Reputation: 883
I'm just a little overwhelmed by all the certificates, and I hope I can find some help here.
So basically I have a sideloaded UWP app (that I created with Visual Studio) where the certificate runs out in the next few days. I was able to extend the certificate by creating a new one, which can also stay alive for 1 year. But I wondered if it is possible to extend it from 1 year to like 5 years or so. The "solutions" I found are either to buy a certificate or to create one myself.
Well, about buying one: I've been looking through the internet but could not tell what I am actually looking for. There are a few different certificates and I don't know which I need for a UWP app. Does anyone know what I have to look at? Buying one is expensive and I would rather not buy the wrong one.
Now about creating one myself. There are a few suggestions on how to do it, but after reading through some of the suggestions it felt like the "guides" were incomplete. Some ways were deprecated. Others have not given me enough information for me to do it myself. Does anyone have a good guide on how to create my own certificate with a longer lifecycle for sideloaded UWP apps?
(Also a not so important question for now, but later it will probably be important: how would you integrate a bought/self-created certificate?)
edit
Alright, so far I have created a certificate for package signing like this: I opened PowerShell and wrote this in it:
# Expiry five years from today (New-SelfSignedCertificate defaults to one year)
$notAfter = [datetime]::Today.AddYears(5)
# Create the self-signed certificate in the machine store and keep its thumbprint
$thumb = (New-SelfSignedCertificate -Type Custom -Subject "CN=myCN" -KeyUsage DigitalSignature -FriendlyName iTest -CertStoreLocation "Cert:\LocalMachine\My" -NotAfter $notAfter).Thumbprint
# Password for the exported PFX (the plain-text password here is "t")
$pwd = ConvertTo-SecureString -String t -Force -AsPlainText
# Export the certificate together with its private key to a PFX file
Export-PfxCertificate -Cert "Cert:\LocalMachine\My\$thumb" -FilePath C:\MyTest.pfx -Password $pwd
Then I installed this certificate like this:
- From the Windows RT PC, either map the network share or connect the USB drive where you can access the AppPackages folder that contains the app package to install. Use Windows Explorer to open that folder.
- Double-tap the certificate file in the folder and then tap Install Certificate. This displays the Certificate Import Wizard.
- In the Store Location group, tap the radio button to change the selected option to Local Machine.
- Click Next. Tap OK to confirm the UAC dialog.
- In the next screen of the Certificate Import Wizard, change the selected option to Place all certificates in the following store.
- Tap the Browse button. In the Select Certificate Store pop-up window, scroll down and select Trusted People, and then tap OK.
- Tap the Next button; a new screen appears. Tap the Finish button.
- A confirmation dialog should appear; if so, click OK. (If a different dialog indicates that there is some problem with the certificate, you may need to do some certificate troubleshooting. However, describing what to do in that case is beyond the scope of this topic.)
Then in Visual Studio I go into the properties of my Package.appxmanifest
-> Choose Certificate -> Select from file
I pick my file and get this Error message:
The Manifest Designer could not import the certificate.
The certificate you selected is not valid for signing because it is either expired or has another issue. For more information, see http://go.microsoft.com/fwlink/?LinkID=241478.
But this does not help me. I guess I'm missing a lot of steps. What else do I need to do?
edit2
I tried to use the signtool with windows powershell:
signtool sign /fd sha256 /a /f C:\MyTest.pfx /p t C:\path\to\Package.appxmanifest
This did not work. Error message (freely translated from German to English):
signtool : The name "signtool" is not recognized as the name of a cmdlet, function, script file, or executable file. Check the name or the path and try again.
My signtool.exe is here: C:\Program Files (x86)\Windows Kits\10\bin\x86
Upvotes: 1
Views: 950
Reputation: 169340
When you create a self-signed certificate using the New-SelfSignedCertificate PowerShell cmdlet, you could use the NotAfter parameter to specify the date and time when the certificate expires. Please see the docs for an example.
The certificate must then be installed on the device where you intend to sideload the app. Please refer to the docs and this answer for more information about how to sideload an app on Windows 10. You basically need to turn on sideloading and import the certificate.
If the app is signed with a certificate that chains to a trusted root authority on the client machine, you don't need to import the certificate. Most certificates that you buy from a certificate authority (CA) do.
Upvotes: 1
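The following script is an added example, not code from the question or the answer above. It puts the steps the question describes (create the certificate with NotAfter, export it, trust it on the target machine, sign the package with signtool) into one PowerShell sequence. Two things differ from the command in the question: the certificate carries the Code Signing enhanced key usage (OID 1.3.6.1.5.5.7.3.3) and an end-entity Basic Constraints extension, which is what the Manifest Designer and signtool check for, and signtool is called by its full path because the Windows Kits bin directory is not on PATH. The Subject "CN=myCN" is taken from the question and must equal the Publisher attribute in Package.appxmanifest; the package path, the friendly name and the x86 SDK path are assumptions for this example.

```powershell
# Added example: 5-year self-signed code-signing certificate for a sideloaded UWP app.
# Assumptions (adjust to your environment):
#   - Package.appxmanifest has <Identity Publisher="CN=myCN" ...>
#   - the built package is C:\AppPackages\MyApp.appx
#   - signtool.exe is in the Windows 10 SDK x86 bin directory named in the question
$publisher   = "CN=myCN"
$pfxPath     = "C:\MyTest.pfx"
$cerPath     = "C:\MyTest.cer"
$packagePath = "C:\AppPackages\MyApp.appx"
$signtool    = "C:\Program Files (x86)\Windows Kits\10\bin\x86\signtool.exe"

# 1. Create the certificate in the current user's personal store (no elevation needed).
#    -NotAfter overrides the one-year default.
#    2.5.29.37 = Enhanced Key Usage, set to Code Signing (1.3.6.1.5.5.7.3.3)
#    2.5.29.19 = Basic Constraints, empty text = end-entity certificate, not a CA
$cert = New-SelfSignedCertificate -Type Custom `
    -Subject $publisher `
    -KeyUsage DigitalSignature `
    -FriendlyName "UWP sideload signing" `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -NotAfter ([datetime]::Today.AddYears(5)) `
    -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.3", "2.5.29.19={text}")

# Sanity check: refuse to continue if the Code Signing EKU is missing.
if (-not ($cert.EnhancedKeyUsageList.ObjectId -contains "1.3.6.1.5.5.7.3.3")) {
    throw "Certificate lacks the Code Signing EKU; signing would be rejected."
}
"Created {0}, valid until {1}" -f $cert.Thumbprint, $cert.NotAfter

# 2. Export the private key as a password-protected PFX (for Visual Studio's
#    "Choose Certificate -> Select from file") and the public part as .cer
#    (for the machines that will run the app). The password is prompted, not
#    hard-coded in the script.
$pfxPassword = Read-Host -AsSecureString -Prompt "PFX password"
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null
Export-Certificate    -Cert $cert -FilePath $cerPath | Out-Null

# 3. On the target machine, in an elevated PowerShell: trust the public certificate.
#    Trusted People is the store the sideloading docs use; this is the scripted
#    equivalent of the Certificate Import Wizard steps listed in the question.
Import-Certificate -FilePath $cerPath -CertStoreLocation "Cert:\LocalMachine\TrustedPeople" | Out-Null

# 4. Sign the .appx package (not the .appxmanifest) on the build machine.
#    /sha1 selects the certificate from the current user's My store by thumbprint,
#    so the PFX password is never passed on the command line. /fd sha256 is
#    required for app packages.
& $signtool sign /fd sha256 /sha1 $cert.Thumbprint $packagePath
if ($LASTEXITCODE -ne 0) { throw "signtool failed with exit code $LASTEXITCODE" }
```

Step 3 has to run on every machine that will sideload the app (with Developer Mode or sideloading enabled), while steps 1, 2 and 4 run on the build machine. If the Publisher in the manifest and the certificate Subject differ, Visual Studio and signtool both reject the certificate, so change one to match the other before signing.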