Code Signing: Proving Your Enterprise Code Is Yours

[Last Reviewed: 2019-04-25]

PowerShell scripts, ClickOnce VSTO applications, .NET applications, even Java Deployment Rulesets. What do they all have in common?

You can sign them with a code signing certificate!

What’s Code Signing?

When you digitally sign an executable or script, you’re guaranteeing that the code hasn’t been altered or corrupted since it was signed. The same signing certificate can also be used to prove your identity as a trusted publisher, meaning your end users can run your code confidently knowing it’s genuine. (No pressure!)

If you’re looking to sign code that will be distributed to a worldwide audience (or at least one that isn’t a part of your network/enterprise), it’s best to purchase a code signing certificate from a certificate authority.

You can also use self-signed certificates, but this method doesn’t scale very well outside of a small development environment.

If you’re only going to distribute your code internally to your enterprise, you can use something that’s probably already running in your network: Active Directory Certificate Services!

Code signing? With my enterprise PKI? It’s more likely than you think.

Let’s step through the process of getting a Code Signing certificate template available for use, then request a certificate!

Step 0: Preparing your environment

There is one prerequisite step (besides having an enterprise PKI set up!), and that’s creating an AD security group. It may be your corporate policy that only specific individuals can sign code or scripts, so creating this group lets us scope who can do this. If you don’t have such a policy, it’s still a good idea to create a security group for this. For this example, I’m creating a group called Code Signers.

I’m adding myself to this group. Not only will this let me test that everything’s working, it will also let me sign my code!

Step 1: Make the Code Signing certificate template available

Open a Certification Authority snap-in connected to your issuing certificate server. Right-click on Certificate Templates and select Manage. The Certificate Templates Console will appear.


Right-click on the Code Signing certificate template. Click the Security tab and add the Code Signers security group we created in Step 0, grant Enroll permissions, then click OK.

Note: If you want to change any of the values in this certificate, you’ll need to close the properties window, right-click on the certificate template, and select Duplicate Certificate. Here you can customize things like the validity period (which is 1 year by default). (You’ll still want to add your security group to this new template with Enroll permissions!)

Once your template is ready, close the Certificate Templates Console. Back in the Certification Authority snap-in, right-click on Certificate Templates > New > Certificate Template to Issue.

In the Enable Certificate Templates window that appears, select your certificate template and click OK. If you duplicated the certificate, look for the certificate under the name you selected. The intended purpose should say Code Signing regardless.

Note: If your certificate template doesn’t appear in the list right away, you may need to wait a bit. The template must replicate across your domain. Perhaps use this time to learn about AD change notification. 🙂

Here I called my certificate “Enterprise Code Signing” so I could modify the validity period.

Your new Code Signing certificate is now ready! Let’s request one!

Step 2: Request a Code Signing certificate

On my local machine, signed in as myself (or a member of our Code Signing security group), I open mmc.exe and add the Certificates snap-in (File > Add/Remove Snap-in > Certificates > Add > OK).

Note: if asked if you are prompted to pick from a Computer account, Service account, or a User account, selectUser account.

Adding the Current User Certificates snap-in

In the snap-in, right-click on Personal and select All Tasks > Request New Certificate…

The Certificate Enrollment dialog appears. Click Next, then select Active Directory Enrollment Policy and click Next. Locate your code signing certificate in the listing. From here you can either click Enroll to request the certificate, or you can click Details > Properties to modify, say, making the key exportable (so you can use the same key on multiple machines). This can be changed under Private Key > Key options > Make private key exportable.

Making your signing certificate portable. Just be sure to keep it safe–otherwise anyone can pretend to be you writing code!

Huzzah! After completing the certificate enrollment, a new certificate will appear under Personal > Certificates. It will be issued to your name, and it will show Code Signing under Intended Purposes.

With your new code signing certificate, you could do something awesome like sign that great PowerShell script you just finished writing!

Jacob

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.