 6 Replies.
slkissinger
07 Dec 2007 04:52 PM

Our team is attempting to correctly design the PowerShell environment prior to allowing PowerShell to be deployed to any company workstations. To that end, I've asked our security team to provide us with a security certificate to 1) deploy to workstations via GPO and 2) use to sign any company-blessed or created PS scripts using PrimalScript.

The security team asked "what type" of certificate. The only answer I was able to supply was "PrimalScript is looking for a certificate that ends in .pfx", which apparently was not a sufficient answer. I am unfortunately not a security / certificate person, so I'm not sure what the security team is asking. I've checked a few online sources, Googled, etc., but have been unable to find an answer to the question of "what type" of certificate; just that it should be a security certificate signed by a trusted source.

Can anyone answer that question for me?

Thanks!

bsonposh
07 Dec 2007 05:12 PM
What you need is a software signing script, but this does not need to be deployed to all your workstations. Your workstations just need to trust the CA that issues the signing cert.
Brandon Shell
----------------
Microsoft Powershell MVP
https://mvp.support.microsoft.com/profile/Brandon
Blog: http://www.bsonposh.com
bsonposh
07 Dec 2007 05:12 PM
er... not software signing script but software signing certificate
Brandon Shell
----------------
Microsoft Powershell MVP
https://mvp.support.microsoft.com/profile/Brandon
Blog: http://www.bsonposh.com
slkissinger
07 Dec 2007 06:27 PM
Thanks for the clarification.  I'll supply this information to our Security team.
DonJ (PowerShell MVP)
10 Dec 2007 03:52 PM
More specifically, a Class III Authenticode-type code-signing certificate (if your security team is still wondering). It needs to be INSTALLED in order for PowerShell (or PrimalScript) to use it, not just resident in a PFX file; if you have a PFX file, you can usually double-click it to have Windows begin certificate installation on your computer.

For PowerShell, I believe PrimalScript actually needs the path to the certificate on the PowerShell CERT: drive. Post in SAPIEN's support forums once you get your cert, if you have trouble configuring it.
- Don Jones
www.ConcentratedTech.com
Subscribe (RSS) or visit for weekly PowerShell tips and lessons
kscriss
28 Dec 2007 09:34 PM

I use a free software-signing digital certificate that was issued by my enterprise's internal CA authority, and it works great. I don't have a software-signing certificate issued by a certificate authority such as Verisign or Thawte, but I'm sure these are available for a price.

However, concerning my internally generated software-signing digital certificate: my team leader elected not to install that certificate into our enterprise's trusted store of certificates that is located on our domain controllers. Sniff sniff :( This means that while I can still use the certificate he issued to me to sign scripts, and run those scripts on any workstation or server where PowerShell is installed, I must first train that workstation or server (one time only) to trust my software-signing digital certificate.

But if my software-signing certificate had been moved into the enterprise's trusted store of certificates after it was generated, I would not have to go through this manual trusting step.

I think that is the answer to the question you were asking.

P.S. I would deploy PowerShell with an "AllSigned" execution policy.

My blog: http://blogs.powershellcentral.com/kscriss/
kscriss
17 Jan 2008 08:50 PM
I forgot to add: if you don't have your code-signing certificate installed in your enterprise's trusted store, your code-signing certificate will still work, but you do have to manually establish that trust relationship (one time only) on each server or workstation you wish to run your scripts on. Additionally, the manual trust relationship I described has to be established, one time only, for each ACCOUNT credential the script is running under as well.

This means that if you're running the script via your account and you established the trust relationship, and then someone else signs on to that machine and wishes to run your script, they too must make a trust decision about your code-signing certificate.

However, if your code-signing certificate gets installed in the right place in the enterprise, the trust/not-trust decision will be automatic and you can forget about everything I just said.
My blog: http://blogs.powershellcentral.com/kscriss/
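As an added example (not code posted in this thread), the following PowerShell ties together Don's point about the certificate living on the Cert: drive and kscriss's point about trust under AllSigned: it picks an installed code-signing certificate, signs a script, verifies the signature, and reports whether the publisher is already in a TrustedPublisher store so that AllSigned will not prompt. The script path is a placeholder, and the optional timestamp server URL is left for you to supply.

```powershell
# Added example, not from the thread. Assumes a code-signing certificate is
# already installed under Cert:\CurrentUser\My (e.g. by double-clicking the PFX).
$ScriptPath      = 'C:\Scripts\Example.ps1'  # placeholder: the script to sign
$TimestampServer = ''                        # optional: your timestamp authority URL

# 1. Find a usable signing cert on the Cert: drive. -CodeSigningCert is a
#    certificate-provider filter for certs carrying the Code Signing EKU.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'No unexpired code-signing certificate with a private key found.' }

# 2. Sign the script. The signature covers the file content, so any later edit
#    invalidates it; a timestamp keeps the signature valid after the cert expires.
$signArgs = @{ FilePath = $ScriptPath; Certificate = $cert }
if ($TimestampServer) { $signArgs.TimestampServer = $TimestampServer }
$result = Set-AuthenticodeSignature @signArgs
if ($result.Status -ne 'Valid') { throw "Signing failed: $($result.StatusMessage)" }

# 3. Verify the way PowerShell does at run time. Status is Valid only if the hash
#    matches AND the signer chains to a CA in the machine's trusted root store,
#    which is the "trusted store" the thread is talking about.
$sig = Get-AuthenticodeSignature -FilePath $ScriptPath
"Signature : $($sig.Status) - $($sig.StatusMessage)"
"Signer    : $($sig.SignerCertificate.Subject)"

# 4. Even with a Valid signature, AllSigned prompts unless the signer is in a
#    TrustedPublisher store. Answering 'Always run' at that prompt writes the cert
#    to the CurrentUser store only, which is why every account must answer once;
#    pushing it to LocalMachine (e.g. via GPO) makes the decision machine-wide.
if ($sig.SignerCertificate) {
    $thumb  = $sig.SignerCertificate.Thumbprint
    $stores = 'Cert:\CurrentUser\TrustedPublisher', 'Cert:\LocalMachine\TrustedPublisher'
    $found  = foreach ($store in $stores) {
        if (Get-ChildItem -Path $store | Where-Object { $_.Thumbprint -eq $thumb }) { $store }
    }
    if ($found) { "Publisher trusted via: $($found -join ', ')" }
    else        { 'Publisher not in TrustedPublisher: AllSigned will prompt per account.' }
}

# 5. Confirm the policy kscriss recommends is actually in effect at each scope.
Get-ExecutionPolicy -List
```

Run this in an elevated session if you want to read the LocalMachine stores reliably; signing itself only needs access to the private key in the current user's store.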