PowerShell 4.0
The makecert tool has the -eku option for adding enhanced key usage object identifiers (OIDs) to the certificate. It allows making certificates for code signing and for other purposes. But it is not a cmdlet.
Newer PowerShell versions have the New-SelfSignedCertificate cmdlet for local testing of scripts. But it creates a certificate that can't be used for code signing:
New-SelfSignedCertificate -DnsName www.SomeSite.com -CertStoreLocation Cert:\CurrentUser\My
I don't see an option that is similar to -eku.
How can I set the purpose of my new self-signed certificate (created through the New-SelfSignedCertificate cmdlet) so that it can be used for code signing? Or is it possible to do the same via another cmdlet?
The version of New-SelfSignedCertificate on PS 4 is rather basic.
However, PowerShell v5 has the parameters that you would require to create specific keys.
Specifically, a KeyUsage parameter that takes
-- CertSign
-- CRLSign
-- DataEncipherment
-- DecipherOnly
-- DigitalSignature
-- EncipherOnly
-- KeyAgreement
-- KeyEncipherment
-- None (default)
-- NonRepudiation
and a KeyUsageProperty taking
-- All
-- Decrypt
-- KeyAgreement
-- None (default)
-- Sign
Are you specifically tied to v4? If you can upgrade to v5 you should be able to achieve what you need.
Reviving this question as I was also looking for an answer on how to set the Enhanced Key Usage (EKU) field for code signing using the PowerShell New-SelfSignedCertificate command.
It can be done using the -TextExtension parameter to set the EKU value. As an example, the following PowerShell script (tested on PowerShell 5.1) creates a 3-year self-signed code signing certificate with extended key usage (and exports it from the current user's certificate store to PFX file format):
# Enhanced Key Usage
$EKU = "2.5.29.37"
$EKU_CODE_SIGNING = "1.3.6.1.5.5.7.3.3"
$certificate = New-SelfSignedCertificate -Subject "CN=Testing Code Signing,[email protected],O=My Company" `
-FriendlyName "My Code Signing Certificate" `
-NotAfter (Get-Date).AddYears(3) `
-CertStoreLocation Cert:\CurrentUser\My `
-TextExtension @("$EKU={text}$EKU_CODE_SIGNING")
$password = ConvertTo-SecureString -String "mypassword" -Force -AsPlainText
Export-PfxCertificate -Cert "Cert:\CurrentUser\My\$($certificate.Thumbprint)" -FilePath "codesigning.pfx" -Password $password
Note: As a shortcut, the -Type CodeSigningCert parameter can be specified with the New-SelfSignedCertificate command instead of explicitly adding the EKU_CODE_SIGNING string to the -TextExtension parameter.
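A way to confirm that a certificate created as in the answers above really carries the code signing EKU and can sign a script. This is an added example, not code from the original posts; it assumes Windows PowerShell 5.1 with the built-in PKI module, and the subject name and test file path are made up for illustration.

```powershell
# Added example: subject name and file path are assumptions, not from the original posts.
$CODE_SIGNING_OID = '1.3.6.1.5.5.7.3.3'   # same OID the answer stores in $EKU_CODE_SIGNING

# Create the certificate with the -Type shortcut and restrict key usage to signing.
$cert = New-SelfSignedCertificate -Type CodeSigningCert `
    -Subject 'CN=Local Test Code Signing' `
    -KeyUsage DigitalSignature `
    -NotAfter (Get-Date).AddYears(3) `
    -CertStoreLocation Cert:\CurrentUser\My

# Read the EKU extension (2.5.29.37) from the certificate and confirm the OID is present.
$ekuExt = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
if ($ekuOids -notcontains $CODE_SIGNING_OID) {
    throw "Certificate $($cert.Thumbprint) lacks the code signing EKU"
}

# The certificate provider's -CodeSigningCert switch applies the same filter, so a
# certificate created with only -DnsName (as in the question) would not be listed here.
$listed = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $listed) { throw 'Certificate is not listed as a code signing certificate' }

# Sign a throwaway script with the new certificate.
$testScript = Join-Path $env:TEMP 'signing-test.ps1'
Set-Content -Path $testScript -Value 'Write-Output "signed test script"'
$null = Set-AuthenticodeSignature -FilePath $testScript -Certificate $cert

# Re-read the signature. Status is Valid only when the signer chains to a root that
# this machine trusts; a self-signed certificate sitting only in the personal store
# does not, so check Status and StatusMessage rather than assuming success.
$sig = Get-AuthenticodeSignature -FilePath $testScript
$sig | Format-List Status, StatusMessage,
    @{ Name = 'Signer'; Expression = { $_.SignerCertificate.Thumbprint } }

# Clean up the test artifacts when finished.
Remove-Item -Path $testScript
Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)"
```

If the PFX export from the answer is also needed, reading the password with Read-Host -AsSecureString keeps it out of the script text and command history.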