System scripts
DigiCert provides several post-processing scripts that it manages itself; these are referred to as system scripts. The system post-processing scripts are signed so that you can verify their authenticity and integrity and guard against unauthorized or malicious changes.
In DigiCert® Trust Lifecycle Manager, you can see all the system scripts on the Discovery & automation tools > Scripts > System scripts page, where they are available to view, download, or reference. All DigiCert-managed system scripts are non-editable.
Warning
If you use a third-party platform for device management, make sure the PowerShell execution policy on client computers is set to RemoteSigned so that the Windows system post-scripts can run. RemoteSigned lets locally created scripts run unsigned but requires scripts that carry the mark of the web (files downloaded from the internet) to be signed by a trusted publisher; the system scripts satisfy this because they are Authenticode-signed (see Verify system script signature below). The default Restricted policy on Windows client editions blocks all scripts. Check the Microsoft PowerShell documentation for more details about execution policies.
DigiCert-managed system post-scripts
Script name | OS* | Script description | Supported certificate templates
---|---|---|---
Microsoft Outlook Configuration. Requires the 64-bit version of Microsoft Outlook 2016 or later. Important: the new Outlook for Windows is not supported for post-processing scripts. | Windows | Configures Outlook's security profile to use the certificate for signing and encrypting. |
 | Windows | Publishes the certificate to Active Directory. |
 | macOS | Publishes the certificate to Active Directory. Requires DigiCert Trust Assistant v1.2.6 or later to run this script. |
 | Windows | Configures Adobe Acrobat Reader to use the Adobe individual certificate for document signing. | Adobe Individual in Organization (via CertCentral)

*For the specific OS versions supported, refer to Prerequisites.
Verify system script signature
Once a signed system script has been downloaded from DigiCert® Trust Lifecycle Manager, you can verify its signature manually.
Note
The signature verification step is optional and can be skipped.
Verifying Windows PowerShell scripts
Use the following PowerShell command to verify a signed PowerShell script:
PS> Get-AuthenticodeSignature -FilePath <path-to-script-file>
For example, a valid signature on Outlook.ps1 looks like:
PS> Get-AuthenticodeSignature -FilePath .\Outlook.ps1

SignerCertificate                         Status   Path
-----------------                         ------   ----
D05A55D54AAA0653D148B231141AC268C416E1D4  Valid    Outlook.ps1

A Status of Valid only means that the signature matches the file's current contents and that the signing certificate chains to a root the computer trusts; any trusted publisher would produce the same result. To confirm that DigiCert signed the script, also compare the SignerCertificate thumbprint with the code signing certificate published in the Code signing certificate and CA chain section below. A script modified after signing reports HashMismatch, and an unsigned script reports NotSigned.
Verifying macOS shell scripts
Use the following command on a macOS terminal to verify a signed shell script:
security cms -D -i <path-to-script-file>
For example, a file that is not a validly signed script fails to decode:
$ security cms -D -i invalid.sh
security: failed to add data to decoder: UNKNOWN (-8183(d)
security: problem decoding
Whereas a validly signed script decodes to its base64-encoded body:
$ security cms -D -i ADPublisher.sh
IyEvYmluL2Jhc2gKCiMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjCiMgQURQdWJsaXNoZXJfTWFjLnNoCiMgCiMgVGhpcyBzY3JpcHQgcHVibGlzaGVzIGEgY2VydGlmaWNhdGUgdG8gQWN0aXZlIERpcmVjdG9yeSB1c2luZyBMREFQLgojIEl0...<snip>...
Pipe the output through a base64 decoder to obtain the script itself:
security cms -D -i <path-to-script-file> | base64 -d
For example:
$ security cms -D -i ADPublisher.sh | base64 -d
#!/bin/bash
#############################################################################
# ADPublisher_Mac.sh
#
# This script publishes a certificate to Active Directory using LDAP.
...<snip>...
On older macOS releases the base64 tool expects -D (upper case) for decoding. Successful decoding shows that the file is a well-formed CMS signed message; it does not by itself tell you who signed it, so check the signer against the code signing certificate published below before running the script.
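The manual checks above establish that a file decodes and carries a signature; the security-relevant question is whether the signer chains to the published DigiCert code signing chain rather than to some other certificate. The following POSIX shell script is an added example, not DigiCert's code and not the macOS tool the page describes: it uses OpenSSL's cms subcommand in place of security cms so it runs anywhere, builds a throwaway root CA, a leaf signing certificate, a second unrelated CA and a sample script (all constructed locally), signs the script as a DER CMS SignedData with the content embedded, and shows the three outcomes that matter: a good file verifies and yields the original script, a file signed under an unrelated CA is rejected even though it decodes, and a file with one altered byte is rejected. The throwaway CA stands in for the DigiCert chain linked below. The exact encoding of DigiCert's own files (DER or PEM, raw or base64 content) is not asserted here, so -inform and the base64 step may need adjusting for them.

```shell
#!/bin/sh
# Added example (not DigiCert's code): CMS signature verification of a shell
# script with OpenSSL, pinned to a specific CA file, with the two failure
# cases that matter (untrusted signer, tampered bytes). All material is
# constructed locally; "trusted-root" stands in for the published DigiCert chain.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# mkca NAME: self-signed CA (NAME.key / NAME.pem). The default req -x509
# extensions mark it CA:TRUE, which chain validation requires.
mkca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}
# mkleaf NAME CA: leaf signing certificate (NAME.key / NAME.pem) issued by CA.
mkleaf() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
        -days 1 -out "$1.pem" 2>/dev/null
}
mkca trusted-root          # constructed stand-in for the published chain
mkca rogue-root            # constructed: an issuer nobody should trust
mkleaf signer trusted-root
mkleaf rogue-signer rogue-root

# Constructed sample "post-processing script" to sign.
printf '#!/bin/bash\necho "publishing certificate to directory"\n' > script.sh

# sign_script SCRIPT SIGNER OUT: DER CMS SignedData with the content embedded
# (-nodetach), the shape that `security cms -D` decodes.
sign_script() {
    openssl cms -sign -binary -nodetach -in "$1" -signer "$2.pem" -inkey "$2.key" \
        -outform DER -out "$3" 2>/dev/null
}

# verify_script FILE CAFILE OUT: exit 0 only if the signature is valid AND the
# signer chains to CAFILE; the embedded script is written to OUT. -no-CApath
# keeps the system trust store out of the decision, so the file is judged
# against the pinned chain alone.
verify_script() {
    openssl cms -verify -inform DER -in "$1" -CAfile "$2" -no-CApath -out "$3" 2>/dev/null
}

# flip_byte SRC OFFSET DST: copy SRC to DST with the byte at OFFSET changed.
flip_byte() {
    cp "$1" "$3"
    old=$(dd if="$1" bs=1 skip="$2" count=1 2>/dev/null | od -An -tu1 | tr -d ' \n')
    printf "$(printf '\\%03o' $(( (old + 1) % 255 + 1 )))" \
        | dd of="$3" bs=1 seek="$2" count=1 conv=notrunc 2>/dev/null
}

sign_script script.sh signer good.cms
sign_script script.sh rogue-signer rogue.cms
flip_byte good.cms $(( $(wc -c < good.cms) / 2 )) tampered.cms

# Outcomes: pass/fail per file, and whether the recovered script is intact.
if verify_script good.cms trusted-root.pem good.out; then GOOD=pass; else GOOD=fail; fi
if cmp -s good.out script.sh; then CONTENT_MATCH=yes; else CONTENT_MATCH=no; fi
if verify_script rogue.cms trusted-root.pem rogue.out; then ROGUE=pass; else ROGUE=fail; fi
if verify_script tampered.cms trusted-root.pem tampered.out; then TAMPERED=pass; else TAMPERED=fail; fi

echo "trusted signer:   $GOOD (recovered script intact: $CONTENT_MATCH)"
echo "untrusted signer: $ROGUE"
echo "tampered bytes:   $TAMPERED"
```

For a real system script, replace trusted-root.pem with the concatenated code signing, intermediate CA and root CA certificates from the links below; the rogue and tampered cases are worth keeping as regression checks in any pipeline that automates this, because they prove the check is actually pinned and is not merely confirming that the file parses.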
Code signing certificate and CA chain
Use the following links to download the PEM-encoded code signing, intermediate CA, and root CA certificates used to sign the system scripts. Compare the signer reported by the verification commands above against the code signing certificate from these links; a signature that is merely "valid" under some other trusted publisher does not establish that the script came from DigiCert.
TSA (Time-Stamping Authority) signing certificate and CA chain
Use the following links to download the TSA (Time-Stamping Authority) signing certificate and its intermediate CA and root CA certificates. The timestamp lets a signature remain verifiable after the code signing certificate expires, provided the signature was made while that certificate was valid.