using self-signed cert between 2 hosts but get certificate chain error

I’m new to certs, but i have been following this guide, using makecert.exe of course.

with the guide i have successfully created a certificate under “certificates - current user\trusted root certification authorities”
and under “certificates - current user\Personal\Certificates”… i then used the following to sign my script successfully and was able to execute it as a signed script on the win2012R2 server i created the cert on, that had execution policy set to “Allsigned”

Get-ChildItem cert:\CurrentUser\My -codesign
Set-AuthenticodeSignature "C:\Users\admin\Desktop\test.ps1" @(Get-ChildItem cert:\CurrentUser\My -codesign)[0]

i then followed the same guide and exported the .cer from “certificates - current user\trusted root certification authorities” and copy it over to another windows 7 host. attempted to import the .cer file with no issues at all. execution policy set to “Allsigned” over here as well.

when i copy the test.ps1 that is signed over tot he win7 host and try and execute it i get the following error:

File C:\Users\admin\Desktop\test.ps1 cannot be
loaded. A certificate chain could not be built to a trusted root authority.
    + CategoryInfo          : SecurityError: (:) [], ParentContainsErrorRecord
    + FullyQualifiedErrorId : UnauthorizedAccess

Am i missing something here or is there a better method for me to create my own cert , sign my own ps1 scripts, and move both to another host windows 7 and have the signed script run there? any help or suggestions appreciated.

Hi John,
Have you verified that the root certificate was actually imported to Trusted Root?
I find that I often have to specify the specific store, rather than trusting windows to figure it out based on the certificate.


i have been bouncing between other things, i went to re-visit this, and now i can’t even execute my script on the win2012r2 server where i originally created the cert WITHOUT getting prompted to V run never/D do not run / R run once / A always run . i think i might have had pshell set to unrestricted before when testing. below is results of testing for the cert and my ps1 file that was signed. again i checked and my cert is visible in “certificates-current user\Trusted Root Certification Authorities\Certificates” also in “certificates-current user\Personal Certificates”, and “Certificates (local computer)\Trusted Root Certification Authorities\Certificates”… i thought if i had a cert locally setup fine, then signed it appropriately as i mentioned , then with Execution-Policy set to AllSigned, i shouldn’t get prompted like i am above to choose a run method ? i know when i set execution-policy to Remotesigned, my signed script runs and i don’t get the prompt.

PS C:\Users\admin> dir Cert:\CurrentUser\My -CodeSigningCert

    Directory: Microsoft.PowerShell.Security\Certificate::CurrentUser\My

Thumbprint                                Subject

----------                                -------

3F27C85388B304DAE8C198333A3D7D281EB70935  CN=get_test PowerShell

PS C:\Users\admin> Get-AuthenticodeSignature C:\Users\admin\Desktop\test\test.ps1 | ft -AutoSize

    Directory: C:\Users\admin\Desktop\test

SignerCertificate                        Status Path

-----------------                        ------ ----

3F27C85388B304DAE8C198333A3D7D281EB70935 Valid  test.ps1