
The following set-up is given:

  • We are a fairly small branch of a big enterprise sitting on the bottom of a complex WinServer 2012 R2 AD. Therefore we are somehow restricted in our policies.
  • Our development department has three PowerShell developers who want to use their scripts securely.
  • We implemented an AD CS to sign our scripts by our own root certificate authority.

The technical steps to implement our certificates are the following:

  • Create a private key with a public certificate using openssl.
  • Sign the certificate by our certificate authority.
  • Import the signed certificate into an AD user's account, along with the public certificate of the CA into the trusted CAs.
  • The certificate user "ScriptUser" is not an AD user, therefore we import his certificate into the trusted users area.

Signing and testing:

  • On the client system (Windows 7 or Windows 10) we tested signing a PowerShell script, which went OK.
  • When running the script locally we get an error message that the certificate owner is not trustworthy. After committing, the script runs.

We expected the script to run without any dialogue.

What's our fault?
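One way to see where the prompt comes from, as an added diagnostic script that is not part of the original question: it checks the Authenticode signature on a script, whether the signer certificate carries the Code Signing EKU, and whether that signer is present in the Trusted Publishers stores, which is what PowerShell consults before running signed code without asking. The script path is a placeholder.

```powershell
# Added diagnostic; not from the question. The path is a placeholder.
param(
    [string]$Path = 'C:\Scripts\Deploy.ps1'
)

# Effective execution policies, most specific scope first.
Get-ExecutionPolicy -List | Format-Table -AutoSize

$sig = Get-AuthenticodeSignature -FilePath $Path
"Signature status : $($sig.Status)"
"Status message   : $($sig.StatusMessage)"

if ($sig.Status -ne 'Valid') {
    # HashMismatch, NotSigned, or an untrusted chain (e.g. CA root missing
    # from Trusted Root CAs) are separate problems from the publisher prompt.
    return
}

$signer = $sig.SignerCertificate
"Signer subject   : $($signer.Subject)"
"Signer thumbprint: $($signer.Thumbprint)"

# Code Signing EKU (OID 1.3.6.1.5.5.7.3.3) must be on the signer certificate.
$ekuExt = $signer.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasCodeSigning = $ekuExt -and
    ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.3' })
"Code Signing EKU : $([bool]$hasCodeSigning)"

# The prompt "Do you want to run software from this untrusted publisher?" appears
# under AllSigned/RemoteSigned when the signer chains to a trusted root but is not
# in Trusted Publishers (per user or per machine).
$stores = 'Cert:\CurrentUser\TrustedPublisher', 'Cert:\LocalMachine\TrustedPublisher'
$foundIn = foreach ($store in $stores) {
    if (Get-ChildItem -Path $store | Where-Object { $_.Thumbprint -eq $signer.Thumbprint }) { $store }
}

if ($foundIn) {
    "Signer is in Trusted Publishers: $($foundIn -join ', ')"
} else {
    "Signer is NOT in Trusted Publishers; expect the untrusted-publisher prompt."
    # Remediation for an admin: publish the signer's public certificate (not the
    # private key) to Cert:\LocalMachine\TrustedPublisher, e.g. via Group Policy
    # or Import-Certificate -FilePath signer.cer -CertStoreLocation Cert:\LocalMachine\TrustedPublisher
}
```

Distributing the signer certificate to Trusted Publishers through Group Policy keeps the decision with the administrators rather than with each user clicking through the dialogue.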
