
Signing a PowerShell script with self-signed certificates (and without makecert.exe)


Thinking about this, you don't need a certificate chain trust, therefore, you don't need your first certificate. You can use the second certificate and move it into your Trusted Root folder and it will work. Using the first certificate and then creating another certificate seems to fail because the 'root' is self-signed and then can't sign another certificate.

SELF-SIGNED CERTIFICATE method

# Create a certificate to use for signing PowerShell scripts
$selfsigncert = New-SelfSignedCertificate `
                -Subject "CN=PowerShell Code Signing" `
                -KeyAlgorithm RSA `
                -KeyLength 2048 `
                -Type CodeSigningCert `
                -CertStoreLocation Cert:\LocalMachine\My\

# Move the root cert into Trusted Root CAs
Move-Item "Cert:\LocalMachine\My\$($selfsigncert.Thumbprint)" Cert:\LocalMachine\Root

# Obtain a reference to the code signing cert in Trusted Root
# (-Certificate expects an X509Certificate2 object, so resolve the path with Get-Item rather than passing the string)
$selfsignrootcert = Get-Item "Cert:\LocalMachine\Root\$($selfsigncert.Thumbprint)"

# Sign script
Set-AuthenticodeSignature -FilePath C:\powershell.ps1 -Certificate $selfsignrootcert

If you have access to an Enterprise Root CA, you can use the method you have used in your question.

ENTERPRISE ROOT CA method (same method as you have in your question) - you need to know your Root CA certificate thumbprint

# Get Enterprise Root CA thumbprint (replace XXXXXXXXXXXX with your Root CA certificate thumbprint)
$rootcert = Get-ChildItem Cert:\LocalMachine\Root\XXXXXXXXXXXX

# Generate certificate signed by the Root CA
$fromrootcert = New-SelfSignedCertificate `
                -Signer $rootcert `
                -Subject "CN=PowerShell Code Signing" `
                -KeyAlgorithm RSA `
                -KeyLength 2048 `
                -Type CodeSigningCert `
                -CertStoreLocation Cert:\LocalMachine\My\

# Sign script
Set-AuthenticodeSignature -FilePath C:\powershell.ps1 -Certificate $fromrootcert
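The self-signed flow from the answer above, carried through end to end as an added example (not the answerer's code): it keeps the private key in the user's personal store and trusts only the exported public certificate, adds the certificate to TrustedPublisher so AllSigned does not prompt, signs with a timestamp, and then re-reads the file to confirm the signature actually validates. Assumptions: Windows PowerShell 5.1 on Windows 10 / Server 2016 or later, the placeholder script path, and DigiCert's public timestamp server.

```powershell
# Added example: self-signed code-signing certificate in the *user* store,
# trust of the public part only, signing, and independent verification.
# Assumption: Windows PowerShell 5.1 on Windows 10 / Server 2016 or later.
$ScriptPath = 'C:\scripts\example.ps1'      # placeholder: script to sign
$CerExport  = Join-Path $env:TEMP 'CodeSigning.cer'

# 1. Create the certificate in CurrentUser\My (no admin rights needed).
$cert = New-SelfSignedCertificate `
    -Subject 'CN=PowerShell Code Signing (self-signed)' `
    -Type CodeSigningCert `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyUsage DigitalSignature `
    -NotAfter (Get-Date).AddYears(2) `
    -CertStoreLocation Cert:\CurrentUser\My

# 2. Export only the public certificate (no private key) and import that copy
#    into Root (chain trust) and TrustedPublisher (no prompt under AllSigned).
#    Unlike Move-Item, this leaves the private key attached to the My entry.
#    Note: importing into CurrentUser\Root shows a Windows confirmation dialog.
Export-Certificate -Cert $cert -FilePath $CerExport -Type CERT | Out-Null
Import-Certificate -FilePath $CerExport -CertStoreLocation Cert:\CurrentUser\Root | Out-Null
Import-Certificate -FilePath $CerExport -CertStoreLocation Cert:\CurrentUser\TrustedPublisher | Out-Null
Remove-Item $CerExport

# 3. Sign. The timestamp keeps the signature valid after the cert expires.
$sig = Set-AuthenticodeSignature -FilePath $ScriptPath -Certificate $cert `
    -HashAlgorithm SHA256 -TimestampServer 'http://timestamp.digicert.com'
if ($sig.Status -ne 'Valid') {
    throw "Signing failed: $($sig.Status) - $($sig.StatusMessage)"
}

# 4. Verify independently of the object just used: re-read the file's
#    signature and check it chains to a trusted root and the hash matches.
$check = Get-AuthenticodeSignature -FilePath $ScriptPath
if ($check.Status -ne 'Valid') {
    throw "Signature check failed: $($check.Status) - $($check.StatusMessage)"
}
if ($check.SignerCertificate.Thumbprint -ne $cert.Thumbprint) {
    throw 'Script is signed by a different certificate than expected'
}
"Signed $ScriptPath with thumbprint $($cert.Thumbprint); status $($check.Status)"
```

Editing the signed file afterwards changes its hash, so `Get-AuthenticodeSignature` then reports `HashMismatch` and the script must be re-signed.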


$cert = New-SelfSignedCertificate -CertStoreLocation Cert:\CurrentUser\My -Type CodeSigningCert -Subject "Code Signing"
Move-Item -Path $cert.PSPath -Destination "Cert:\CurrentUser\Root"
Set-AuthenticodeSignature -FilePath c:\go.ps1 -Certificate $cert

Source: https://blogs.u2u.be/u2u/post/creating-a-self-signed-code-signing-certificate-from-powershell