Core/Build-WDACCertificate.psm1
Function Build-WDACCertificate { [CmdletBinding()] param ( [ValidatePattern('^[a-zA-Z0-9 ]+$', ErrorMessage = 'Only use alphanumeric and space characters.')] [Parameter(Mandatory = $false)] [System.String]$CommonName = 'Code Signing Certificate', [ValidatePattern('^(?!.*[\\|/:*?"<>]).*$', ErrorMessage = 'A file name cannot contain any of the following characters \|/:*?"<>')] [ValidateCount(1, 250)] [Parameter(Mandatory = $false)] [System.String]$FileName = 'Code Signing Certificate', [Parameter(Mandatory = $false)] [ValidateSet('Method1', 'Method2')] [System.String]$BuildingMethod = 'Method2', [Parameter(Mandatory = $false)] [ValidateScript({ ([System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($_))).Length -ge 5 }, ErrorMessage = 'The password must be at least 5 characters long.')] [System.Security.SecureString]$Password, [Parameter(Mandatory = $false)][switch]$Force ) Begin { [WDACConfig.LoggerInitializer]::Initialize($VerbosePreference, $DebugPreference, $Host) Update-WDACConfigPSModule -InvocationStatement $MyInvocation.Statement # Define a staging area for Build-WDACCertificate cmdlet [System.IO.DirectoryInfo]$StagingArea = Join-Path -Path ([WDACConfig.GlobalVars]::UserConfigDir) -ChildPath 'StagingArea' -AdditionalChildPath 'Build-WDACCertificate' # Delete it if it exists already with possible content with previous runs if ([System.IO.Directory]::Exists($StagingArea)) { Remove-Item -LiteralPath $StagingArea -Recurse -Force } # Create the staging area for the Build-WDACCertificate cmdlet $null = New-Item -Path $StagingArea -ItemType Directory -Force # If user entered a common name that is not 'Code Signing Certificate' (which is the default value) if ($CommonName -ne 'Code Signing Certificate') { # If user did not select a $FileName and it's set to the default value of 'Code Signing Certificate' if ($FileName -eq 'Code Signing Certificate') { # Set the $FileName to the same value as the $CommonName that the user entered for better user experience [System.String]$FileName = $CommonName } } if (!$Password) { [WDACConfig.Logger]::Write('Prompting the user to enter a password for the certificate because it was not passed as a parameter.') do { [System.Security.SecureString]$Password1 = $(Write-ColorfulTextWDACConfig -Color Lavender -InputText 'Enter a password for the certificate (at least 5 characters)'; Read-Host -AsSecureString) [System.Security.SecureString]$Password2 = $(Write-ColorfulTextWDACConfig -Color Lavender -InputText 'Confirm your password for the certificate'; Read-Host -AsSecureString) # Compare the Passwords and make sure they match [System.Boolean]$TheyMatch = [WDACConfig.SecureStringComparer]::Compare($Password1, $Password2) # If the Passwords match and they are at least 5 characters long, assign the Password to the $Password variable if ( $TheyMatch -and ($Password1.Length -ge 5) -and ($Password2.Length -ge 5) ) { [System.Security.SecureString]$Password = $Password1 } else { Write-Host -Object 'Please ensure that the Passwords you entered match, and that they are at least 5 characters long.' -ForegroundColor red } } # Repeat this process until the entered Passwords match and they are at least 5 characters long until ( $TheyMatch -and ($Password1.Length -ge 5) -and ($Password2.Length -ge 5) ) } [WDACConfig.Logger]::Write('Checking if a certificate with the same common name already exists.') [System.Security.Cryptography.X509Certificates.X509Certificate2[]]$DuplicateCerts = foreach ($Item in (Get-ChildItem -Path 'Cert:\CurrentUser\My' -CodeSigningCert)) { if ($Item.Subject -ieq "CN=$CommonName") { $Item } } if ($DuplicateCerts.Count -gt 0 ) { if ($Force -or $PSCmdlet.ShouldContinue('Remove all of them and continue with creating a new certificate?', "$($DuplicateCerts.Count) certificate(s) with the common name '$CommonName' already exist on the system.")) { foreach ($Cert in $DuplicateCerts) { $Cert | Remove-Item -Force } } else { Throw [System.Data.DuplicateNameException] 'A certificate with the same common name already exists on the system. Please remove it or choose another common name and try again.' } } } process { Try { if ($BuildingMethod -ieq 'Method1') { [WDACConfig.Logger]::Write('Building the certificate using Method1.') [System.String]$Inf = @" [Version] Signature="$Windows NT$" [NewRequest] X500NameFlags = "CERT_NAME_STR_DISABLE_UTF8_DIR_STR_FLAG" Subject = "CN=$CommonName" KeyLength = 4096 KeySpec = 2 KeyUsage = "CERT_DIGITAL_SIGNATURE_KEY_USAGE" MachineKeySet = False ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0" RequestType = Cert SMIME = False Exportable = True ExportableEncrypted = True KeyAlgorithm = RSA FriendlyName = "$CommonName" HashAlgorithm = sha512 ValidityPeriodUnits = 100 ValidityPeriod = Years [Extensions] 1.3.6.1.4.1.311.21.10 = "{text}oid=1.3.6.1.5.5.7.3.3" 2.5.29.37 = "{text}1.3.6.1.5.5.7.3.3" 2.5.29.19 = {text}ca=0pathlength=0 "@ # Save the INF content to a random temporary file $Inf | Out-File -FilePath (Join-Path -Path $StagingArea -ChildPath 'CertificateCreator.inf') -Force # Generate a certificate request using CertReq [System.String[]]$CertReqOutput = certreq.exe -new (Join-Path -Path $StagingArea -ChildPath 'CertificateCreator.inf') (Join-Path -Path $StagingArea -ChildPath 'CertificateCreator.req') #Region parse-certificate-request-output # Split the output by newlines and trim the whitespace [System.String[]]$Lines = foreach ($Line in $CertReqOutput -split "`n") { $Line.Trim() } # Create a hashtable to store the parsed properties [System.Collections.Hashtable]$Properties = @{} # Loop through the lines and extract the key-value pairs foreach ($Line in $Lines) { # Skip the first line if ($Line -ieq 'Installed Certificate:') { continue } # Check if the line has a colon if ($Line -match ':') { # Split the line by colon with a limit of 2 and trim the whitespace [System.String[]]$Parts = foreach ($Item in ($Line -split ':', 2)) { $Item.Trim() } # Assign the first part as the key and the second part as the value [System.String]$Key = $Parts[0] [System.String]$Value = $Parts[1] # Add the key-value pair to the hashtable $Properties[$Key] = $Value } } #Endregion parse-certificate-request-output # Save the thumbprint of the certificate to a variable [System.String]$NewCertificateThumbprint = $Properties['Thumbprint'] } elseif ($BuildingMethod -eq 'Method2') { [WDACConfig.Logger]::Write('Building the certificate using Method2.') # Create a hashtable of parameter names and values [System.Collections.Hashtable]$Params = @{ Subject = "CN=$CommonName" FriendlyName = $CommonName CertStoreLocation = 'Cert:\CurrentUser\My' KeyExportPolicy = 'ExportableEncrypted' KeyLength = '4096' KeyAlgorithm = 'RSA' HashAlgorithm = 'sha512' KeySpec = 'Signature' KeyUsage = 'DigitalSignature' KeyUsageProperty = 'Sign' Type = 'CodeSigningCert' NotAfter = [System.DateTime](Get-Date).AddYears(100) TextExtension = @('2.5.29.19={text}CA:FALSE', '2.5.29.37={text}1.3.6.1.5.5.7.3.3', '1.3.6.1.4.1.311.21.10={text}oid=1.3.6.1.5.5.7.3.3') } # Pass the splatting variable to the command [System.Security.Cryptography.X509Certificates.X509Certificate2]$NewCertificate = New-SelfSignedCertificate @params # Save the thumbprint of the certificate to a variable [System.String]$NewCertificateThumbprint = $NewCertificate.Thumbprint } [WDACConfig.Logger]::Write('Finding the certificate that was just created by its thumbprint') [System.Security.Cryptography.X509Certificates.X509Certificate2]$TheCert = foreach ($Cert in (Get-ChildItem -Path 'Cert:\CurrentUser\My' -CodeSigningCert)) { if ($Cert.Thumbprint -eq $NewCertificateThumbprint) { $Cert } } [System.IO.FileInfo]$CertificateOutputPath = Join-Path -Path ([WDACConfig.GlobalVars]::UserConfigDir) -ChildPath "$FileName.cer" [WDACConfig.Logger]::Write("Exporting the certificate (public key only) to $FileName.cer") $null = Export-Certificate -Cert $TheCert -FilePath $CertificateOutputPath -Type 'CERT' -Force [WDACConfig.Logger]::Write("Exporting the certificate (public and private keys) to $FileName.pfx") $null = Export-PfxCertificate -Cert $TheCert -CryptoAlgorithmOption 'AES256_SHA256' -Password $Password -ChainOption 'BuildChain' -FilePath (Join-Path -Path ([WDACConfig.GlobalVars]::UserConfigDir) -ChildPath "$FileName.pfx") -Force [WDACConfig.Logger]::Write('Removing the certificate from the certificate store') $TheCert | Remove-Item -Force try { [WDACConfig.Logger]::Write('Importing the certificate to the certificate store again, this time with the private key protected by VSM (Virtual Secure Mode - Virtualization Based Security)') $null = Import-PfxCertificate -ProtectPrivateKey 'VSM' -FilePath (Join-Path -Path ([WDACConfig.GlobalVars]::UserConfigDir) -ChildPath "$FileName.pfx") -CertStoreLocation 'Cert:\CurrentUser\My' -Password $Password } catch { [WDACConfig.Logger]::Write('Importing the certificate to the certificate store again (VSM could not be be used due to lack of hardware virtualization support)') $null = Import-PfxCertificate -FilePath (Join-Path -Path ([WDACConfig.GlobalVars]::UserConfigDir) -ChildPath "$FileName.pfx") -CertStoreLocation 'Cert:\CurrentUser\My' -Password $Password } [WDACConfig.Logger]::Write('Saving the common name of the certificate to the User configurations') $null = [WDACConfig.UserConfiguration]::Set($null, $null, $null, $CommonName, $null, $null, $null, $null, $null, $null) [WDACConfig.Logger]::Write('Saving the path of the .cer file of the certificate to the User configurations') $null = [WDACConfig.UserConfiguration]::Set($null, $null, $null, $null, $CertificateOutputPath, $null, $null, $null, $null, $null) } catch { throw $_ } Finally { Remove-Item -LiteralPath $StagingArea -Recurse -Force } } end { Write-ColorfulTextWDACConfig -Color MintGreen -InputText "The certificate with the common name '$CommonName' has been successfully created." } <# .SYNOPSIS Builds a self-signed certificate for use with WDAC. All of the outputs are saved in: C:\Program Files\WDACConfig .LINK https://github.com/HotCakeX/Harden-Windows-Security/wiki/Build-WDACCertificate .PARAMETER CommonName The common name of the certificate. Defaults to 'Code Signing Certificate'. If a certificate with the same common name already exists on the system, the user will be asked whether to automatically remove all of them and continue with creating a new certificate. This can be automated by passing the -Force switch. If you enter a CommonName but do not enter a FileName, the FileName will be set to the same value as the CommonName for better user experience. .PARAMETER FileName The name of the certificate file. Defaults to 'Code Signing Certificate'. Selected name should not contain any of the following characters \|/:*?"<> .PARAMETER BuildingMethod The method used to build the certificate. Method1 uses CertReq.exe to build the certificate. Method2 uses New-SelfSignedCertificate to build the certificate. .PARAMETER Password The password to protect the private key of the certificate, at least 5 characters long. If not passed as a parameter, the user will be prompted to enter a password. .PARAMETER Force Forces the removal of any existing certificates with the same common name from the system. .DESCRIPTION Builds a self-signed certificate for use with WDAC that meets all of the requirements for a WDAC policy signing certificate. https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/create-code-signing-cert-for-appcontrol .NOTES For Method1 INF creation notes: 2.5.29.19 = {text}ca=0pathlength=0 -> adds basic constraints to the certificate request. X500NameFlags = "CERT_NAME_STR_DISABLE_UTF8_DIR_STR_FLAG" -> For setting the encoding to printable string and disabling UTF-8 encoding, required for WDAC policy signing certificate - > https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/create-code-signing-cert-for-appcontrol For Method2 New-SelfSignedCertificate notes: '2.5.29.19={text}CA:FALSE' -> adds basic constraints to the certificate request to make it a non-CA and end entity certificate. '2.5.29.37={text}1.3.6.1.5.5.7.3.3' adds the extended key usage for code signing. '1.3.6.1.4.1.311.21.10={text}oid=1.3.6.1.5.5.7.3.3' -> adds "[1]Application Certificate Policy:Policy Identifier=Code Signing" as the value for Application Policies extension. The certificate made in CA role in Windows Server (using Code Signing template) also adds this extension. Get the value of the Application Policies extension ($NewCertificate.Extensions | Where-Object -FilterScript { $_.oid.FriendlyName -eq 'Application Policies' }).Format($false) Use certutil -dump -v '.\codesign.cer' to view the certificate properties, such as encoding of the certificate fields like the subject The reason for denying to create certificates with common names that already exist in the same store and location on the system is that SignTool.exe can't determine which certificate to use when there are multiple certificates with the same common name in the same certificate store so it would either need to randomly choose the best one (using the /a option) or ask the user to provide the SHA1 hash of the certificate to use (using the /sha1 option), which is not secure at all. It also can create confusion for users when they have multiple certificates with the same common name in the same certificate store. .INPUTS System.String System.Security.SecureString System.Management.Automation.SwitchParameter .OUTPUTS System.String .EXAMPLE $Password = ConvertTo-SecureString -String 'hotcakex' -AsPlainText Build-WDACCertificate -Password $Password -Verbose -Force This example builds a self-signed certificate for use with WDAC with the common name 'Code Signing Certificate' and the password 'hotcakex' and files named 'Code Signing Certificate.cer' and 'Code Signing Certificate.pfx'. .EXAMPLE Build-WDACCertificate -Password (ConvertTo-SecureString -String 'hotcakes' -AsPlainText) This example builds a self-signed certificate by providing the password in a different way .EXAMPLE $Password = ConvertTo-SecureString -String 'hotcakex' -AsPlainText Build-WDACCertificate -Password $Password -Verbose -Force -CommonName 'My WDAC Certificate' -FileName 'My Cert' This example builds a self-signed certificate for use with WDAC with the common name 'My WDAC Certificate' and the password 'hotcakex' and files named 'My Cert.cer' and 'My Cert.pfx'. .EXAMPLE Build-WDACCertificate This example builds a self-signed certificate for use with WDAC with the common name 'Code Signing Certificate' and files named 'Code Signing Certificate.cer' and 'Code Signing Certificate.pfx'. You will be prompted to enter a password. #> } |