Private/New-RSACertificateSignature.ps1
function New-RSACertificateSignature { <# .SYNOPSIS Creates a new signature based on content passed as parameter input using the private key of a certificate determined by it's thumbprint, to sign the computed hash of the content. .DESCRIPTION Creates a new signature based on content passed as parameter input using the private key of a certificate determined by it's thumbprint, to sign the computed hash of the content. The certificate used must be available in the LocalMachine\My certificate store, and must also contain a private key. .PARAMETER Content Specify the content string to be signed. .PARAMETER Thumbprint Specify the thumbprint of the certificate. .NOTES Author: Nickolaj Andersen / Thomas Kurth Contact: @NickolajA Created: 2021-06-03 Updated: 2021-06-03 Version history: 1.0.0 - (2021-06-03) Function created Credits to Thomas Kurth for sharing his original C# code. #> param( [parameter(Mandatory = $true, HelpMessage = "Specify the content string to be signed.")] [ValidateNotNullOrEmpty()] [string]$Content, [parameter(Mandatory = $true, HelpMessage = "Specify the thumbprint of the certificate.")] [ValidateNotNullOrEmpty()] [string]$Thumbprint ) Process { # Determine the certificate based on thumbprint input $Certificate = Get-ChildItem -Path "Cert:\LocalMachine\My" -Recurse | Where-Object { $PSItem.Thumbprint -eq $CertificateThumbprint } if ($Certificate -ne $null) { if ($Certificate.HasPrivateKey -eq $true) { # Read the RSA private key $RSAPrivateKey = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate) if ($RSAPrivateKey -ne $null) { if ($RSAPrivateKey -is [System.Security.Cryptography.RSACng]) { # Construct a new SHA256Managed object to be used when computing the hash $SHA256Managed = New-Object -TypeName "System.Security.Cryptography.SHA256Managed" # Construct new UTF8 unicode encoding object $UnicodeEncoding = [System.Text.UnicodeEncoding]::UTF8 # Convert content to byte array [byte[]]$EncodedContentData = $UnicodeEncoding.GetBytes($Content) # Compute the hash [byte[]]$ComputedHash = $SHA256Managed.ComputeHash($EncodedContentData) # Create signed signature with computed hash [byte[]]$SignatureSigned = $RSAPrivateKey.SignHash($ComputedHash, [System.Security.Cryptography.HashAlgorithmName]::SHA256, [System.Security.Cryptography.RSASignaturePadding]::Pkcs1) # Convert signature to Base64 string $SignatureString = [System.Convert]::ToBase64String($SignatureSigned) # Handle return value return $SignatureString } } } } } } |