Trusted Publisher - Code Signing Certificate

Steve 1 Reputation point
2022-09-03T19:43:30.16+00:00

I am working on trying out code signing on my test environment and have now created a certificate template on my CA that I can request with my user.

The certificate expires after one year, but in my Powershell script I give a timestamp server when signing. So the signed script should work even after one year.

But I noticed that when I start the script, I always get the message that it was not signed by a trusted publisher.

So I have exported the certificate on the client and created a GPO, which imports the certificate on all clients as Trusted Publisher.

Now the script works without any message.

But now the problem is that when 1 year has passed, the certificate on my client expires and I have to request a new one from the CA so that I can sign more scripts.

This means that the new certificate is no longer from a trusted publisher and I have to import one more certificate via GPO under Trusted Publisher. This means that more and more certificates are added and I can't delete the old ones, because otherwise the old signed scripts won't work anymore.

Can I stop the trusted publisher message without having to re-import all code signing certificates every year?

Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,733 questions
Windows Hardware Performance
Windows Hardware Performance
Windows: A family of Microsoft operating systems that run across personal computers, tablets, laptops, phones, internet of things devices, self-contained mixed reality headsets, large collaboration screens, and other devices.Hardware Performance: Delivering / providing hardware or hardware systems or adjusting / adapting hardware or hardware systems.
1,552 questions
Windows Server PowerShell
Windows Server PowerShell
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.PowerShell: A family of Microsoft task automation and configuration management frameworks consisting of a command-line shell and associated scripting language.
5,390 questions
0 comments

6 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Steve 1 Reputation point
    2023-01-04T13:03:23.473+00:00

    After much consideration and testing, I came up with the following approach:

    I created a service account and gave only this account the right to request a signing certificate. I did this on a test client and exported the certificate as .cer and .pfx (with private key and +16 digit password).
    The .cert I added via GPO on all clients as "Trusted Publisher" and the .pfx file I put on a network drive folder where only the CodeSign users have access.

    Now I have written a Powershell script, with which the CodeSign users can simply sign a script via drag & drop box. The script also imports the certificate when it starts and deletes it from the client after closing the script.

    Additional info:
    The certificate is valid for 1 year (so I will renew it every year).
    The already signed scripts remain valid after one year, thanks to a public timestamp server.

    Thanks for your many helpful answers.
    If you have any suggestions for improving the process, feel free to share them.