How to Manage Internal Code Signing Certificates in Windows?

Asked By TechWiseGiraffe42 On

I have a private PKI setup for our enterprise, and I've generated a code signing certificate from it. However, I'm facing a challenge getting this certificate into the "Trusted Publisher" store on Windows. Having only the intermediate and root CA certificates doesn't seem to cut it. Although I'm not seeing any specific errors, I'm constantly prompted by PowerShell that it's a certificate signed by our enterprise PKI, asking if I want to allow it to execute the scripts. I don't include the trust chain in the certificate, but the intermediate and root certificates are correctly placed in their respective stores. I do make sure to timestamp my signed artifacts. I'm wondering why this happens, and I'd love to hear how others manage their private code signing processes. Also, am I really expected to push the signing certificate to the Trusted Publisher store every 15 months? I get that public code signing is an option to bypass these issues, but we're required to stick with internal code signing for now.

4 Answers

Answered By AdminAce On

What I do is push the public cert to the "Trusted Publisher" through a Microsoft AD group policy, which helps automate the process across endpoints. There are various ways to handle this, like using a script or an installer. You really should be pushing the cert every time it expires to avoid interruptions.
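The prompt the question describes comes from the execution policy (AllSigned, or RemoteSigned for downloaded scripts) finding that the signer is not in the Trusted Publishers store; a chain that builds to a trusted root is not enough. Below is an added example, not code posted in this thread, of the script-based variant of the answer above: it reads the signer certificate out of a signed script's own signature and places it in the machine's Trusted Publishers store. The script path is a placeholder, and the script must run elevated to write to LocalMachine.

```powershell
# Added example (not from the thread): trust a signer on this machine by
# copying its certificate into LocalMachine\TrustedPublisher, the store the
# AllSigned/RemoteSigned prompt consults. Run elevated. The script path is a
# placeholder; the certificate is taken from the script's own signature.
param([string]$SignedScript = '.\Deploy-Tool.ps1')   # placeholder path

$sig = Get-AuthenticodeSignature -FilePath $SignedScript
if ($sig.Status -ne 'Valid') {
    throw "Signature is $($sig.Status): $($sig.StatusMessage)"
}
$signerCert = $sig.SignerCertificate

# 'Valid' only means the chain builds to a trusted root. The prompt comes
# from a separate check: is this exact signer in Trusted Publishers?
$store = [System.Security.Cryptography.X509Certificates.X509Store]::new(
    'TrustedPublisher', 'LocalMachine')
$store.Open('ReadWrite')
try {
    $already = $store.Certificates.Find('FindByThumbprint', $signerCert.Thumbprint, $false)
    if ($already.Count -eq 0) {
        $store.Add($signerCert)
        "Added $($signerCert.Subject) ($($signerCert.Thumbprint)) to TrustedPublisher"
    } else {
        "Signer already trusted: $($signerCert.Thumbprint)"
    }
} finally {
    $store.Close()
}

# A certificate in the Disallowed (Untrusted Certificates) store overrides
# any trust granted above, so report that case explicitly.
$blocked = Get-ChildItem Cert:\LocalMachine\Disallowed |
    Where-Object Thumbprint -eq $signerCert.Thumbprint
if ($blocked) { Write-Warning 'Signer is also present in the Untrusted Certificates store' }

# Report the expiry so the redeploy date for the next certificate is known.
"Publisher cert valid until $($signerCert.NotAfter); redeploy before then."
```

For fleet-wide deployment the same certificate goes into Group Policy under Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Publishers; when the signing certificate is renewed, the new one is added alongside the old rather than replacing it, so scripts signed (and timestamped) with the previous certificate keep running.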

Answered By Explorer22 On

You didn't mention the specific error you're seeing. Recently, there was an interesting discussion related to this topic that might provide additional insights, even if it was on another platform. Just make sure you're compliant with all requirements to avoid issues!

Answered By ScriptingSage99 On

We've switched to Azure Signing, and it really has simplified things for us. We just rely on the publicly trusted certificate it signs with, which eliminates a lot of headaches. If we ever need to distribute an internal tool, we just make sure everything is clean and ready to go before sending it out.

Answered By CertMaster3000 On

If the certificate isn't in Trusted Publishers, it usually leads to execution blocks, prompting users to confirm every script run. You mentioned you don't include the trust chain; that could be part of the issue. Including all parts of your trust chain is crucial for the system to recognize the certificate properly.
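To check what the signature actually carries, here is an added example (not code from this thread) that signs a script with the intermediates embedded and timestamped, then decodes the PKCS#7 block that Set-AuthenticodeSignature appends to the file and lists the certificates inside it. It assumes a code-signing certificate with a private key in Cert:\CurrentUser\My; the script path and the timestamp URL are placeholders.

```powershell
# Added example (not from the thread): sign with the chain embedded, then
# decode the signature block to confirm which certificates it carries.
# Assumptions: a code-signing cert is in Cert:\CurrentUser\My; the script
# path and the timestamp URL are placeholders to replace with your own.
param(
    [string]$ScriptPath = '.\Deploy-Tool.ps1',                   # placeholder
    [string]$TimestampServer = 'http://timestamp.example.internal'  # placeholder
)

# Pick the first usable code-signing certificate with a private key.
$signer = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object HasPrivateKey | Select-Object -First 1
if (-not $signer) { throw 'No code-signing certificate with a private key found.' }

# -IncludeChain notroot embeds the signer and intermediates; the root is
# expected to be in the verifying machine's Trusted Root store already.
$sig = Set-AuthenticodeSignature -FilePath $ScriptPath -Certificate $signer `
    -IncludeChain notroot -TimestampServer $TimestampServer -HashAlgorithm SHA256
"Signature status after signing: $($sig.Status) ($($sig.StatusMessage))"

# Pull the base64 PKCS#7 blob out of the '# SIG #' comment block.
$lines = Get-Content -Path $ScriptPath
$start = [Array]::IndexOf($lines, '# SIG # Begin signature block')
$end   = [Array]::IndexOf($lines, '# SIG # End signature block')
if ($start -lt 0 -or $end -lt 0) { throw 'No signature block found.' }
$b64   = ($lines[($start + 1)..($end - 1)] -replace '^# ', '') -join ''
$bytes = [Convert]::FromBase64String($b64)

# Decode the SignedData and list the certificates in the outer structure
# (the RFC 3161 timestamp token carries its own certificates separately).
Add-Type -AssemblyName System.Security   # needed on Windows PowerShell 5.1
$cms = [System.Security.Cryptography.Pkcs.SignedCms]::new()
$cms.Decode($bytes)
"Certificates embedded in the signature:"
$cms.Certificates | ForEach-Object {
    '  {0}  issued by {1}' -f $_.Subject, $_.Issuer
}
"Timestamped by: $($sig.TimeStamperCertificate.Subject)"
```

If the listing shows only the leaf, the verifying machine has to find the intermediate on its own (from its local store or an AIA URL it can reach); embedding it removes that dependency, which is the point made in the answer above.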
