[UWP] Create the right certificate for sideloading

Question
-
Greetings !
We created a UWP app which is already in the official MS Store. Besides that, we need the app to connect to local networks, which is not possible to achieve with a Cordova UWP app in remote mode, with the privateNetwork capability activated. So we modified the app for sideloading and it works just fine on the development PC.
We followed this guide : https://docs.microsoft.com/de-de/windows/application-management/sideload-apps-in-windows-10#how-do-i-sideload-an-app-on-desktop
And that also worked just fine. But our sysadmins are not satisfied with this solution to use a self-signed certificate from the development PC to trust on all PCs within the domain.
So we tried to find a way to use a certificate issued by us to sign the app with, just like a certificate for a trusted web server.
And that's the point we are not able to figure out. We used the latest Visual Studio and the package.windows10.appxmanifest to choose the certificate to build the app, but all certificates we used did not seem to work and failed with this code:
https://msdn.microsoft.com/de-DE/Library/windows/apps/br230260(v=vs.110).aspx
Can someone explain to us how to get the right certificate?
Thank you for your time
Regards
Monday, June 4, 2018 8:53 AM
All replies
-
Hello,
1) The first way is to use Microsoft Store for Business for your company and upload your LOB app to that store for distribution within the company (in this case the store automatically signs your package).
2) The second is to use a code signing certificate or an EV code signing certificate from any trusted provider.
Make the community better together
Monday, June 4, 2018 11:49 AM -
Thank you for your answer.
To 1) Sadly this is not possible, because the app for the Business Store must also comply with the MS Store Policies (https://docs.microsoft.com/de-de/legal/windows/agreements/store-policies). But because we enabled the privateNetwork capability, the verification for the store policies fails for a Cordova app. Therefore we wanted to use the sideload mechanic.
2) Is there no way to generate a certificate, just like Visual Studio does for testing, that is valid within a certain business domain / active directory ?
We tried it like this : https://social.technet.microsoft.com/wiki/contents/articles/10377.create-a-certificate-request-using-microsoft-management-console-mmc.aspx
But Visual Studio did not accept the certificate file (.pfx), as mentioned before (https://msdn.microsoft.com/de-DE/Library/windows/apps/br230260(v=vs.110).aspx)
Monday, June 4, 2018 12:35 PM -
Hi Puracy,
Maybe you need to buy a certificate to check if it can meet your requirement.
Best regards,
Roy
MSDN Community Support
Thursday, June 7, 2018 9:21 AM -
@Puracy what if your sysadmins use their own CA (Active Directory Certificate Services)?
br
Andre
Thursday, June 7, 2018 10:20 PM -
@Andre
That's what we tried to do. But Visual Studio did not accept the certificate issued by our CA.
Can you provide us a description of how to create the right certificate?
Kind Regards.
Friday, June 8, 2018 6:58 AM -
But Visual Studio did not accept the certificate issued by our CA
not accepted means what ? did you see an error message ?
"by our CA" can you confirm the CA is installed as Enterprise Root CA ?
what template and properties (beside the default ones) have you used ?
should be CodeSigning
br
Andre
- Edited by Andre MarschalekMVP Friday, June 8, 2018 8:51 AM
- Marked as answer by Puracy Friday, June 8, 2018 9:43 AM
Friday, June 8, 2018 8:44 AM -
Visual Studio returned this error code :
https://msdn.microsoft.com/de-DE/Library/windows/apps/br230260(v=vs.110).aspx
It is a Web Server Template and the Key Usage is set to Digital Signature. Could this be the fault, and does it have to say code signing in this key?
Friday, June 8, 2018 8:55 AM -
your link does not point to an error message
try to guess the intended use case for a "Web Server Template"... to help it is not Code Signing
looks like no sysadmin did take a look at the properties of the Visual Studio certificates or compared those with own generated ones ;)
br
Andre
Friday, June 8, 2018 9:12 AM -
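The distinction this exchange turns on, a Key Usage of "Digital Signature" versus an Enhanced Key Usage (EKU) of Code Signing, shown as an added example that is not part of the original thread. It builds two constructed in-memory certificates with hypothetical subjects and reports their usages; the function names are illustrative and PowerShell 7 is assumed.

```powershell
# Added example (not from the thread): Key Usage vs. Enhanced Key Usage (EKU).
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

$CodeSigningOid = '1.3.6.1.5.5.7.3.3'   # EKU: Code Signing
$ServerAuthOid  = '1.3.6.1.5.5.7.3.1'   # EKU: Server Authentication (Web Server template)

# Builds a constructed, in-memory self-signed certificate; nothing is written to a store.
function New-SampleCertificate {
    param([string]$Subject, [string]$EkuOid)
    $key  = [RSA]::Create(2048)
    $req  = [CertificateRequest]::new($Subject, $key, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    $oids = [OidCollection]::new()
    [void]$oids.Add([Oid]::new($EkuOid))
    # Both samples get Key Usage = Digital Signature; only the EKU differs.
    $req.CertificateExtensions.Add([X509KeyUsageExtension]::new([X509KeyUsageFlags]::DigitalSignature, $false))
    $req.CertificateExtensions.Add([X509EnhancedKeyUsageExtension]::new($oids, $false))
    $req.CreateSelfSigned([DateTimeOffset]::UtcNow, [DateTimeOffset]::UtcNow.AddDays(1))
}

# Reports Key Usage and EKU separately, and whether the EKU permits code signing.
function Get-CertificateUsage {
    param([Parameter(Mandatory)][X509Certificate2]$Certificate)
    $ekuOids  = @()
    $keyUsage = $null
    foreach ($ext in $Certificate.Extensions) {
        switch ($ext.Oid.Value) {
            '2.5.29.37' {   # Enhanced Key Usage extension
                $eku = [X509EnhancedKeyUsageExtension]::new($ext, $ext.Critical)
                $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
            }
            '2.5.29.15' { $keyUsage = [X509KeyUsageExtension]::new($ext, $ext.Critical).KeyUsages }
        }
    }
    [pscustomobject]@{
        Subject        = $Certificate.Subject
        KeyUsage       = $keyUsage
        EkuOids        = $ekuOids -join ','
        HasCodeSigning = $ekuOids -contains $CodeSigningOid
        HasServerAuth  = $ekuOids -contains $ServerAuthOid
    }
}

$samples = @(
    New-SampleCertificate -Subject 'CN=Constructed Web Server Sample' -EkuOid $ServerAuthOid
    New-SampleCertificate -Subject 'CN=Constructed Code Signing Sample' -EkuOid $CodeSigningOid
)
$samples | ForEach-Object { Get-CertificateUsage -Certificate $_ } | Format-Table -AutoSize
```

Both rows show the same Key Usage, and only the second has HasCodeSigning set to True.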
Indeed this is not an error page, but this is the page you get redirected to if you fill in the error code Visual Studio provided.
No, I must admit our sysadmins are a bit lazy, but thanks to you I know what I have to face them with :D
Thank you very much.
Friday, June 8, 2018 9:42 AM -
Greetings Puracy,
Did you ever solve this problem? I self-signed my app with a certificate and it shows as a 'trusted app' when I install it. I have an HTML5 Cordova app that accesses some web services, and needs to authenticate via a smart card... it allows me to choose a certificate but it never presents me with the PIN dialog. Though it DOES work on my development machine (because of developer mode)... though it's not feasible for me to change all users' computers to use developer mode (their computers have "sideload apps" selected).
thanks
Just a guy trying to get things done.
Wednesday, December 11, 2019 2:55 PM