Create code signing certificate from Enterprise CA for sideloading Store app

    Question

  • I've seen numerous blog and forum posts about how to create a cert for signing a Store app so it can be sideloaded in the enterprise. None have provided complete instructions. Here's an example of one thread that seems to come close, but I've not been able to get it to work: https://social.msdn.microsoft.com/forums/windowsapps/en-us/d858d189-6d14-4c8d-809d-d6c841dd8866/using-domain-certificate-for-app-signing

    The problem? VS2013 complains with the following message: "The certificate you selected is not valid for signing because it is either expired or has another issue."

    Here's my scenario for which I need help:

    • Win 8.1 Store app to be sideloaded onto Win 8.1 Pro devices joined to the domain in the enterprise.
    • We need to create a code-signing cert that is trusted by our CA in order to publish.

    I've tried:

    • Created the cert from our CA using the wizard in the MMC console, being careful to specify that it is a code-signing cert, it contains the "Digital Signature" Usage Key, "Code Signing" and "Lifetime Signing" Enhanced Usage Keys, and making sure the CN equals the CN specified in the project's AppxManifest.xml file. Exported and tried to select from within VS, using the "Choose Certificate..." button in the Packaging tab of the Package.appmanifest interface.
    • Created a cert from our CA using reqcert, following the instructions in the forum post I linked to above.

    The certificate issued from our CA always comes back with a CN that does not match the name I specify. That is, instead of Subject being "CN=myname," it comes back as "CN=name, my" as well as "OU=Users", etc.

    Are there known, good instructions somewhere that I can reference? What am I missing? Thanks.



    Thursday, October 23, 2014 1:02 PM

All replies

  • See How to create an app package signing certificate.

    http://msdn.microsoft.com/en-us/library/windows/desktop/jj835832(v=vs.85).aspx

    Friday, October 24, 2014 2:18 PM
  • Thanks, but I don't believe that link demonstrates the preferred way of doing it. Note that the article says the instructions are used to "create a test code signing certificate." Secondly, it states the article's purpose as "If you don't use Microsoft Visual Studio 2012 to create and sign your app packages, you need to create and manage your own code signing certificates." In other words, if you aren't using VS to create the cert, you can do it this other way.

    Both of those statements seem to imply that those instructions are not the preferred/normal way, and it is also not the way for production code.

    Friday, October 24, 2014 2:39 PM
  • There are several blogs that provide information for generating a code signing certificate for use in Enterprise distribution of Windows Store applications:

    http://blogs.msdn.com/b/wsdevsol/archive/2014/01/29/signing-windows-8-1-applications-using-an-internal-code-signing-certificate-from-windows-server-2008-r2.aspx

    http://blogs.technet.com/b/deploymentguys/archive/2013/06/14/signing-windows-8-applications-using-an-internal-pki.aspx

    http://blogs.msdn.com/b/mvpawardprogram/archive/2014/03/24/side-loading-deployment-of-windows-store-apps-in-enterprises-step-by-step.aspx

    Have you already read these?

    All of these blogs use the method of creating a new certificate template with the appropriate settings and then using that template when requesting the certificate.  Did you create a new template or did you use the default code signing template?

    Also, all of these blogs make a point of enabling Basic Constraints, which I did not see mentioned in your post or in the other forum thread you referenced.


    Eric Fleck, Windows Store and Windows Phone Developer Support. If you would like to provide feedback or suggestions for future improvements to the Windows Phone SDK please go to http://wpdev.uservoice.com/ where you can post your suggestions and/or cast your votes for existing suggestions.

    • Marked as answer by Tim SF Friday, October 24, 2014 6:22 PM
    Friday, October 24, 2014 5:00 PM
    Moderator
  • Excellent. Thank you. The TechNet link you provided was perfect. I had known about the Basic Constraints from observing the dev cert that Visual Studio creates, but I was unable to change that in the default template. I didn't realize, as the article showed, that I needed to create a new template. Thanks, again.

    Friday, October 24, 2014 6:24 PM
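
A check for the certificate properties discussed in this thread, as an added example that is not part of any post: the PowerShell function below reports whether an issued certificate's subject equals the Publisher in the app manifest, whether it is inside its validity period, and whether it carries the Digital Signature key usage, the Code Signing and Lifetime Signing EKUs, and a Basic Constraints extension. The function name `Test-AppxSigningCert` and the file paths in the usage comment are hypothetical.

```powershell
# Added example, not code from the thread or from Microsoft.
# Test-AppxSigningCert and its parameter names are hypothetical.
function Test-AppxSigningCert {
    param(
        [Parameter(Mandatory)] [string] $CertPath,     # exported .cer (public part only)
        [Parameter(Mandatory)] [string] $ManifestPath  # the project's AppxManifest.xml
    )
    $x509 = 'System.Security.Cryptography.X509Certificates'
    $cert = Get-PfxCertificate -FilePath $CertPath
    [xml] $manifest = Get-Content -Raw -LiteralPath $ManifestPath
    $publisher = $manifest.Package.Identity.Publisher

    # Run the manifest Publisher through the same distinguished-name formatter
    # as the certificate subject, so spacing differences do not affect the compare.
    $wanted = (New-Object "$x509.X500DistinguishedName" $publisher).Name
    $actual = $cert.SubjectName.Name

    $ku  = $cert.Extensions['2.5.29.15']   # Key Usage
    $bc  = $cert.Extensions['2.5.29.19']   # Basic Constraints
    $eku = $cert.Extensions['2.5.29.37']   # Enhanced Key Usage
    $ekuOids = @()
    if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    $digSig = [Enum]::Parse([type]"$x509.X509KeyUsageFlags", 'DigitalSignature')
    $now = Get-Date

    [pscustomobject]@{
        CertSubject        = $actual
        ManifestPublisher  = $wanted
        # A CA that builds the subject from the directory (extra OU=Users etc.)
        # shows up here as a mismatch.
        SubjectMatches     = ($actual -ceq $wanted)
        WithinValidity     = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
        DigitalSignature   = [bool]($ku -and ($ku.KeyUsages -band $digSig))
        CodeSigningEku     = ($ekuOids -contains '1.3.6.1.5.5.7.3.3')
        LifetimeSigningEku = ($ekuOids -contains '1.3.6.1.4.1.311.10.3.13')
        BasicConstraints   = [bool]$bc
    }
}

# Usage (hypothetical paths):
# Test-AppxSigningCert -CertPath .\issued.cer -ManifestPath .\AppxManifest.xml | Format-List
```

Any `False` in the output points at the template setting or subject value to revisit on the CA before selecting the certificate in Visual Studio.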