
22 CHAPTER 1
USING POWERSHELL WITH ACTIVE DIRECTORY
her private key. Bob doesn't manually validate Alice's script against her public key, however. This process is handled by PowerShell when Bob attempts to run the script.
To be able to sign scripts, you first need to obtain a code-signing certificate with a private key. This certificate must be trusted by the computer that the script is executing on in order for it to be considered valid. There are a few different ways that you can obtain a trusted certificate:
Use an Internal Public Key Infrastructure
Some organizations have their own certificate authorities (CAs) for creating and validating PKI certificates. If your organization has its own CA, you can probably request a code-signing certificate from it. When using an internal PKI, you run a good chance that your certificate will be trusted by the computers your PowerShell scripts might run on. However, this isn't always the case, because the trust configuration is heavily dependent on how the organization configured the PKI.
Use a Publicly Trusted Certificate Authority
If you don't have an internal PKI, then you can buy a trusted certificate from a well-known Internet CA such as VeriSign or Go Daddy. Many of these CAs are trusted by default in Windows. Therefore, if you obtain a code-signing certificate from one of them, you'll almost be guaranteed that the certificate is trusted by any computer on which you run the PowerShell script. The downside to this method is that it's going to cost you money.
Use a Self-Signed Certificate
You can also obtain a self-signed certificate, which means that you create the certificate yourself. The drawback to self-signed certificates is that the certificate is only trusted by the computer on which it was created. This means that if you create a script and sign it with a self-signed certificate that was issued by one computer, the script will only be considered valid on that computer. You can get around this, however, by adding the self-signed certificate to the list of trusted certificates on your other computers. If you decide to use a self-signed certificate for scripts that you use for Active Directory administration, you should ensure that the self-signed certificate is trusted by each domain controller. The good news is that you can do this rather easily with a Group Policy Object (GPO).
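The self-signed option above, as an added example that is not from the book: it creates the certificate with the PKI module's New-SelfSignedCertificate cmdlet (Windows 10 / Server 2016 or later) rather than makecert.exe, signs a script, shows the signature failing verification until the certificate is trusted, then trusts it locally the way a GPO would on a domain controller. File names and the certificate subject are assumptions.

```powershell
# Added example, not the book's code. Assumes the PKI module (New-SelfSignedCertificate,
# Export-Certificate, Import-Certificate) and an elevated PowerShell session.

# 1. Create a self-signed code-signing certificate in the current user's Personal store.
$cert = New-SelfSignedCertificate -Subject "CN=AD Admin Script Signing (test)" `
    -Type CodeSigningCert -CertStoreLocation Cert:\CurrentUser\My `
    -NotAfter (Get-Date).AddYears(2)

# 2. Write a small script (constructed sample) and sign it. Set-AuthenticodeSignature
#    appends a "# SIG # Begin signature block" comment to the file.
$scriptPath = Join-Path $env:TEMP 'Get-DomainInfo.ps1'
'Get-ADDomain | Select-Object Name, DomainMode' | Set-Content -Path $scriptPath
Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $cert | Out-Null

# 3. Inspect the signature. Status is Valid only where the signing certificate chains
#    to a trusted root; for a self-signed certificate, that means the certificate itself
#    must be in the Trusted Root Certification Authorities store of the verifying machine.
Get-AuthenticodeSignature -FilePath $scriptPath | Select-Object Status, StatusMessage

# 4. Trust the certificate on this machine. Only the public certificate is exported;
#    the private key stays in the signer's store. A GPO distributing the same .cer file
#    to the Root and TrustedPublisher stores does this for every domain controller.
$cerPath = Join-Path $env:TEMP 'ScriptSigning.cer'
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\TrustedPublisher | Out-Null

# 5. Re-check: the signature now reports Valid, and the script runs under an AllSigned
#    execution policy without a publisher prompt.
Get-AuthenticodeSignature -FilePath $scriptPath | Select-Object Status, SignerCertificate

# 6. Review which publishers this machine trusts to run signed code, so that any
#    unexpected entry (an extra self-signed signer, an expired cert) stands out.
Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
    Select-Object Subject, Thumbprint, NotAfter
```

Step 4 is the point where the trust decision is made; keep the private key confined to the signing workstation and distribute only the .cer file.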
To create your own self-signed certificate for signing PowerShell scripts, you can use the makecert.exe utility included in the Windows SDK. You can download this SDK
c01.indd 22 5/12/2011 1:07:48 PM