sign UWP app with Certificate from Smart card?

  • Question

  • I am trying to define a deployment strategy for an internally developed and used UWP app for my organization.  We cannot publish this app to the store, so we wish to side-load it.  Currently, I am using a self-signed test certificate, and this works for our purposes of testing for the moment, but we would like to reach a more official "release" state and use a longer lasting certificate (and one that is verified by a CA, not a self-signed one).  We have smart cards with certificates available for signing emails, but I cannot import that into the VS 201x tool chain for signing UWP apps.

    I tried following these instructions, Active Directory Certificate Services (https://blogs.msdn.microsoft.com/emeamsgdev/2014/06/10/how-to-create-and-use-a-code-signing-certificate-for-clickonce-vsto-applications-using-active-directory-certificate-services/) to create a certificate that VS will at least open, but it doesn't like it (invalid entries in the certificate).  Even if VS would take it, it likely wouldn't work for all users since it is AD based, and some of our systems will be off-line.

    The only seemingly viable option I can find is to buy a Code Signing Cert from a public CA (like Thawte) and keep it up to date.  Which *is* an option, but seeing as all the systems that will receive this code install are internal, it seems like our internal Authority chain should have some means of generating the necessary certificate without going to a 3rd party, and all of us (developers and users) have smart cards with signature certs that I would think could be used for this purpose.

    Anyone have any pointers?


    • Edited by jasells Tuesday, July 3, 2018 6:26 PM
    Tuesday, July 3, 2018 6:26 PM

All replies

  • Hi jasells,
    >all of us have smart cards with signature certs that I would think could be used for this purpose
    Since I do not have detailed information about your smart cards and the certificates on them, I can only give my opinion: a certificate-based smart card should be able to sign the UWP package.

    >We cannot publish this app to the store, so we wish to side-load it. 
    As we all know, when you submit the app through the Windows Dev Center, the Store automatically maintains your certificate and package for you, without requiring you to maintain them manually. However, when sideloading, you need to maintain the package and certificate manually whenever the app has an update.
    If the reason you don't want to publish your app to the Store is that publishing in the Store will make your app be invisible to the public, I recommend the following two ways to publish the app to the Store while keeping your app invisible to the public:

    The first way is to set your app to be hidden in the Store; hidden apps are only available through a direct link and cannot be discovered in the Store.
    The second way is to publish your app to your private store in the Microsoft Store for Business; this way all employees in your organization can view and download the app.
    For more information, please check: Distribute apps using your private store
    The third way is using an LOB app, which can be published directly to enterprises for volume acquisition via Microsoft Store for Business, without being broadly available in the Store. This document, Distribute LOB apps to enterprises, describes the steps for distributing LOB apps.

    Best Regards
    Daisy Tian


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    Thursday, July 5, 2018 8:02 AM
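As an added illustration of the signing step discussed in the question and the reply above (this is not code from the thread or from Microsoft): a PowerShell script that checks a certificate from the user's store, which is where a smart-card-backed certificate appears, for the properties an .appx/.msix signature needs (valid, private key present, Code Signing EKU, Subject equal to the manifest Publisher) and then signs with SignTool. The package and manifest paths, the Windows SDK version in the signtool.exe path and the timestamp server URL are assumptions; adjust them for your environment.

```powershell
# Added example (not the thread's own code). Checks a store certificate, then signs a package.
# Paths, SDK version and timestamp URL below are placeholders for your environment.
param(
    [string]$Package  = 'C:\build\MyApp_1.0.0.0_x64.appx',          # placeholder
    [string]$Manifest = 'C:\build\MyApp\AppxManifest.xml',         # placeholder
    [string]$SignTool = "${env:ProgramFiles(x86)}\Windows Kits\10\bin\10.0.19041.0\x64\signtool.exe"  # placeholder SDK version
)

# OID for the Code Signing enhanced key usage; an S/MIME (email) certificate carries
# Secure Email instead, which is why such a certificate is rejected for package signing.
$codeSigningEku = '1.3.6.1.5.5.7.3.3'

# The Publisher attribute in AppxManifest.xml must match the signing certificate's Subject.
[xml]$xml = Get-Content -Path $Manifest
$publisher = $xml.Package.Identity.Publisher

# Smart card certificates are surfaced in the user's personal store; the private key stays
# on the card and SignTool reaches it through the card's CSP/KSP (the card prompts for its PIN).
$candidates = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and
    $_.Subject -eq $publisher -and
    $_.NotAfter -gt (Get-Date) -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $codeSigningEku })
}

if (-not $candidates) {
    Write-Error "No valid certificate with Subject '$publisher' and the Code Signing EKU was found. Request a Code Signing certificate (not an email certificate) from your CA."
    exit 1
}

# Prefer the certificate that stays valid the longest.
$cert = $candidates | Sort-Object -Property NotAfter -Descending | Select-Object -First 1
Write-Host "Signing with $($cert.Thumbprint) ($($cert.Subject)), valid until $($cert.NotAfter)"

# /sha1 selects the store certificate by thumbprint (no PFX export needed);
# /fd SHA256 is required for appx/msix; /tr adds an RFC 3161 timestamp so the
# signature stays valid after the certificate expires (URL is an example).
& $SignTool sign /fd SHA256 /sha1 $cert.Thumbprint /tr 'http://timestamp.digicert.com' /td SHA256 $Package
if ($LASTEXITCODE -ne 0) { throw "signtool failed with exit code $LASTEXITCODE" }

# Clients installing the package must trust the issuing chain: for machines that are
# offline from the domain, import the internal CA root into Cert:\LocalMachine\Root.
```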
  • Daisy,


    Thank you for your reply.  You certainly gave me some options to consider.  I will have to look into more detail about hiding apps in the store and setting up a private store.

    Monday, July 9, 2018 2:16 PM
  • Hi jasells,

    How is your app going? Did you publish your app in private store successfully?

    Best Regards

    Daisy Tian


    MSDN Community Support

    Thursday, July 12, 2018 8:37 AM
  • No, we haven't published it, yet.  

    We probably need a private Enterprise Store set up, but we don't have buy-in from leadership yet to invest the time to set it up.


    We are currently just manually distributing and side-loading our app.  
    • Edited by jasells Tuesday, January 15, 2019 7:39 PM
    Tuesday, January 15, 2019 7:38 PM
  • Hi Jasells, were you ever able to sign the app to see whether that fixed your issues? The issue I'm having is that on our users' computers, who have the "sideload apps" setting chosen (in 'for developer settings' on Win10)...they can run the app with our self-signed app...but they can't use it to authenticate using a smart card...the certificate picker comes up but the PIN dialog never does...the only way it does for me is because I'm in 'developer mode'. I thought maybe signing the app with a 'real' certificate might help...but am not sure. Any updates?

    Just a guy trying to get things done.

    Monday, December 16, 2019 2:12 PM