I'm trying to figure out how to get my PowerShell scripts signed. What do I need in terms of certificates? Do I have to set up something special with Active Directory or PKI? Also, am I looking at purchasing commercial certificates for this?
4 Answers
Don't forget about Azure Trusted Signing! It's worth checking out if you're finding it hard to get .PFX files for your code-signing certificates. Just read up on their documentation for details.
Keep in mind that if you're using your own PKI, your scripts won't be timestamped, making them invalid once the certificate expires. Using a public CA allows you to take advantage of timestamping, keeping your signature valid even after expiration.
To sign your scripts, you'll need a code-signing certificate. You have a few options depending on your needs:
- If your scripts will only be used within your organization, using a code-signing certificate from your Active Directory (AD) and on-premises PKI is a good route.
- For scripts you plan to share publicly, a commercial certificate is definitely the way to go.
- Alternatively, you can create a self-signed certificate, but this is not recommended as it has limited scope and is usually regarded as less secure. Just remember, a self-signed cert won't be trusted by others without extra steps.
Running your own on-prem PKI is actually pretty useful if it matches your scripting scope. But for smaller setups, you might wanna consider simpler certificate generation tools like mkcert.
Oh, another question for those in the know: do I need to refresh my certificates periodically? I hope it’s okay to ask this here!
Yes, renewing your certificates is normal practice. Public certificates generally require renewal every three years or less, while private PKI certs can often go longer.
Does anyone know what the costs are for Azure Trusted Signing? I couldn’t find it on their pricing page.