Script signing problems, what's wrong with my cert?


Mike Leone

Nov 3, 2025, 11:35:43 AM
to NTPowershell Mailing List
Somebody explain this to me, please. I issued myself a code signing certificate, so I could sign my scripts. :-)

Sure looks like it should be good to codesign ...

PS Z:\> $SigningCert = Get-ChildItem Cert:\CurrentUser\My\
foreach ($extension in $SigningCert.Extensions) {
    Write-Host "Extension OID: $($extension.Oid.Value)"
    Write-Host "Extension Value (Formatted): $($extension.Format(0))"
    Write-Host "---"
}
Extension OID: 1.3.6.1.4.1.311.21.7
Extension Value (Formatted): Template=PHA Code Signing Template(1.3.6.1.4.1.311.21.8.10369535.12142142.11356553.3523258.15422597.205.6632120.7522451), Major Version Number=100, Minor Version Number=8
---
Extension OID: 2.5.29.37
Extension Value (Formatted): Code Signing (1.3.6.1.5.5.7.3.3)
---
Extension OID: 2.5.29.15
Extension Value (Formatted): Digital Signature (80)
---
Extension OID: 1.3.6.1.4.1.311.21.10
Extension Value (Formatted): [1]Application Certificate Policy:Policy Identifier=Code Signing
---
Extension OID: 2.5.29.14
Extension Value (Formatted): 96319b2b5c6cd2df10f74396333a55a037a8b94b
---
Extension OID: 2.5.29.35
Extension Value (Formatted): KeyID=c711b116e6f595aa9f16ea5bde97db16e54dbd73
---
Extension OID: 2.5.29.31
Extension Value (Formatted): [1]CRL Distribution Point: Distribution Point Name:Full Name:URL=ldap:///CN=DCTRCERT002,CN=DCTRCERT002,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=ads,DC=pha,DC=phila,DC=gov?certificateRevocationList?base?objectClass=cRLDistributionPoint (ldap:///CN=DCTRCERT002,CN=DCTRCERT002,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ads,DC=pha,DC=phila,DC=gov?certificateRevocationList?base?objectClass=cRLDistributionPoint), URL=http://pki.wrk.ads.pha.phila.gov/CertEnroll/DCTRCERT002.crl, URL=http://pki.wrk.ads.pha.phila.gov/crld/DCTRCERT002.crl
---
Extension OID: 1.3.6.1.5.5.7.1.1
Extension Value (Formatted): [1]Authority Info Access: Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2), Alternative Name=URL=ldap:///CN=DCTRCERT002,CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=ads,DC=pha,DC=phila,DC=gov?cACertificate?base?objectClass=certificationAuthority (ldap:///CN=DCTRCERT002,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ads,DC=pha,DC=phila,DC=gov?cACertificate?base?objectClass=certificationAuthority), [2]Authority Info Access: Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2), Alternative Name=URL=http://pki.wrk.ads.pha.phila.gov/CertEnroll/DCTRCERT002.wrk.ads.pha.phila.gov_DCTRCERT002.crt
---
Extension OID: 2.5.29.17
Extension Value (Formatted): Other Name:Principal Name=MJL-...@wrk.ads.pha.phila.gov
---
Extension OID: 1.3.6.1.4.1.311.25.2
Extension Value (Formatted): 30 3f a0 3d 06 0a 2b 06 01 04 01 82 37 19 02 01 a0 2f 04 2d 53 2d 31 2d 35 2d 32 31 2d 31 37 33 36 38 32 39 39 37 2d 31 30 35 36 38 36 35 33 34 36 2d 33 32 34 36 31 38 32 30 37 2d 33 38 31 36 31
---

PS Z:\>

BUT:

$SigningCert = Get-ChildItem Cert:\CurrentUser\My\
$FileName = "\\DC1FIL020\netadmin\software\PHA Scripts\DNS\Backup-All-DNS-Zones.PS1"
Set-AuthenticodeSignature -FilePath $FileName  -Certificate $SigningCert

PS O:\software\PHA Scripts> .\Set-signing-certificate.PS1
Set-AuthenticodeSignature : Cannot sign code. The specified certificate is not suitable for code signing.
At O:\software\PHA Scripts\Set-signing-certificate.PS1:3 char:1
+ Set-AuthenticodeSignature -FilePath $FileName  -Certificate $SigningC ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Set-AuthenticodeSignature], PSArgumentException
    + FullyQualifiedErrorId : Argument,Microsoft.PowerShell.Commands.SetAuthenticodeSignatureCommand


What am I misunderstanding here? Why isn't this cert suitable for code signing? Did I screw up the code signing template, when I duplicated it?

(BTW, I imported the script to my personal store, and also into Trusted Publishers)



--

Mike. Leone, <mailto:tur...@mike-leone.com>

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: <http://www.flickr.com/photos/mikeleonephotos>

Mike Leone

Nov 3, 2025, 12:31:32 PM
to NTPowershell Mailing List
Now it seems to be working ... I'm wondering if it was pulling the wrong cert, my regular user cert, rather than the one I issued for code signing.

But I made a whole new code signing template, issued me a new cert, imported it. This time I made sure to read it by thumbprint, to make sure I got the right script:

--------------
$SigningCert = Get-ChildItem Cert:\CurrentUser\My\ | Where-Object {$_.Thumbprint -eq "bc1d28c989244a36777aa3ef33515345da2bc173"}
$SigningCert

foreach ($extension in $SigningCert.Extensions) {
    Write-Host "Extension OID: $($extension.Oid.Value)"
    Write-Host "Extension Value (Formatted): $($extension.Format(0))"
    Write-Host "---"
}

$FileName = "\\DC1FIL020\netadmin\software\PHA Scripts\DNS\Backup-All-DNS-Zones.PS1"

Set-AuthenticodeSignature -FilePath $FileName  -Certificate $SigningCert
------------------

Then it worked ...

SignerCertificate      : [Subject]
                           CN=(Privileged) Michael Leone, OU=Priv_ISM, OU=Privileged_Accounts, OU=ISM, DC=wrk, DC=ads, DC=pha, DC=phila, DC=gov

                         [Issuer]
                           CN=DCTRCERT002

                         [Serial Number]
                           15000001078E264E2001D9DEF9000000000107

                         [Not Before]
                           11/3/2025 11:49:54 AM

                         [Not After]
                           11/2/2030 12:49:54 PM

                         [Thumbprint]
                           BC1D28C989244A36777AA3EF33515345DA2BC173

TimeStamperCertificate :
Status                 : Valid
StatusMessage          : Signature verified.
Path                   : \\DC1FIL020\netadmin\software\PHA Scripts\DNS\Backup-All-DNS-Zones.PS1
SignatureType          : Authenticode
IsOSBinary             : False

And I see the signature in the script file.

Now weirdly, that worked on my Win 11 workstation, but did NOT work when I tried to run the signing script on a Win 2019 server that I want to execute the script from.

But my script is signed, at least, which is mostly what I needed ...

If anyone has a hint as to why it works on my Win 11 workstation, and not my Win 2019 script host, I'm all ears ...

Thanks

Michael B. Smith

Nov 3, 2025, 12:38:00 PM
to ntpowe...@googlegroups.com

Yeah, I was about to suggest that $SigningCert was a collection instead of a single certificate.

$SigningCert.Gettype().Fullname will tell you that.

Generally, signing certificates are stored as PFX files.

This seems to cover all the required steps: https://patchmypc.com/kb/how-generate-code-signing-certificate/

I'd guess, on the 2019 vs. Win11 issue, you have incompatible ciphers.

--
You received this message because you are subscribed to the Google Groups "ntpowershell" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntpowershell...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/ntpowershell/CAHBr%2B%2Bj82_4bPZgeadkB1LRnW%2BD4g5AR8BR1tB9o0fy%3D4SUfpw%40mail.gmail.com.
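An added example, not code from either poster, showing the checks the reply above suggests: select exactly one certificate by thumbprint, confirm it is a single X509Certificate2 rather than a collection, verify the properties Set-AuthenticodeSignature needs, then sign and verify. The thumbprint and script path are the ones posted in the thread; the `-CodeSigningCert` filter is the certificate provider's own parameter.

```powershell
# Added example (not from the thread). Assumptions: the thumbprint and
# script path are the ones posted above; adjust both for your environment.
$Thumbprint = 'BC1D28C989244A36777AA3EF33515345DA2BC173'
$FileName   = '\\DC1FIL020\netadmin\software\PHA Scripts\DNS\Backup-All-DNS-Zones.PS1'

# -CodeSigningCert (certificate provider parameter) keeps only certs whose EKU
# includes Code Signing (1.3.6.1.5.5.7.3.3) and that have a private key.
$Candidates = @(Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.Thumbprint -eq $Thumbprint })

if ($Candidates.Count -ne 1) {
    throw "Expected exactly one code-signing cert with thumbprint $Thumbprint, found $($Candidates.Count)."
}
$SigningCert = $Candidates[0]

# The check from the reply above: a bare Get-ChildItem of a store with several
# certs yields System.Object[], which Set-AuthenticodeSignature rejects.
Write-Host "Type: $($SigningCert.GetType().FullName)"
# Expected: System.Security.Cryptography.X509Certificates.X509Certificate2

# Explicit pre-flight checks so a failure names the real cause.
$eku = $SigningCert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
if (-not $SigningCert.HasPrivateKey) { throw 'No private key for this cert in this store.' }
if (-not $eku -or ($eku.EnhancedKeyUsages.Value -notcontains '1.3.6.1.5.5.7.3.3')) {
    throw 'EKU does not include Code Signing (1.3.6.1.5.5.7.3.3).'
}
if ($SigningCert.NotAfter -lt (Get-Date)) { throw 'Certificate is expired.' }

# Sign with SHA-256 and stop if the signature did not come back Valid.
$sig = Set-AuthenticodeSignature -FilePath $FileName -Certificate $SigningCert -HashAlgorithm SHA256
if ($sig.Status -ne 'Valid') { throw "Signing failed: $($sig.StatusMessage)" }

# Independent verification, as the script host will see it at run time.
$check = Get-AuthenticodeSignature -FilePath $FileName
[pscustomobject]@{
    Status     = $check.Status
    Signer     = $check.SignerCertificate.Subject
    Thumbprint = $check.SignerCertificate.Thumbprint
}
```

Run this on both the workstation and the script host: if the pre-flight checks pass on one and throw on the other, the message names which property the second machine's store is missing.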

Mike Leone

Nov 3, 2025, 12:55:13 PM
to ntpowe...@googlegroups.com
On Mon, Nov 3, 2025 at 12:38 PM Michael B. Smith <mic...@smithcons.com> wrote:

> Yeah, I was about to suggest that $SigningCert was a collection instead of a single certificate.
>
> $SigningCert.Gettype().Fullname will tell you that.

It still fails on the 2019, even if I specify which cert I want by thumbprint, so there's only 1 cert being loaded, not a collection.

> Generally, signing certificates are stored as PFX files.

Oh? Didn't know that. Since I used the cert myself from internal CA, it just ended up in my personal store, no need to import a file.

> This seems to cover all the required steps: https://patchmypc.com/kb/how-generate-code-signing-certificate/

Yeah, that's the page I was following, when I rebuilt my code signing cert ..

Yeah, on my Win 11, even the original cert I was trying to sign with can sign. I thought I had created it correctly!
I loaded it by thumbprint ...

So it must be something with the 2019 ..

> I'd guess, on the 2019 vs. Win11 issue, you have incompatible ciphers.

Wonder how that could happen ... how do you correct that? I mean, I *should* be signing the certs from my priv workstation, and just executing on the 2019. But how do I make the ciphers match, then?

Michael B. Smith

Nov 3, 2025, 3:27:50 PM
to ntpowe...@googlegroups.com

Do you get the same error?

What OS is your CA running?


Mike Leone

Nov 3, 2025, 3:30:06 PM
to ntpowe...@googlegroups.com
The root CA is a Linux box, mostly offline. The intermediate CA is what we use to issue all certs, and it is Win 2016.


Michael B. Smith

Nov 3, 2025, 3:43:55 PM
to ntpowe...@googlegroups.com

Mike Leone

Nov 3, 2025, 3:46:35 PM
to ntpowe...@googlegroups.com
On Mon, Nov 3, 2025 at 3:43 PM Michael B. Smith <mic...@smithcons.com> wrote:

> Do you get the same error?

What same error? Same as what?

As I say, I can't sign a script if I log into the Win 2019 host. But I can sign a script if I log into Win 11. Win 2019 just says "Set-AuthenticodeSignature : Cannot sign code. The specified certificate is not suitable for code signing."

Using the same account, same cert (loaded into the same stores on both).
