I have no answer, but this is a project I'll be taking up in the new year, so I'll be very interested in following this conversation.
Kurt

On Tue, Dec 6, 2016 at 2:02 PM, Miller Bonnie L. <[email protected]> wrote:
> I feel like I must be missing a step here, so am hoping someone has seen this. I’m most of the way through standing up a new internal CA root/subordinate combo for our internal AD and migrating certificates, but have run into a problem with code signing certs.
>
> The new servers are 2012 R2, done mostly to best practice with root not in the domain (offline) and subordinate in the domain for issuing certs. The old single server is 2008 R2. I already have most of our certs migrated and working, including those for Kerberos (Domain controllers) authentication, client PCs, web server, etc. The Root CA is showing up in the client’s Trusted Root store, and both the root and subordinate are in the Intermediate Certificates store.
>
> I’ve published a new template for (PowerShell) code signing today from the new intermediate server, and was able to follow all of the same steps to get a cert enrolled for my user account that I had done with 2008 R2. I see the new cert in the Personal store and have imported it into Trusted Publishers.
>
> But, if I sign some code with the new cert, I still get prompted by PowerShell with “Do you want to run software from this untrusted publisher?”. I’ve tried deleting the old cert from Personal and from Trusted Publishers, and even re-signed the code to verify it’s using the new one that I think it is.
>
> Is there another place I need to be adding the cert that I’m missing here? Is there an issue with signing it from the Intermediary vs the root CA when it comes to code signing?
>
> I’m not a PS guru and there are really only two of us using this, in an attempt to not allow unrestricted PS on our domain workstations. Code signing certs have worked fine from our 2008 R2, but there is only the one server involved.
>
> Any pointers would be appreciated.
>
> -Bonnie
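A diagnostic for the prompt described in the quoted message, added here as an example and not part of the thread: it reads the Authenticode signature on a signed script, builds the signer's chain with the code-signing application policy the way Windows does, and reports which Trusted Publishers, Root and CA stores actually contain the signer and its issuer. The script path is a placeholder.

```powershell
# Added example (not from the thread): explain why a signed script still
# triggers "Do you want to run software from this untrusted publisher?".
param(
    [string]$ScriptPath = 'C:\Scripts\Example-Signed.ps1'   # placeholder path
)
$sig = Get-AuthenticodeSignature -FilePath $ScriptPath
"Signature status : $($sig.Status)"
"Status message   : $($sig.StatusMessage)"
if (-not $sig.SignerCertificate) {
    Write-Warning 'No signer certificate found; the file is not signed.'
    return
}
$signer = $sig.SignerCertificate
"Signer subject   : $($signer.Subject)"
"Signer issuer    : $($signer.Issuer)"
"Signer thumbprint: $($signer.Thumbprint)"

# The signing cert must carry the Code Signing EKU (1.3.6.1.5.5.7.3.3).
$ekuExt = $signer.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasCodeSigning = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.3' })
"Code Signing EKU : $hasCodeSigning"

# Build the chain with the code-signing policy and online revocation checking,
# then print each element with any status flags (e.g. UntrustedRoot, RevocationStatusUnknown).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.ApplicationPolicy.Add([System.Security.Cryptography.Oid]'1.3.6.1.5.5.7.3.3') | Out-Null
"Chain builds     : $($chain.Build($signer))"
foreach ($el in $chain.ChainElements) {
    $flags = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
    if (-not $flags) { $flags = 'OK' }
    "  $($el.Certificate.Subject)  [$flags]"
}

# The prompt is suppressed only when the signer certificate itself (not just
# its CA) is in a Trusted Publishers store PowerShell consults.
foreach ($store in 'Cert:\CurrentUser\TrustedPublisher', 'Cert:\LocalMachine\TrustedPublisher') {
    $present = [bool](Get-ChildItem $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Thumbprint -eq $signer.Thumbprint })
    "$store contains signer: $present"
}

# Report where the signer's issuer is actually installed; a self-signed root
# belongs in Root and an issuing (subordinate) CA in CA (Intermediate).
foreach ($store in 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA') {
    $found = [bool](Get-ChildItem $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -eq $signer.Issuer })
    "$store has signer's issuer: $found"
}
```

Run it from the same user account and execution policy that produces the prompt, since CurrentUser stores differ per account.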