I’m new to certs, but I have been following this guide, using makecert.exe of course.
With the guide I have successfully created a certificate under “Certificates - Current User\Trusted Root Certification Authorities”
and under “Certificates - Current User\Personal\Certificates”… I then used the following to sign my script successfully and was able to execute it as a signed script on the Win2012R2 server I created the cert on, which had the execution policy set to “AllSigned”.
I then followed the same guide and exported the .cer from “Certificates - Current User\Trusted Root Certification Authorities” and copied it over to another Windows 7 host. I attempted to import the .cer file with no issues at all. The execution policy is set to “AllSigned” over here as well.
When I copy the test.ps1 that is signed over to the Win7 host and try to execute it, I get the following error:
File C:\Users\admin\Desktop\test.ps1 cannot be loaded. A certificate chain could not be built to a trusted root authority.
    + CategoryInfo : SecurityError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : UnauthorizedAccess
Am I missing something here, or is there a better method for me to create my own cert, sign my own .ps1 scripts, move both to another Windows 7 host, and have the signed script run there? Any help or suggestions appreciated.
Hi John,
Have you verified that the root certificate was actually imported to Trusted Root?
I find that I often have to specify the specific store, rather than trusting Windows to figure it out based on the certificate.
I have been bouncing between other things; I went to revisit this, and now I can’t even execute my script on the Win2012R2 server where I originally created the cert WITHOUT getting prompted to V run never / D do not run / R run once / A always run. I think I might have had PowerShell set to Unrestricted before when testing. Below are the results of testing for the cert and my .ps1 file that was signed. Again, I checked and my cert is visible in “Certificates - Current User\Trusted Root Certification Authorities\Certificates”, also in “Certificates - Current User\Personal\Certificates”, and “Certificates (Local Computer)\Trusted Root Certification Authorities\Certificates”… I thought if I had a cert locally set up fine, then signed it appropriately as I mentioned, then with the execution policy set to AllSigned, I shouldn’t get prompted like I am above to choose a run method? I know when I set the execution policy to RemoteSigned, my signed script runs and I don’t get the prompt.
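A diagnostic script for both problems raised above (the chain error on the Win7 host and the V/D/R/A prompt under AllSigned), added here as an example and not part of the original posts. It assumes the signed script is at .\test.ps1 (adjust the path); it shows how PowerShell itself judges the signature, which certificate stores hold the signer, and which link of the chain fails. The Trusted Publishers store matters because AllSigned keeps prompting until the signer is present there, which is what answering “A” (always run) records.

```powershell
# Added example, not from the thread. Assumes the signed script is .\test.ps1.
param([string]$ScriptPath = '.\test.ps1')

# 1. How PowerShell judges the signature. On the failing Win7 host, Status is not
#    'Valid' and StatusMessage carries the same "certificate chain could not be built" text.
$sig = Get-AuthenticodeSignature -FilePath $ScriptPath
$sig | Format-List Status, StatusMessage,
    @{ n = 'Signer';     e = { $_.SignerCertificate.Subject } },
    @{ n = 'Thumbprint'; e = { $_.SignerCertificate.Thumbprint } }

if (-not $sig.SignerCertificate) {
    Write-Warning "$ScriptPath carries no Authenticode signature."
    return
}
$thumb = $sig.SignerCertificate.Thumbprint

# 2. Which stores actually contain the signer's certificate (matched by thumbprint).
#    A self-signed signing cert must be in a Root store for the chain to build at all;
#    under AllSigned, PowerShell additionally prompts until it is in TrustedPublisher.
$stores = 'Cert:\CurrentUser\Root',
          'Cert:\LocalMachine\Root',
          'Cert:\CurrentUser\TrustedPublisher',
          'Cert:\LocalMachine\TrustedPublisher'
foreach ($store in $stores) {
    $found = Get-ChildItem $store | Where-Object { $_.Thumbprint -eq $thumb }
    '{0,-40} {1}' -f $store, $(if ($found) { 'present' } else { 'ABSENT' })
}

# 3. Build the chain explicitly to see exactly which check fails
#    (untrusted root, expired certificate, wrong store, ...).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # a makecert test root publishes no CRL
$builds = $chain.Build($sig.SignerCertificate)
"Chain builds to a trusted root: $builds"
foreach ($status in $chain.ChainStatus) {
    '  {0}: {1}' -f $status.Status, $status.StatusInformation.Trim()
}
```

Run it on both hosts and compare the store table: if the signer is ABSENT from every Root store on the Win7 host, the .cer was imported somewhere else (for example the Personal store), which reproduces the chain error; if the chain builds but TrustedPublisher shows ABSENT, that explains the prompt.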