Create Code Signing Certificate on Windows for signing PowerShell scripts

According to this guide I tried to create a certificate for signing PowerShell scripts:

CD C:\OpenSSL-Win32\bin
REM Create the key for the Certificate Authority.  2048 is the bit encryptiong, you can set it whatever you want
openssl genrsa -out C:\Test\ca.key 2048
openssl req -config C:\OpenSSL-Win32\bin\openssl.cfg -new -x509 -days 1826 -key C:\Test\ca.key -out C:\Test\ca.crt
REM Now I'm creating the private key that will be for the actual code signing cert
openssl genrsa -out C:\Test\codesign.key 2048
openssl req -config C:\OpenSSL-Win32\bin\openssl.cfg -new -key C:\Test\codesign.key -reqexts v3_req -out C:\Test\codesign.csr
openssl x509 -req -days 1826 -in C:\Test\codesign.csr -CA C:\Test\ca.crt -CAkey C:\Test\ca.key -extfile C:\OpenSSL-Win32\bin\cnf\opensslTest.cnf -set_serial 01 -out C:\Test\codesign.crt
openssl pkcs12 -export -out C:\Test\codesign.pfx -inkey C:\Test\codesign.key -in C:\Test\codesign.crt

The following error occurs:

C:\OpenSSL-Win32\bin>openssl x509 -req -days 1826 -in C:\Test\codesign.csr -CA C:\Test\ca.crt -CAkey C:\Test\ca.key -extfile C:\OpenSSL-Win32\bin\cnf\openssl.cnf -set_serial 01 -out C:\Test\codesign.crt
Error Loading extension section default
14516:error:22097082:X509 V3 routines:do_ext_nconf:unknown extension name:crypto\x509v3\v3_conf.c:78:
14516:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:crypto\x509v3\v3_conf.c:47:name=HOME, value=.

I used OpenSSL v1.1.0c. Every other guide I found creates certificates that are not usable for code signing.


Solution 1:

There is no need in OpenSSL on Windows. On Windows 7, you can use my own PowerShell script I published on TechNet Script Gallery: Self-signed certificate generator (PowerShell). The usage can be something like this:

New-SelfsignedCertificateEx -Subject "CN=Test Code Signing" `
-EKU "Code Signing" `
-KeySpec "Signature" `
-KeyUsage "DigitalSignature" `
-FriendlyName "Test code signing" `
-NotAfter $([datetime]::now.AddYears(5))

(very first example).

Starting with Windows 8, you can use built-in certreq.exe tool to generate the certificate. Create INF file with cert configuration, for example:

[NewRequest]
Subject = "CN=Test Code Signing"
KeyLength = 2048
KeyAlgorithm = RSA
ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"
MachineKeySet = false
Exportable = true
KeySpec = 2
KeyUsage = 0x80
RequestType = Cert
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.3 ; Code signing

and then run the following command:

Certreq –new path\inffilename.inf

This will generate and install the certificate to current user's certificate store.

Starting with Windows 10, you can use built-in PowerShell cmdlet as follows:

New-SelfSignedCertificate -CertStoreLocation cert:\currentuser\my `
-Subject "CN=Test Code Signing" `
-KeyAlgorithm RSA `
-KeyLength 2048 `
-Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" `
-KeyExportPolicy Exportable `
-KeyUsage DigitalSignature `
-Type CodeSigningCert

However, self-signed certificate usage for code signing in production environments is discouraged. You should use them in test environments only.

For private usage (within the organization only), you should check if company already owns PKI infrastructure and contact appropriate personnel to receive company-approved code signing certificate.

For public scripts (you are going to distribute along with software packages, or deliver scripts to your customers), I would suggest to purchase code signing from globally trusted commercial CA provider.