4

I have to sign remote scripts with a certificate from the remote machine from which I have a .pfx file.

I would like to automate the scripting by supplying the password to the Get-PfxCertificate programmatically.

So the question is:

Is it possible to somehow supply programmatically the required password to

Get-PfxCertificate?

Improve this question

3 Answers 3

Reset to default
9 
$CertPath = "my.pfx"
$CertPass = "mypw"
$Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath, $CertPass)
Set-AuthenticodeSignature -Certificate $Cert -TimeStampServer http://timestamp.verisign.com/scripts/timstamp.dll -FilePath $OutputFilename

Make sure you have the proper permissions otherwise you won't be able to create an instance of the X509Certificate2 object.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Great answer. You can use Get-PfxData for this, as well. You need to supply the password as a SecureString and the EndEntityCertificates to use the certificate without being prompted. Using your example: ` $SecurePassword=ConvertTo-SecureString -String "mypw" -AsPlainText -Force; $PfxData=Get-PfxData -FilePath "my.pfx" -Password $SecurePassword; Set-AuthenticodeSignature -Certificate $PfxData.EndEntityCertificates[0] -TimeStampServer timestamp.verisign.com/scripts/timstamp.dll -FilePath $OutputFilename; `
2

Another way of doing this is by loading your certificate directly from your certificate store using PS Providers. Use Get-PSProviders to determine available PSProviders on your machine. Once you have cert provider loaded, you can now get the certificate using Get-ChildItem

Launch certmgr.msc from run to launch the certificate store
Assuming that your certificate is stored under Personal folder in your cert store
and has "Company Name" set in the subject property of the certificate, and there is only certificate in that folder with Company Name in the subject - you can get the certificate like so

$my_cert = Get-ChildItem cert:\CurrentUser\My | ? {$_.Subject -match "Company Name"}

$my_cert will be your certificate object that you can pass directly to Set-AuthenticodeSignature cmdlet

Set-AuthenticodeSignature -Certificate $my_cert -FilePath fqn_to_dll.dll -Timestampserver "http://timestampurl"

post signing, you can retrieve the sign status by querying on the Status property for "Valid" or not like

$result = Set-AuthenticodeSignature -Certificate $my_cert -FilePath fqn_to_dll.dll -Timestampserver "http://timestampurl" | Select Status
if(-Not ($result -eq "Valid")){
    Write-Output "Error Signing file: Status: $($result.Status)"    
}
Improve this answer

1 Comment

Nice option, but how does this avoid the password prompt?
1

I did a bit of checking around on this and couldn't find a clean way to provide the password programmatically. I suspect it is meant to be this way for security reasons. Either that or the PowerShell development team just blew it by not including a Credential parameter for this cmdlet. The only other option I can think of is to use someting like SendKeys to send the individual password character key presses to the PowerShell console at the right time via a background job (blech - just threw up in my mouth a little). :-)

Improve this answer

1 Comment

Starting with PowerShell 6, Get-PfxCertificate will allow you to pass it a -Password parameter (which needs to be passed as a SecureString object): learn.microsoft.com/en-us/powershell/module/…

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.