I apologize if this has been answered elsewhere, but I couldn't find anything that quite fit what I'm trying to do here.

I have a CA set up already on a Linux server, and I use it for creating OpenVPN certs. I want to utilize this existing infrastructure if I can.

What I intend to do is create the signing certificate on my Linux server using easy-rsa, import that into a Server 2012 R2 environment, and sign it from there. After that, I'd import the necessary certs on the servers I'm deploying my scripts to.

Is this possible? Are there limits to the key size? What algorithms can I use? Is EC supported? If so, which curves?

All the literature I've come across talks about creating the CA on a Windows Server, so I'm at a bit of a loss here.

1 Answer

It took 3 years and I asked the same question, and the answer is - Yes!

Requirements: easy-rsa, openssl

Step 1: Generate RSA private key.
openssl genrsa -out MySPC.key

Step 2: Make certificate request.
openssl req -new -key MySPC.key -out MySPC.req

Step 3: Import certificate request to easyrsa.
easyrsa import-req MySPC.req MySPC

Step 4: Sign certificate request, and make SPC certificate.
easyrsa sign-req code-signing MySPC

Step 5: Make PFX.
openssl pkcs12 -export -out MySPC.pfx -inkey MySPC.key -in MySPC.crt -certfile MyCA.crt

Last step: Import PFX file to Windows Keystore.
Import PFX file to Trusted Publishers Certificate Store.

Now you can use this certificate to sign your PowerShell scripts and other executables!
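A pre-flight check that can run between steps 4 and 5 of the answer above, as an added example that is not part of the original answer: it confirms the issued certificate chains to the CA, carries the Code Signing EKU, and matches the private key before anything is exported to PFX. `check_spc` and `make_demo_pki` are hypothetical helper names, the demo PKI is constructed with plain openssl as a stand-in for the easy-rsa output, and OpenSSL 1.1.1 or later is assumed for `-ext`.

```shell
#!/bin/sh
# check_spc CERT KEY CA (hypothetical helper): returns 0 only if all checks pass.
check_spc() {
    cert=$1; key=$2; ca=$3
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "FAIL: $cert does not chain to $ca"; return 1; }
    # -ext (OpenSSL 1.1.1+) prints only the named extension.
    openssl x509 -in "$cert" -noout -ext extendedKeyUsage 2>/dev/null |
        grep -q 'Code Signing' ||
        { echo "FAIL: $cert has no Code Signing EKU"; return 2; }
    # Compare public keys so a mismatched key never reaches the PFX.
    a=$(openssl x509 -in "$cert" -noout -pubkey | openssl dgst -sha256)
    b=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl dgst -sha256)
    [ "$a" = "$b" ] || { echo "FAIL: $key does not match $cert"; return 3; }
    echo "OK: $cert"
}

# Constructed demo PKI standing in for the easy-rsa output: a throwaway CA,
# a code-signing cert (MySPC) and a serverAuth-only cert (NoEKU).
make_demo_pki() {
    d=$1
    cat >"$d/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = demo
[ca_ext]
basicConstraints = critical,CA:TRUE
[MySPC]
extendedKeyUsage = codeSigning
[NoEKU]
extendedKeyUsage = serverAuth
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/demo.cnf" \
        -extensions ca_ext -subj "/CN=Demo CA" -keyout "$d/MyCA.key" \
        -out "$d/MyCA.crt" 2>/dev/null || return 1
    for n in MySPC NoEKU; do
        openssl req -new -newkey rsa:2048 -nodes -config "$d/demo.cnf" \
            -subj "/CN=$n" -keyout "$d/$n.key" -out "$d/$n.req" 2>/dev/null &&
        openssl x509 -req -in "$d/$n.req" -days 1 -CA "$d/MyCA.crt" \
            -CAkey "$d/MyCA.key" -CAcreateserial -extfile "$d/demo.cnf" \
            -extensions "$n" -out "$d/$n.crt" 2>/dev/null || return 1
    done
}

# Demo: MySPC passes; NoEKU is rejected before it could be exported.
demo=$(mktemp -d) && make_demo_pki "$demo" && for n in MySPC NoEKU; do
    check_spc "$demo/$n.crt" "$demo/$n.key" "$demo/MyCA.crt" || true
done
```

Against the real files from the answer, the call would be `check_spc MySPC.crt MySPC.key MyCA.crt`, using the same file names as step 5.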
