Is there a behavior difference whether it's in the local user or local machine Trusted Publishers store? I haven't done much with this but that comes to mind as something to check.
Also don't forget to timestamp the signature when you do the signing. Thanks, Brian Desmond w - 312.625.1438 | c - 312.731.3132 From: [email protected] [mailto:[email protected]] On Behalf Of Miller Bonnie L. Sent: Tuesday, December 6, 2016 4:03 PM To: ntsysadm <[email protected]> Subject: [NTSysADM] code-signing cert for PS untrusted I feel like I must be missing a step here, so am hoping someone has seen this. I'm most of the way through standing up a new internal CA root/subordinate combo for our internal AD and migrating certificates, but have run into a problem with code signing certs. The new servers are 2012 R2, done mostly to best practice with root not in the domain (offline) and subordinate in the domain for issuing certs. The old single server is 2008 R2. I already have most of our certs migrated and working, including those for Kerberos (Domain controllers) authentication, client pcs, web server, etc. The Root CA is showing up in the client's Trusted root store, and both the root and subordinate are in the Intermediate Certificates store. I've published a new template for (powershell) code signing today from the new intermediate server, and was able to follow all of the same steps to get a cert enrolled for my user account that I had done with 2008 R2. I see the new cert in the Personal store and have imported it into Trusted publishers. But, if I sign some code with the new cert, I still get prompted by powershell with "Do you want to run software from this untrusted publisher?". I've tried deleting the old cert from Personal and from Trusted publishers, and even re-signed the code to verify it's using the new one that I think it is. Is there another place I need to be adding the cert that I'm missing here? Is there an issue with signing it from the Intermediary vs the root CA when it comes to code signing? I'm not a PS guru and there are really only two of us using this, in an attempt to not allow unrestricted PS on our domain workstations. Code signing certs have worked fine from our 2008 R2, but there is only the one server involved. Any pointers would be appreciated. -Bonnie
