Deploying Code Signing Certificates via Microsoft Intune
Extract Code Signing Certificate
If you don't have a copy of the code-signing certificate, you can extract it from a file previously signed by the certificate using the following steps:
Option1:
Right-click on the signed file and choose Properties.
Choose the Digital Signatures tab. If this tab does not appear, then the file is not signed.
Choose the appropriate signature from the Signatures list and then select Details. Most files will only have a single signature.
In the Digital Signature Details dialog, choose View Certificate.
In the Certificate dialog, choose the Details tab and select Copy to File.
Complete the Certificate Export Wizard to create a CER file containing the certificate. Choose Base-64 encoded x.509 (.CER) for the Export File Format.
Select OK on the three open dialogs.
Option2:
Go to Start > certlm.msc > Run As Administrator
Go to Certificate - Local Computer > Trusted Publishers > Certificates
Right click on the specific code signing certificate > All tasks > Export
Select Base-64 encoded x.509 (.CER) > Next
Select the File Path > Next
Complete the wizard
Export Thumbprint of the certificate
Run below PowerShell command:
([System.Security.Cryptography.X509Certificates.X509Certificate2]::new("<Certificate Path>")).thumbprint
Example:
Copy the Thumbprint to text file
Extract base64 encoded version of the certificate
The base-64 encoded version of a certificate is a string-based representation of the certificate. This version contains the complete certificate but in a more portable format that is not bound to a file.
Go to PowerShell > Run As Administrator
Rune below PowerShell command:
[System.Convert]::ToBase64String(([System.Security.Cryptography.X509Certificates.X509Certificate2]::new("<Certificate Path>")).Export('Cert')) | Set-Clipboard
Example:
Note: Set-Clipboard parameter will automatically copy the output. So you can paste the result into text file straightaway.
Deploy the certificate via Intune
Create a Configuration profile with below configurations:
- Platform: Windows 10 and later
- Profile type: Templates > Custom
- Configuration Settings (OMA-URI)
- Name: <Name>
- OMA-URI: ./Device/Vendor/MSFT/RootCATrustedCertificates/TrustedPublisher/<thumbprint>/EncodedCertificate
- Data type: String
- Value: The base-64 encoded version of the certificate without any line breaks. (You can use extracted base64 encoded version of the certificate.)
Deploy to either Device or User group accordingly.
Result:
Note:
Important: Code signing certificate is associate with either intermediate and root certificate. Therefore, make sure you have to deploy the required root and intermediate certificate too in order to working fine. please fine below Microsoft link to deploy root certificate.
References: