Which Certificate to use for Enterprise Sideloading (UWP App)

  • Question

  • Hi,

    We need to deploy the app (using sideloading) in an enterprise environment, without publishing it to the Store (public/private/Store for Business), on multiple machines (using SCCM).

    Question A: We need to sign the appx package. For that, should we use a self-signed certificate or a certificate from a trusted CA? Which certificate is recommended, and why?

    Question B: If we sign and deploy using a self-signed certificate for version 1, can we use a trusted CA certificate for version 2 and deploy it? Is it possible, or will there be any problem?

    Question C: Regarding the expiry date of the certificate. If we buy a trusted CA certificate, we can get a longer expiry date, but we can also create a self-signed certificate with a longer expiry date. So why do we need to buy a trusted CA certificate?

    Question D: If a self-signed certificate is not recommended for sideloading in an enterprise environment, what are the reasons?

    Wednesday, October 11, 2017 5:29 AM

All replies

  • Hello,

    There are many certificate types (code signing, EV code signing), and each has its specific purpose.

    If you have a Windows developer account (individual or company), then you can just reserve your app name and associate your package with that app in VS; then each time you create an appx package you get a signed package and you can manually deploy it to the target devices.

    If you don't want to have anything to do with the Store, then I recommend you use an EV Code Signing certificate, because your target devices can have policies which don't allow you to install self-signed apps or apps that come from the internet.


    Make the community better together

    Wednesday, October 11, 2017 7:20 AM
  • Hello,

    >QA&QC&QD:

    For enterprise use, you'd better purchase a certificate from a CA to sign your package, to ensure a safe, secure experience for you and your customers.

    The reasons to choose a certificate from a CA can be various. It can reduce security warnings, as their root certificate has been preinstalled on most devices and embedded in most applications. Moreover, it can protect your code integrity, and users will get a security warning or fail to download if the hash used to sign doesn't match the hash used to download your app.

    For more details, please check this blog: https://www.symantec.com/page.jsp?id=code-signing-information-center#6 

    And the reason for not recommending a self-signed certificate is that a self-signed certificate cannot be revoked, unlike a CA certificate. Once your private key gets stolen by someone else, they can pretend to be you when communicating with your customers.

    >QB:

    No, you can't, unless you uninstall version 1. You need to use the same certificate to sign your subsequent version packages, and remember to make the version number higher so that you can install it without uninstalling the old version.

    Thank you.

    Best regards,

    Mattew Wu


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    • Proposed as answer by Mattew Wu Monday, October 30, 2017 1:41 AM
    Wednesday, October 11, 2017 8:10 AM
  • Thanks for the reply.

    It's clear for the Enterprise scenario.

    Question A: For the non-enterprise scenario, we have an app version 1 uploaded to the Store using the "test certificate" created from Visual Studio. Now can we use a CA certificate to sign the package and upload it for version 2?

    Question B: If we get a certificate from a CA and sign the package for version 2, do we need to change the PublisherID? Or do we need to provide our publisher ID to get the CA code signing certificate?

    Friday, October 13, 2017 10:17 AM
  • Hello,

    A) The Store automatically signs your package with your Dev Center account authority.

    B) I'm not sure, but you cannot upload a package with a different publisher.


    Friday, October 13, 2017 1:41 PM
  • Hello,

    I would like to continue the discussion within this topic.

    First, let me explain the context:

    We already uploaded an app to the Store. A PublisherId has been associated with the app by Microsoft, with a new PackageSID on the Dashboard. The PublisherId more or less represents our company in the Store. We didn't sign this app, since that is done by the Store so far. So we have no issue and we are able to submit new packages for this app.

    By the way, some of our customers don't want to rely on the Store. They want to get a signed app installer from us and be able to install it (without requiring their end users to download and install it). So for that, we are signing the appx with a CA certificate.

    So now, we are facing an issue because:

    - we can't change the PublisherId to match the one of the CA certificate -> because the same app on the Store and sideloaded will have 2 different PublisherIds, and later we can encounter some issues, especially with push notification scenarios.

    - if we don't change the PublisherId, we are not able to sign. We are getting the following error:

    error 0x8007000B: The app manifest publisher name (CN=...) 
    must match the subject name of the signing certificate 
    (CN={....).


    In this situation, can you please advise us?

    Regards

    /daniel

    Monday, November 6, 2017 8:58 AM
  • Hi Daniel,

    >we can't change the publisherId to match the one of the CA certificate -> because the same app on store or sideload will have 2 different publisherId and later we can encounter some issues especially with push notifications scenarios.

    How do you implement the push notification service in your app? I don't think it has anything to do with the publisher Id. If you use the UWP targeted notification service in Dev Center, it will only work with the app acquired from the Store. You could create a certification channel by yourself and push notifications, so that both the Store app and the sideloaded app will receive your service once they get installed.

    >- if we don't change the publisherId, we are not able to sign. We are getting the following error error 0x8007000B: The app manifest publisher name (CN=...) must match the subject name of the signing certificate (CN={....).

    Since the CA certificate has a different publisher Id from your developer account, you will need to change it in the package manifest so that you can sign it. The certificate is just used to make sure this package file was sent by you, to keep it secure. In most cases, it won't affect your app service. Even if you keep the publisher Id the same, the Store service still works only for the Store package, not the sideloaded package.

    Best regards,

    Mattew Wu

    • Proposed as answer by Mattew Wu Wednesday, November 8, 2017 2:50 AM
    Tuesday, November 7, 2017 8:09 AM
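    The two points made in this thread, that a CA-issued certificate (unlike a self-signed one) chains to a root the target machines already trust and can be revoked, and that the Publisher in AppxManifest.xml must equal the subject name of the signing certificate or signing fails with error 0x8007000B, can both be checked before signtool is ever run. The following PowerShell is an added example written for this page; it is not code from the thread, from Microsoft or from Visual Studio. It assumes signtool.exe from the Windows SDK is on the PATH, that the certificate is in the CurrentUser\My store, and the file paths and timestamp server URL are placeholders to replace with your own.

```powershell
# Added example, not code from the thread. Pre-flight checks before signing a
# sideloaded .appx: the manifest Publisher must equal the certificate Subject
# (otherwise signing fails with 0x8007000B), the certificate needs the Code
# Signing EKU and a private key, and it should chain to a root the target
# machines trust. Paths and the timestamp URL are assumptions for this example.

Set-StrictMode -Version Latest

function Test-AppxSigningCertificate {
    # Returns an object describing whether $Certificate can sign the package
    # described by $ManifestPath, and the reasons if it cannot.
    param(
        [Parameter(Mandatory)] [string] $ManifestPath,
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate
    )

    [xml] $manifest = Get-Content -LiteralPath $ManifestPath -Raw
    $publisher = $manifest.Package.Identity.Publisher
    $problems  = [System.Collections.Generic.List[string]]::new()

    # 1. Manifest Publisher must match the certificate subject. Comparing the
    #    DN strings approximates the encoded-name comparison signtool performs,
    #    but it catches the mismatch described in the thread before signing.
    if ($publisher.Trim() -ne $Certificate.Subject.Trim()) {
        $problems.Add("Manifest Publisher '$publisher' does not match certificate Subject '$($Certificate.Subject)' (the condition behind error 0x8007000B)")
    }

    # 2. The certificate must carry the Code Signing EKU (OID 1.3.6.1.5.5.7.3.3).
    $ekuExt = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasCodeSigning = $false
    if ($ekuExt) {
        $hasCodeSigning = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.3' })
    }
    if (-not $hasCodeSigning) { $problems.Add('Certificate lacks the Code Signing enhanced key usage') }

    # 3. Private key present and validity window still open.
    if (-not $Certificate.HasPrivateKey) { $problems.Add('No private key available for this certificate') }
    $now = Get-Date
    if ($now -lt $Certificate.NotBefore -or $now -gt $Certificate.NotAfter) {
        $problems.Add("Certificate is outside its validity period (NotAfter $($Certificate.NotAfter))")
    }

    # 4. Chain to a trusted root with online revocation checking. A self-signed
    #    certificate fails here on every machine that has not imported it (the
    #    deployment cost the answers mention); a revoked CA-issued certificate
    #    fails here too, which is the revocation a self-signed one cannot offer.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chainOk = $chain.Build($Certificate)
    $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    [pscustomobject]@{
        Publisher    = $publisher
        Subject      = $Certificate.Subject
        Thumbprint   = $Certificate.Thumbprint
        ChainTrusted = $chainOk
        ChainStatus  = $chainStatus
        CanSign      = ($problems.Count -eq 0)
        Problems     = $problems
    }
}

function Invoke-AppxSign {
    # Runs the checks, then signs and verifies the package; stops if a check fails.
    param(
        [Parameter(Mandatory)] [string] $ManifestPath,
        [Parameter(Mandatory)] [string] $PackagePath,
        [Parameter(Mandatory)] [string] $Thumbprint,
        [string] $TimestampUrl = 'http://timestamp.digicert.com'   # assumption: use your CA's RFC 3161 timestamp server
    )
    $cert  = Get-ChildItem -Path "Cert:\CurrentUser\My\$Thumbprint" -ErrorAction Stop
    $check = Test-AppxSigningCertificate -ManifestPath $ManifestPath -Certificate $cert
    if (-not $check.CanSign) {
        throw ("Refusing to sign:`n - " + ($check.Problems -join "`n - "))
    }
    if (-not $check.ChainTrusted) {
        Write-Warning "Certificate does not chain to a trusted root on this machine ($($check.ChainStatus)); sideload targets will need the root installed"
    }
    # Timestamping keeps the signature valid after the certificate expires.
    & signtool.exe sign /fd SHA256 /sha1 $Thumbprint /tr $TimestampUrl /td SHA256 $PackagePath
    if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }
    # /pa selects the default Authenticode policy, the one used to verify .appx packages.
    & signtool.exe verify /pa /v $PackagePath
    if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }
}

# Usage with assumed placeholder paths:
# Invoke-AppxSign -ManifestPath 'C:\build\AppxManifest.xml' -PackagePath 'C:\build\MyApp.appx' -Thumbprint '<thumbprint>'
```

    Run Test-AppxSigningCertificate on its own first on a build machine: a CanSign of $false with a Publisher/Subject mismatch is the same condition the 0x8007000B error reports, and a ChainTrusted of $false with a self-signed certificate shows what every sideload target will see until the certificate is imported into its Trusted Root or Trusted People store.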
  • Hi Mattew Wu

    "You could create certification channel by yourself and push notification so that both the Store app and sideloaded app will receive your service once they get installed."

    Could you please explain more about your comment above?

    If you change the publisherID in the app manifest to match the CA certificate for signing, then you will not receive push notifications, since it does not match the publisherID which we get when we associate the app with the Store.


    raja

    Wednesday, March 21, 2018 11:40 AM