
Signing PowerShell scripts with a self-signed certificate (without makecert.exe)

Updated: 2023-01-10 21:38:26

Thinking about this, you don't need a certificate chain trust, therefore, you don't need your first certificate. You can use the second certificate and move it into your Trusted Root folder and it will work. Using the first certificate and then creating another certificate seems to fail because the 'root' is self-signed and then can't sign another certificate.

SELF-SIGNED CERTIFICATE method

# Create a certificate to use for signing powershell scripts
$selfsigncert = New-SelfSignedCertificate `
                -Subject "CN=PowerShell Code Signing" `
                -KeyAlgorithm RSA `
                -KeyLength 2048 `
                -Type CodeSigningCert `
                -CertStoreLocation Cert:\LocalMachine\My\

# Move the root cert into Trusted Root CAs
Move-Item "Cert:\LocalMachine\My\$($selfsigncert.Thumbprint)" Cert:\LocalMachine\Root

# Obtain a reference to the code signing cert in Trusted Root
# (Set-AuthenticodeSignature needs the certificate object, not the store path as a string)
$selfsignrootcert = Get-Item "Cert:\LocalMachine\Root\$($selfsigncert.Thumbprint)"

# Sign script
Set-AuthenticodeSignature -FilePath C:\powershell.ps1 -Certificate $selfsignrootcert

If you have access to an Enterprise Root CA, you can use the method you have used in your question.

ENTERPRISE ROOT CA method (same method as you have in your question) - you need to know your Root CA certificate thumbprint

# Get Enterprise Root CA certificate (replace XXXXXXXXXXXX with your Root CA's thumbprint)
$rootcert = Get-ChildItem Cert:\LocalMachine\Root\XXXXXXXXXXXX

# Generate certificate
$fromrootcert = New-SelfSignedCertificate `
                -Signer $rootcert `
                -Subject "CN=PowerShell Code Signing" `
                -KeyAlgorithm RSA `
                -KeyLength 2048 `
                -Type CodeSigningCert `
                -CertStoreLocation Cert:\LocalMachine\My\

# Sign script
Set-AuthenticodeSignature -FilePath C:\powershell.ps1 -Certificate $fromrootcert
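As an added example (not part of the answer above), the same self-signed approach carried through to verification: it keeps the private key in LocalMachine\My, publishes only the public certificate into Root and TrustedPublisher, signs a script with SHA-256, checks that the signature verifies against the expected thumbprint, and then shows that editing the file afterwards breaks the signature. The paths under C:\Signing\ are assumptions for this illustration; run it in an elevated Windows PowerShell session.

```powershell
# Added example, not the original answer's code. Paths under C:\Signing\ are assumed.
$scriptPath = 'C:\Signing\hello.ps1'
$publicCert = 'C:\Signing\codesign.cer'
New-Item -ItemType Directory -Path (Split-Path $scriptPath) -Force | Out-Null
Set-Content -Path $scriptPath -Value 'Write-Output "signed script ran"'

# 1. Create the code-signing certificate; the private key stays in LocalMachine\My.
$cert = New-SelfSignedCertificate `
    -Subject 'CN=PowerShell Code Signing' `
    -Type CodeSigningCert `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyUsage DigitalSignature `
    -NotAfter (Get-Date).AddYears(2) `
    -CertStoreLocation 'Cert:\LocalMachine\My'

# 2. Publish only the public certificate (no private key) into the stores that
#    Authenticode consults: Root makes the chain trusted, TrustedPublisher lets an
#    AllSigned/RemoteSigned policy run the script without an interactive prompt.
Export-Certificate -Cert $cert -FilePath $publicCert | Out-Null
foreach ($store in 'Root', 'TrustedPublisher') {
    Import-Certificate -FilePath $publicCert -CertStoreLocation "Cert:\LocalMachine\$store" | Out-Null
}

# 3. Sign with SHA-256 using the private-key-bearing object from LocalMachine\My.
#    Add -TimestampServer <RFC 3161 URL> if the signature must outlive the certificate.
$sig = Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $cert -HashAlgorithm SHA256
"Sign result: $($sig.Status)"

# 4. Verify: the status must be Valid and the signer must be the certificate we created,
#    so a script signed by some other trusted cert is not mistaken for ours.
$check = Get-AuthenticodeSignature -FilePath $scriptPath
"Verify: $($check.Status) by $($check.SignerCertificate.Thumbprint)"
if ($check.Status -ne 'Valid' -or $check.SignerCertificate.Thumbprint -ne $cert.Thumbprint) {
    throw 'Signature did not verify against the expected certificate'
}

# 5. Show what the signature protects: any change after signing invalidates it.
Add-Content -Path $scriptPath -Value '# one extra line'
"After edit: $((Get-AuthenticodeSignature -FilePath $scriptPath).Status)"
```

The last check reports HashMismatch instead of Valid, which is the signal an execution policy or deployment pipeline relies on to refuse a modified script.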