eSS92

Reputation: 251

Extend certificate expired date for windows app

How to extend the expiry date of a Windows app certificate? We're sideloading the app. The main obstacle is that the certificate expires every year, which is bothersome to renew through GP because we already have issues in our environment. We would like to extend it for at least 5 years.

I have managed to find TechNet articles on how to create a code signing certificate, but it didn't work. Visual Studio doesn't accept the certificate and gives an error message that it is corrupted or invalid. https://learn.microsoft.com/en-us/windows/uwp/packaging/create-certificate-package-signing#create-a-self-signed-certificate https://technet.microsoft.com/itpro/powershell/windows/pki/new-selfsignedcertificate

Is there any way to do it easily?

Upvotes: 5

Views: 2621

Answers (2)

Denis G. Labrecque

Reputation: 1291

The process is described in Microsoft documentation, but it is convoluted. There is no "visual" part as "Visual Studio" would suggest.

To sideload an application, it is sufficient to create a self-signed certificate, which means that you trust yourself. There is no trust from a CA (certification authority) involved.

These steps worked for me. The whole process is done in PowerShell, run as administrator.

Create the certificate

    New-SelfSignedCertificate -Type Custom -Subject "CN=Company Name, O=Company Name Inc., C=CA" -KeyUsage DigitalSignature -FriendlyName "Programming certificate, 50 years" -CertStoreLocation "Cert:\CurrentUser\My" -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.3", "2.5.29.19={text}") -NotBefore (Get-Date) -NotAfter (Get-Date).AddYears(50)

  1. The -Subject item may contain only the CN= part, I believe the other bits are optional. O= seems to refer to the organization and C= the country code.
  2. The -CertStoreLocation and -TextExtension are correct as written (see the documentation). I am not too familiar with what -CertStoreLocation really means, as I was not able to find it later, but that is what Microsoft suggests and remains irrelevant to the process.
  3. The (Get-Date) bits get the current date, and .AddYears(50) would be modified to how many years the certificate should last.

The output will display the thumbprint; copy it.

Export the certificate

  1. Set a password variable (confusingly, the password here is written without quotes).

    $password = ConvertTo-SecureString -String CustomPasswordYouWouldChoose -Force -AsPlainText

  2. Export the certificate; paste the thumbprint in the "Cert:\CurrentUser\My..." string and choose a file path (in my case, using the C:\ drive worked fine).

    Export-PfxCertificate -cert "Cert:\CurrentUser\My\YOURTHUMBPRINTHERE" -FilePath C:\ProgrammingCertificate.pfx -Password $password

Add the certificate in Visual Studio

Go to Package.appxmanifest > Packaging > Choose Certificate... > Select from file... > then select your exported certificate.

Install the certificate on sideload deployment

Double-click the certificate file > Install Certificate... > Local Machine > Place all certificates in the following store > Browse > Trusted People > accept all and the import should be successful. Congratulations, the application is now certified by yourself.

Upvotes: 4

anssi

Reputation: 739

You could do something like this; the subject must be the same as the UWP app's Publisher (package.appxmanifest):

    New-SelfSignedCertificate -Type Custom -Subject "CN=Something" -TextExtension @("2.5.29.37={critical}{text}1.3.6.1.5.5.7.3.3", "2.5.29.19={text}") -KeyUsage DigitalSignature -FriendlyName "Friendly Name" -CertStoreLocation "Cert:\LocalMachine\My" -NotBefore (Get-Date) -NotAfter (Get-Date).AddYears(5)

Now export to .pfx and add the thumbprint to the PackageCertificateThumbprint.

Upvotes: 1
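
A pre-flight check for the certificate produced by either answer above, as an added example that is not part of either answer: it confirms the properties the two commands request (Code Signing EKU, end-entity Basic Constraints, DigitalSignature key usage), that the subject matches the manifest's Publisher, and that the private key and validity period are in order before the .pfx is handed to Visual Studio. `Test-PackageSigningCert` and its parameter names are hypothetical; the subject check is a plain string comparison.

```powershell
# Added example: verify a package-signing certificate before exporting it.
# Test-PackageSigningCert is a hypothetical helper name; thumbprint and paths are placeholders.
function Test-PackageSigningCert {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [Parameter(Mandatory)] [string] $ManifestPath,
        # Use 'Cert:\LocalMachine\My' if the certificate was created there.
        [string] $StorePath = 'Cert:\CurrentUser\My'
    )
    $cert = Get-Item -LiteralPath "$StorePath\$Thumbprint" -ErrorAction Stop
    [xml] $manifest = Get-Content -LiteralPath $ManifestPath -Raw
    $publisher = $manifest.Package.Identity.Publisher

    # Look up extensions by OID: EKU, Basic Constraints, Key Usage.
    $eku = $cert.Extensions['2.5.29.37']
    $bc  = $cert.Extensions['2.5.29.19']
    $ku  = $cert.Extensions['2.5.29.15']
    $ekuOids = @()
    if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    $sigFlag = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature
    $now = Get-Date
    $expiry = $cert.NotAfter.ToString('yyyy-MM-dd')

    $checks = [ordered]@{
        'Subject equals manifest Publisher'        = ($cert.Subject -eq $publisher)
        'EKU contains Code Signing (1.3.6.1.5.5.7.3.3)' = ($ekuOids -contains '1.3.6.1.5.5.7.3.3')
        'Basic Constraints: end entity'            = ($null -ne $bc -and -not $bc.CertificateAuthority)
        'Key Usage: DigitalSignature'              = ($null -ne $ku -and $ku.KeyUsages.HasFlag($sigFlag))
        'Private key present (needed for .pfx)'    = $cert.HasPrivateKey
        "Within validity period (expires $expiry)" = ($cert.NotBefore -le $now -and $now -le $cert.NotAfter)
    }
    # Emit one object per check so the result can be filtered or formatted as a table.
    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Check = $name; Passed = [bool] $checks[$name] }
    }
}

# Usage (placeholders):
# Test-PackageSigningCert -Thumbprint 'YOURTHUMBPRINTHERE' -ManifestPath .\Package.appxmanifest |
#     Format-Table -AutoSize
```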
