I apologize if this has been answered elsewhere, but I couldn't find anything that quite fit what I'm trying to do here.
I have a CA set up already on a Linux server, and I use it for creating OpenVPN certs. I want to utilize this existing infrastructure if I can.
What I intend to do, is create the signing certificate on my Linux server using easy-rsa, import that into a Server 2012 R2 environment, and sign it from there. After that, I'd import the necessary certs on the servers I'm deploying my scripts to.
Is this possible? Are there limits to the key size? What algorithms can I use? Is EC supported? If so, which curves?
All the literature I've come across talks about creating the CA on a Windows Server, so I'm at a bit of a loss here.
It took 3 years and I asked the same question, and the answer is - Yes!
Requirements: easy-rsa, openssl
Step 1: Generate RSA private key.
openssl genrsa -out MySPC.key
Step 2: Make certificate request.
openssl req -new -key MySPC.key -out MySPC.req
Step 3: Import certificate request to easyrsa.
easyrsa import-req MySPC.req MySPC
Step 4: Sign certificate request, and make SPC certificate.
easyrsa sign-req code-signing MySPC
Step 5: Make PFX.
openssl pkcs12 -export -out MySPC.pfx -inkey MySPC.key -in MySPC.crt -certfile MyCA.crt
Last step: Import PFX file to Windows Keystore.
Import PFX file to Trusted Publishers Certificate Store.
Now you can use this certificate to sign your powershell scripts and other executables!