I need to know how I can make sure certificate fields of my self-signed certificate, like subject common name and issuer common name, are encoded as PRINTABLE_STRING, IA5STRING or BMPSTRING, but not UTF-8 encoding.

I'm trying to create it using a PowerShell cmdlet.

I'm trying to create a self-signed certificate that conforms to these rules.

These are the parameters I found that I think comply with those rules.

New-SelfSignedCertificate -DnsName 'wdac' -CertStoreLocation Cert:\CurrentUser\My\ -Type Codesigning -HashAlgorithm "SHA512" -KeyLength 4096 -KeyAlgorithm RSA

  • On my system, by default, that command will use `UTF8STRING` for `commonName` fields (tested by exporting to file, then `openssl.exe asn1parse -in TestCert.cer -i`). You *might* be able to alter what encoding powershell sends, like: https://stackoverflow.com/a/40098904/7411885, but I don't think `PrintableString` is an option there. You may need to generate a custom CSR as a separate step – Cpt.Whale Feb 14 '23 at 16:23
  • Thank you, I just tried it and it is indeed using `UTF8`, that answer is a bit complicated for me and also I'd need some guidance for custom CSR step. Is it possible to create a certificate with those requirements using OpenSSL? –  Feb 14 '23 at 16:42
  • Why use OpenSSL if a powershell script will do the same? Often, in older versions of Windows (Visual Studio), not all the encryption modes were supported, so people often used OpenSSL. Now you do not need to use OpenSSL in these cases. OpenSSL is used in Linux since there are no Linux methods that create certificates. – jdweng Feb 14 '23 at 17:10
  • @jdweng I understand, and I don't want to use OpenSSL, but as I said in my post, I don't know how to do it with PowerShell. There are .NET APIs for it too, but I need help figuring it out. I want to create a self-signed certificate that will work for a signed WDAC policy and meets these requirements: https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering –  Feb 14 '23 at 17:45
  • @Cpt.Whale I tried the answer from the question you linked to; that didn't work. Also, here is a way to find out the encoding of the certificate fields natively: `certutil.exe -asn .\cert.cer` –  Feb 14 '23 at 18:18
  • Read following : https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_signing?force_isolation=true&view=powershell-7.3 – jdweng Feb 14 '23 at 19:23
  • @jdweng I did, so which part of it did you think can help my situation? –  Feb 14 '23 at 20:42
  • See following : https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_signing?force_isolation=true&view=powershell-7.3#create-a-self-signed-certificate – jdweng Feb 14 '23 at 22:33
  • @Jameschad I think you'll need to dip into dotnet for generating these if you want to avoid openssl. The default encoding for X509/X500 stuff is printable strings, and ADCS tends to force it via templates. Stuff like `$DN = [Security.Cryptography.X509Certificates.X500DistinguishedName]::new('CN=TESTCERT')` seem to generate printable strings unless you feed them a "UseUTF8Encoding" flag. I'm not really familiar with the rest of the steps needed for self-signed certs there though. – Cpt.Whale Feb 14 '23 at 23:09

1 Answer

You can easily do this using Windows Server (it's free for 180 days and you only need it for 30 mins or less). You can grab the latest Windows server, install it on a Hyper-V VM, create your code signing certificate, set its expiration date to 50 or 100 years so you won't need to repeat this process again.

The certificate generated using the template in Enterprise CA role in Windows server has the correct encoding for the subject and works perfectly with WDAC.

Here is my text-based guide:

https://github.com/HotCakeX/Harden-Windows-Security/wiki/How-to-Create-and-Deploy-a-Signed-WDAC-Policy-Windows-Defender-Application-Control

Here is the video I made based on that text-based guide:

https://www.youtube.com/watch?v=vlu1HGuYPeg
