JohnL4 · February 18, 2021 15:00
diff --git a/Make-SelfSignedCertificate.ps1 b/Make-SelfSignedCertificate.ps1
 # From https://medium.com/the-new-control-plane/generating-self-signed-certificates-on-windows-7812a600c2d8

 # -----------------------------------------------------  Creation  -----------------------------------------------------

 $cert = New-SelfSignedCertificate `
  -FriendlyName "John Lusk Self-signed" `
  -KeyFriendlyName "John Lusk Self-signed Private Key" `
  -NotAfter (get-date).AddYears(10) `
  -Subject "John Lusk" `
  -type CodeSigningCert `
  -CertStoreLocation cert:\LocalMachine\My

 # ------------------------------------------------------  Export  ------------------------------------------------------

 $certPath = 'cert:\LocalMachine\My\' + $cert.Thumbprint

 $passwd = Read-Host -AsSecureString # Don't forget this password. 

 # If you don't trust yourself not to fat-finger the password, you can take this approach:
 $passwd = ConvertTo-SecureString -String 'hunter2' -Force -AsPlainText

 Export-PfxCertificate -cert $certpath -FilePath self-signed-certificate-lusk.pfx -Password $passwd

 <# 
 Then, you can import the pfx on another computer (by double-clicking) and it'll wind up in the Local Machine cert store.
 Running certmgr won't show you that, you'll have to run mmc and snap in the cert mgr, selecting "Computer Account" as
 the store to be managed.

 If you want to be rude (I was), you can actually ALSO import the cert into the Trusted Certs folder in certmgr on whichever
 machine you want to trust your signature.  It's a hack, but, hey.

 mmc has a nice "Find Certificates" (available via right-click) that lets you track down certs easily.

 See also PowerShell 'help about_Signing' sections on signing scripts and setting strong private key protection.
 #>

 # -----------------------------------------------------  Signing  ------------------------------------------------------

 $cert = (gci cert:\LocalMachine\My -codesigning)[0] # Assumes you've only got one of these.

 Set-AuthenticodeSignature .\Test-SisenseWithJAQL.ps1 $cert

 # This actually stamps a base64-encoded signature block onto the bottom of your script, which means it can be copied
 # around easily, so long as the machine where it winds up has the same certificate in its cert store.

 # If you get a status of UnknownError or NotSigned out of the above, you can try loading the exported certificate instead.
 # That seemed to work better for me.  (You'll be prompted for the private key password.)

 $cert = Get-PfxCertificate .\self-signed-certificate-lusk.pfx
	# From https://medium.com/the-new-control-plane/generating-self-signed-certificates-on-windows-7812a600c2d8

	# ----------------------------------------------------- Creation -----------------------------------------------------

	$cert = New-SelfSignedCertificate `
	-FriendlyName "John Lusk Self-signed" `
	-KeyFriendlyName "John Lusk Self-signed Private Key" `
	-NotAfter (get-date).AddYears(10) `
	-Subject "John Lusk" `
	-type CodeSigningCert `
	-CertStoreLocation cert:\LocalMachine\My

	# ------------------------------------------------------ Export ------------------------------------------------------

	$certPath = 'cert:\LocalMachine\My\' + $cert.Thumbprint

	$passwd = Read-Host -AsSecureString # Don't forget this password.

	# If you don't trust yourself not to fat-finger the password, you can take this approach:
	$passwd = ConvertTo-SecureString -String 'hunter2' -Force -AsPlainText

	Export-PfxCertificate -cert $certpath -FilePath self-signed-certificate-lusk.pfx -Password $passwd

	<#
	Then, you can import the pfx on another computer (by double-clicking) and it'll wind up in the Local Machine cert store.
	Running certmgr won't show you that, you'll have to run mmc and snap in the cert mgr, selecting "Computer Account" as
	the store to be managed.

	If you want to be rude (I was), you can actually ALSO import the cert into the Trusted Certs folder in certmgr on whichever
	machine you want to trust your signature. It's a hack, but, hey.

	mmc has a nice "Find Certificates" (available via right-click) that lets you track down certs easily.

	See also PowerShell 'help about_Signing' sections on signing scripts and setting strong private key protection.
	#>

	# ----------------------------------------------------- Signing ------------------------------------------------------

	$cert = (gci cert:\LocalMachine\My -codesigning)[0] # Assumes you've only got one of these.

	Set-AuthenticodeSignature .\Test-SisenseWithJAQL.ps1 $cert

	# This actually stamps a base64-encoded signature block onto the bottom of your script, which means it can be copied
	# around easily, so long as the machine where it winds up has the same certificate in its cert store.

	# If you get a status of UnknownError or NotSigned out of the above, you can try loading the exported certificate instead.
	# That seemed to work better for me. (You'll be prompted for the private key password.)

	$cert = Get-PfxCertificate .\self-signed-certificate-lusk.pfx