Trusted Publisher - Code Signing Certificate

Steve 1 Reputation point
2022-09-03T19:43:30.16+00:00

I am working on trying out code signing on my test environment and have now created a certificate template on my CA that I can request with my user.

The certificate expires after one year, but in my Powershell script I give a timestamp server when signing. So the signed script should work even after one year.

But I noticed that when I start the script, I always get the message that it was not signed by a trusted publisher.

So I have exported the certificate on the client and created a GPO, which imports the certificate on all clients as Trusted Publisher.

Now the script works without any message.

But now the problem is that when 1 year has passed, the certificate on my client expires and I have to request a new one from the CA so that I can sign more scripts.

This means that the new certificate is no longer from a trusted publisher and I have to import one more certificate via GPO under Trusted Publisher. This means that more and more certificates are added and I can't delete the old ones, because otherwise the old signed scripts won't work anymore.

Can I stop the trusted publisher message without having to re-import all code signing certificates every year?

Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,900 questions
Windows Hardware Performance
Windows Hardware Performance
Windows: A family of Microsoft operating systems that run across personal computers, tablets, laptops, phones, internet of things devices, self-contained mixed reality headsets, large collaboration screens, and other devices.Hardware Performance: Delivering / providing hardware or hardware systems or adjusting / adapting hardware or hardware systems.
1,664 questions
Windows Server PowerShell
Windows Server PowerShell
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.PowerShell: A family of Microsoft task automation and configuration management frameworks consisting of a command-line shell and associated scripting language.
5,621 questions
0 comments No comments
{count} votes

6 answers

Sort by: Most helpful
  1. Steve 1 Reputation point
    2023-01-04T13:03:23.473+00:00

    After much consideration and testing, I came up with the following approach:

    I created a service account and gave only this account the right to request a signing certificate. I did this on a test client and exported the certificate as .cer and .pfx (with private key and +16 digit password).
    The .cert I added via GPO on all clients as "Trusted Publisher" and the .pfx file I put on a network drive folder where only the CodeSign users have access.

    Now I have written a Powershell script, with which the CodeSign users can simply sign a script via drag & drop box. The script also imports the certificate when it starts and deletes it from the client after closing the script.

    Additional info:
    The certificate is valid for 1 year (so I will renew it every year).
    The already signed scripts remain valid after one year, thanks to a public timestamp server.

    Thanks for your many helpful answers.
    If you have any suggestions for improving the process, feel free to share them.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.