Using domain certificate for app signing

    Question

  • I would like to use a code signing cert provided by my domain CA to sign my Metro app for eventual in-house sideloading.  I've followed all of the required steps for generating the code signing certificate, but when I try to select the certificate from VS 2012, it reports "No certificate available -- No certificates meet the application criteria."  Any thoughts on how I can use a domain-issued code signing cert to sign my Windows 8 app?

    More detail on what I'm doing:

    On server:

    • Make duplicate of Code Signing certificate template in 'Certificate Templates' plug-in
    • Set security setting on duplicate template to allow 'Enroll' for Domain Users
    • Add duplicate template to CA using 'Certification Authority' plug-in and 'New'...'Certificate template to issue'

    On development machine (Windows 8 Pro RTM with VS 2012):

    • Log on as domain user
    • Access server/certsrv from IE
    • 'Download a CA certificate' and follow prompts to install domain CA cert in 'Trusted Root Certification Authorities'.  Verify domain CA cert is installed and valid.
    • Access server/certsrv from IE
    • 'Request a certificate'...'Advanced certificate request'
    • 'Create and submit a request to this CA'
    • From Certificate Template list, select duplicate code signing cert template
    • Enter a friendly name
    • Follow prompts to request and install certificate.  Verify cert is installed and valid.

    In VS 2012:

    • Create new Visual C# Windows Store application
    • Click 'Project'...'Store'...'Edit App Manifest'
    • Go to 'Packaging' tab
    • Click 'Choose Certificate...'
    • Click 'Pick from certificate store...'
    • See popup with 'No certificates available'

    I've also tried exporting the cert to a file and selecting the cert from file in VS, but same result.

    I've verified all of the cert requirements described in "Signing an app package (Metro style apps)".

    Any suggestions appreciated.

    Thanks,

    David

    Friday, August 31, 2012 4:46 PM

Answers

  • Sorry for the delay. I was out for a few days.
    I found there should be some documentation on certificates for signing Appx packages for enterprise scenarios which should be generated in the future. In the interim, here are some property requirements for the cert that may be the reason VS is not accepting the certificate (assuming it is not expired or revoked). You can also review the self-signed cert VS creates in the project folder for comparing the differences in the fields with the cert you are attempting to use.


    1. The Subject must equal the publisher name (it needs to match the publisher name in the AppxManifest.xml which is in the generated .appx file) Rename the .appx to a .zip to easily view the contents.
    In the following case it is davidlam:
    <Identity Name="Microsoft.SDKSamples.ApplicationSettings.CPP" Publisher="CN=davidlam" Version="1.0.0.0" ProcessorArchitecture="x86" />
    2. The Key Usage (if exists) must only contain 'Digital Signature'
    3. The Enhanced Key Usage must only contain Code Signing, Lifetime Signing, or both


    Here are some example steps to request a cert from a Windows Server CA. Your internal process may vary from these steps. This assumes the CA is chained to an installed Trusted Root CA.


    1. Create the cert request
    a. Identify the proper Subject name from the <>
    b. Create an AppxCodeSign.inf with the following format:

    [NewRequest]
    Subject="CN=davidlam"
    Exportable = True

    [EnhancedKeyUsageExtension]
    OID=1.3.6.1.5.5.7.3.3

    c. Create the cert request with the following command line:
    certreq -New AppxCodeSign.inf CodeSignReq.req


    2. Submit the request
    a. Browse to the CA site: http://WindowsCAServerName/certsrv/
    b. Click thru:
    "Request a certificate"
    "Or, submit an advanced certificate request."
    "Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file."
    c. Paste the contents of the CodeSignReq.req created above into the Saved Request textbox and then submit.


    3. Reference the Cert from VS.
    Once you receive the cert, you can either reference the certificate file or if installed in a local cert store, select it from a list of available certificates.
    a. Open the Package.appxmanifest and select the Packaging tab.
    b. Select Choose Certificate and then Configure Certificate
    c. Select the appropriate location for the certificate (local store or file if not installed locally)


    Thanks!


    David Lamb

    Wednesday, September 12, 2012 8:59 PM
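The three certificate properties listed in the answer above can be checked before touching the Manifest Designer. The following PowerShell script is an added example, not code from this thread or from David Lamb: it reads the Publisher from the project's Package.appxmanifest, walks a certificate store, reports which certificates fail requirements 1-3 (plus the expiry and private-key preconditions the answer assumes), and, if none qualifies, writes the AppxCodeSign.inf from step 1b with the Subject filled in so it can be fed to the certreq command the answer gives. The manifest path, store path and .inf path are parameters you supply; the Lifetime Signing OID 1.3.6.1.4.1.311.10.3.13 is the standard Microsoft value and is not from the page.

```powershell
# Added example: check candidate code-signing certs against the Appx signing
# requirements from the thread, and emit a certreq .inf when none qualifies.
# Assumed inputs: manifest path, store path, output .inf path (all parameters).
param(
    [string]$ManifestPath = ".\Package.appxmanifest",
    [string]$StorePath    = "Cert:\CurrentUser\My",
    [string]$InfPath      = ".\AppxCodeSign.inf"
)

$CodeSigningOid     = "1.3.6.1.5.5.7.3.3"        # EKU from the answer's .inf
$LifetimeSigningOid = "1.3.6.1.4.1.311.10.3.13"  # Lifetime Signing (well-known Microsoft OID, assumed)

# Requirement 1 source: the Subject must equal the manifest's Publisher string.
[xml]$manifest = Get-Content -Path $ManifestPath
$publisher = $manifest.Package.Identity.Publisher
Write-Host "Manifest Publisher: $publisher"

function Test-AppxSigningCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $problems = @()

    # 1. Subject must equal Publisher (e.g. "CN=davidlam").
    if ($Cert.Subject -ne $publisher) {
        $problems += "Subject '$($Cert.Subject)' does not equal Publisher '$publisher'"
    }

    # 2. Key Usage, if present, must contain only Digital Signature.
    $ku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    if ($ku -and $ku.KeyUsages -ne [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature) {
        $problems += "Key Usage is '$($ku.KeyUsages)', expected only DigitalSignature"
    }

    # 3. Enhanced Key Usage must contain only Code Signing and/or Lifetime Signing.
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $eku) {
        $problems += "No Enhanced Key Usage extension"
    } else {
        $oids  = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
        $extra = @($oids | Where-Object { $_ -ne $CodeSigningOid -and $_ -ne $LifetimeSigningOid })
        if ($extra.Count -gt 0) { $problems += "EKU contains disallowed OIDs: $($extra -join ', ')" }
        if ($oids -notcontains $CodeSigningOid -and $oids -notcontains $LifetimeSigningOid) {
            $problems += "EKU lacks both Code Signing and Lifetime Signing"
        }
    }

    # Preconditions the answer takes for granted: usable key, not expired.
    if (-not $Cert.HasPrivateKey)        { $problems += "No private key in this store" }
    if ($Cert.NotAfter -lt (Get-Date))   { $problems += "Expired on $($Cert.NotAfter)" }
    return $problems
}

$candidates = @(Get-ChildItem -Path $StorePath)
$usable = @()
foreach ($c in $candidates) {
    $problems = @(Test-AppxSigningCert -Cert $c)
    if ($problems.Count -eq 0) {
        Write-Host "OK   $($c.Thumbprint) $($c.Subject)"
        $usable += $c
    } else {
        Write-Host "SKIP $($c.Thumbprint) $($c.Subject)"
        $problems | ForEach-Object { Write-Host "     - $_" }
    }
}

# Nothing qualifies: write the .inf from the answer's step 1b with the Subject
# taken from the manifest, ready for: certreq -New AppxCodeSign.inf CodeSignReq.req
if ($usable.Count -eq 0) {
@"
[NewRequest]
Subject="$publisher"
Exportable = True

[EnhancedKeyUsageExtension]
OID=$CodeSigningOid
"@ | Set-Content -Path $InfPath
    Write-Host "No usable certificate found; wrote $InfPath"
    Write-Host "Next: certreq -New $InfPath CodeSignReq.req, then submit the .req at the CA's certsrv page"
}
```

Run it from the project directory after installing the certificate, or point -StorePath at Cert:\LocalMachine\My if that is where enrollment put it. A certificate issued from an unmodified enterprise template usually fails check 1, because the template builds the Subject from Active Directory rather than from the request; the template's Subject Name tab must be set to "Supply in the request" for the CN in the .inf to be honoured.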

All replies

  • Looking into this now...

    David Lamb

    Tuesday, September 04, 2012 10:08 PM
  • Having the exact same problem as BigMetsFan.

    I'm unable to sign a basic (App1) package with a code signing cert from the CA.

    1. Choose Certificate...

    2. Click on Configure Certificate...

    3. Select from file...

    4. Browser opens and I select the Certificate.

    5. Enter Password

    6. Error:

    "The Manifest Designer could not import the certificate."

    The certificate you selected is not valid for signing because it is either expired or has another issue. For more information, see..."

    As a reminder I did exactly the same as BigMetsFan, trying to deploy an application on our Enterprise network through domain user accounts. 

    Wednesday, September 12, 2012 10:38 AM
  • Thank you for your time and effort in regard to my problem.

    I'll post some feedback later.

    Thursday, September 13, 2012 12:50 PM
  • Thanks, David.  Sorry I haven't responded sooner, but I got pulled into an "emergency" and haven't had a chance to go back and try this.

    I think my problem was that I was using an enterprise CA, so couldn't change the certificate details and set the subject CN.  If I switched to a standalone CA, I could then specify the certificate details as you described, and was able to generate a cert that I could use in VS 2012 to sign my app.

    Once I set the "Allow all trusted apps to install" group policy and logged on to the domain with a Windows 8 Enterprise system, I was able to install and use the app.

    I'm guessing there may be some way to configure an enterprise CA to allow user-configurable certificate fields, but I don't know how to do it.  This is just a test environment for me, so it's not critical.

    Thanks for the help,

    David

    Thursday, October 04, 2012 4:30 PM