→Protecting Certificates with Private Key Encryption
</pre>
The Certificate Manager will open a window displaying a number of different categories of certificates. Navigate to the certificate to be protected (in the case of the example in this chapter select ''Personal -> Certificates -> PowerShell Cert'') as illustrated below:

[[Image:certification_manager.jpg|The Windows Certificate Manager Tool]]

Right click on the selected certificate and select ''All Tasks -> Export...'' from the context menu to invoke the Certificate Export Wizard. Click ''Next'' on the Welcome screen to proceed to the ''Export Private Key'' page and select the ''Yes, export private key'' option. Click ''Next'' to proceed to the Export File Format screen and select the ''Personal Exchange Format'' option.

Since the objective of this exercise is to prevent the use of the certificate by unauthorized users, it is important that the unprotected certificate be removed from the certificate store once the export is successfully completed so that it can no longer be used. This can be achieved by selecting the option to delete the certificate after a successful export.

On the next screen, enter the password to be used to protect the key and click ''Next''. Finally, specify a filename and location for the .pfx file (for the purposes of this example we will use the name ''cert.pfx''). Click ''Next'' to display the summary screen. Review the summary information and click ''Finish'' to export the key.

The resulting pfx file can subsequently be used to access the certificate using the ''Get-PfxCertificate'' cmdlet as illustrated below.
Before PowerShell will permit the script to be signed, however, the password specified during the export process must be supplied:

<pre>
PS C:\Users\Administrator> $certificate = get-pfxcertificate cert.pfx
Enter password:
</pre>

Once extracted, the certificate may be used to sign scripts using the usual command:

<pre>
PS C:\Users\Administrator> set-authenticodesignature ./t.ps1 $certificate

    Directory: C:\Users\Administrator

SignerCertificate                         Status       Path
-----------------                         ------       ----
3152D8D9584375916BB9A7511BF2E789F257AD0B  Valid        t.ps1
</pre>
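
The steps above can be wrapped in a single function that also checks the result. This is an added example, not code from the original chapter: the function name ''Invoke-PfxSigning'' and its default paths are assumptions, and it assumes the certificate was exported from the current user's Personal store.

```powershell
# Added example: sign a script with the password-protected .pfx and verify the result.
# Invoke-PfxSigning and its default file names are hypothetical, chosen for illustration.
function Invoke-PfxSigning {
    param(
        [string]$PfxPath    = '.\cert.pfx',
        [string]$ScriptPath = '.\t.ps1'
    )

    # Prompts for the export password; the private key stays encrypted on disk.
    $certificate = Get-PfxCertificate -FilePath $PfxPath

    # A certificate exported without its private key cannot sign anything.
    if (-not $certificate.HasPrivateKey) {
        throw "$PfxPath does not contain a private key."
    }

    # Require the Code Signing enhanced key usage (OID 1.3.6.1.5.5.7.3.3).
    $eku = $certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.3' })) {
        throw "Certificate $($certificate.Thumbprint) is not valid for code signing."
    }

    # The export wizard should have deleted the unprotected copy.
    # Assumption: it lived in the current user's Personal store (Cert:\CurrentUser\My).
    if (Test-Path "Cert:\CurrentUser\My\$($certificate.Thumbprint)") {
        Write-Warning 'An unprotected copy of this certificate is still in the Personal store.'
    }

    $result = Set-AuthenticodeSignature -FilePath $ScriptPath -Certificate $certificate
    if ($result.Status -ne 'Valid') {
        throw "Signing failed: $($result.StatusMessage)"
    }

    # Re-read the signature from disk and confirm it was made with the expected certificate.
    $check = Get-AuthenticodeSignature -FilePath $ScriptPath
    if ($check.SignerCertificate.Thumbprint -ne $certificate.Thumbprint) {
        throw 'Signature on disk does not match the signing certificate.'
    }
    $check
}

Invoke-PfxSigning
```

The warning branch fires when the delete-after-export option was not selected in the wizard, in which case the certificate can still be used without the password.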