According to this guide I tried to create a certificate for signing PowerShell scripts:
CD C:\OpenSSL-Win32\bin
REM Create the key for the Certificate Authority. 2048 is the bit encryption, you can set it whatever you want
openssl genrsa -out C:\Test\ca.key 2048
openssl req -config C:\OpenSSL-Win32\bin\openssl.cfg -new -x509 -days 1826 -key C:\Test\ca.key -out C:\Test\ca.crt
REM Now I'm creating the private key that will be for the actual code signing cert
openssl genrsa -out C:\Test\codesign.key 2048
openssl req -config C:\OpenSSL-Win32\bin\openssl.cfg -new -key C:\Test\codesign.key -reqexts v3_req -out C:\Test\codesign.csr
openssl x509 -req -days 1826 -in C:\Test\codesign.csr -CA C:\Test\ca.crt -CAkey C:\Test\ca.key -extfile C:\OpenSSL-Win32\bin\cnf\opensslTest.cnf -set_serial 01 -out C:\Test\codesign.crt
openssl pkcs12 -export -out C:\Test\codesign.pfx -inkey C:\Test\codesign.key -in C:\Test\codesign.crt
The following error occurs:
C:\OpenSSL-Win32\bin>openssl x509 -req -days 1826 -in C:\Test\codesign.csr -CA C:\Test\ca.crt -CAkey C:\Test\ca.key -extfile C:\OpenSSL-Win32\bin\cnf\openssl.cnf -set_serial 01 -out C:\Test\codesign.crt
Error Loading extension section default
14516:error:22097082:X509 V3 routines:do_ext_nconf:unknown extension name:crypto\x509v3\v3_conf.c:78:
14516:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:crypto\x509v3\v3_conf.c:47:name=HOME, value=.
I used OpenSSL v1.1.0c. Every other guide I found creates certificates that are not usable for code signing.
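The error above comes from `-extfile` being pointed at a complete openssl.cnf with no `-extensions` argument, so OpenSSL reads the file's unnamed default section (where `HOME = .` lives) as if it were a list of extensions. The script below is an added example, not part of the question or of any guide it cites: it keeps the same genrsa / req / x509 -req / pkcs12 flow but signs with a small, dedicated extension file and names the section explicitly, then checks that the resulting certificate chains to the CA and actually carries the Code Signing EKU. The directory, subject names, file names and section names are all constructed for this example; it assumes an `openssl` binary on PATH (1.1.x or 3.x) and is written for a POSIX shell rather than cmd.exe.

```shell
#!/bin/sh
# Added example: self-signed CA plus a code-signing certificate issued by it.
# Assumes openssl on PATH. All paths, subjects and section names are constructed.
set -e

# Create CA and code-signing material inside the scratch directory $1.
make_codesign_cert() {
  dir="$1"
  mkdir -p "$dir"

  # Dedicated extension file. 'x509 -req -extfile F -extensions S' reads ONLY
  # section S; passing a full openssl.cnf without -extensions makes OpenSSL parse
  # its default section (HOME = . etc.) and fail with "unknown extension name".
  cat > "$dir/extensions.cnf" <<'EOF'
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ codesign_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, codeSigning
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF

  # CA key, CSR, and self-signed CA certificate with the ca_ext section applied.
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -new -key "$dir/ca.key" -subj "/CN=Example Test CA" \
    -out "$dir/ca.csr" 2>/dev/null
  openssl x509 -req -days 1826 -in "$dir/ca.csr" -signkey "$dir/ca.key" \
    -extfile "$dir/extensions.cnf" -extensions ca_ext \
    -out "$dir/ca.crt" 2>/dev/null

  # Code-signing key and CSR. Extensions are added at signing time below;
  # 'x509 -req' ignores any extensions inside the CSR unless told to copy them.
  openssl genrsa -out "$dir/codesign.key" 2048 2>/dev/null
  openssl req -new -key "$dir/codesign.key" -subj "/CN=Example Code Signing" \
    -out "$dir/codesign.csr" 2>/dev/null

  # Issue the leaf certificate from the CA, applying only codesign_ext.
  openssl x509 -req -days 1826 -in "$dir/codesign.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -set_serial 01 \
    -extfile "$dir/extensions.cnf" -extensions codesign_ext \
    -out "$dir/codesign.crt" 2>/dev/null

  # Bundle key and certificate as PKCS#12 for import on Windows.
  # Empty export password here only because this is a throwaway example.
  openssl pkcs12 -export -out "$dir/codesign.pfx" -inkey "$dir/codesign.key" \
    -in "$dir/codesign.crt" -passout pass: 2>/dev/null
}

# Verify the issued certificate: it must chain to the CA and carry the
# Code Signing extended key usage. Echoes "ok" when both checks pass.
check_codesign_cert() {
  dir="$1"
  openssl verify -CAfile "$dir/ca.crt" "$dir/codesign.crt" >/dev/null 2>&1 \
    || { echo "chain-fail"; return 1; }
  openssl x509 -in "$dir/codesign.crt" -noout -text | grep -q "Code Signing" \
    || { echo "no-eku"; return 1; }
  echo "ok"
}

# Usage (example): make_codesign_cert /tmp/codesign && check_codesign_cert /tmp/codesign
```

The same two-section file works on Windows by replacing the paths with `C:\Test\...` equivalents; the important parts are the separate extension file and the `-extensions codesign_ext` argument, which together stop OpenSSL from reading the default section of a full configuration file.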
Best Answer
There is no need for OpenSSL on Windows. On Windows 7, you can use my own PowerShell script I published on TechNet Script Gallery: Self-signed certificate generator (PowerShell). The usage can be something like this:
(very first example).
Starting with Windows 8, you can use the built-in certreq.exe tool to generate the certificate. Create an INF file with the cert configuration, for example: and then run the following command:
This will generate and install the certificate to the current user's certificate store.
Starting with Windows 10, you can use the built-in PowerShell cmdlet as follows:
However, self-signed certificate usage for code signing in production environments is discouraged. You should use them in test environments only.
For private usage (within the organization only), you should check whether the company already owns a PKI infrastructure and contact the appropriate personnel to receive a company-approved code signing certificate.
For public scripts (scripts you are going to distribute along with software packages, or deliver to your customers), I would suggest purchasing a code signing certificate from a globally trusted commercial CA provider.