Create a Code Signing Cert with Internal PKI for MSIX Packages

In this post I will be covering the steps needed to create a code signing certificate through an internal PKI which can then be used to sign your MSIX packages.

Create the Template

  • Launch Certification Authority from your CA, right-click Certificate Templates and select Manage.
  • From the Certificate Templates page, right-click on Code Signing and select Duplicate Template.


  • On the General tab, provide the name for the new template based on your organization’s naming standards (for example, MSIX Code Signing).
  • From the Compatibility tab, change the Certification Authority to Windows Server 2008 R2 or higher and change the Certificate Recipient to Windows 7/Server 2008 R2 or higher.


  • From the Request Handling tab, check the box Allow private key to be exported.
  • On the Extensions tab, select Basic Constraints and click Edit. Check the box Enable this extension and click OK.

Note: If this checkbox is grayed out, make sure the certificate template is set properly on the Compatibility tab.


  • On the Subject Name tab, select Supply in the request radio button and click OK on the warning dialog.
  • On the Security tab, add a user or group to allow them to enroll the certificate and select the Read and Enroll permissions.
  • Select OK to complete the template creation and close the Certificate Templates page.
  • From the Certification Authority page, right-click Certificate Templates, select New > Certificate Template to Issue. Select your newly created template and click OK.

Request the Certificate

  • Open an MMC and go to File > Add/Remove Snap-in…
  • Select Certificates, click Add, select My User account radio button (make sure you are signed in as a user that was granted enroll permissions outlined in previous steps), click Finish and then OK.
  • In the MMC, navigate to Certificates – Current user > Personal. Right-click Personal and select All Tasks > Request New Certificate.

  • From the Before You Begin screen, click Next.
  • On the Select Certificate Enrollment Policy screen, verify Active Directory Enrollment Policy is selected, and click Next.
  • On the Request Certificates screen, click on the link below the MSIX Code Signing (or whatever you decided to name it) template to configure additional settings.

  • On the Certificate Properties screen, under Subject Name, use the drop-down to select Common Name and enter a value. This value should be unique to your organization (for example, or just fmtrout) and will also be used as the Publisher in the MSIX package.
  • Once complete, click Add.

  • Back at the Request Certificates screen, make sure the template is selected and click Enroll.

Export the Certificate

  • Back at the MMC console window, navigate again to Certificates – Current User > Personal > Certificates and you should see the certificate we just enrolled in the last section.
  • Right-click the new certificate and select All Tasks > Export.

  • From the Welcome screen, click Next.
  • From the Export Private Key screen, select Yes, export the private key and click Next.

  • From the Export File Format screen, select Personal Information Exchange – PKCS #12 (.PFX), select Include all certificates in the certificate path if possible and Export all extended properties, and click Next.

  • On the Security screen, select Password and enter a password, then click Next.
  • From the File to Export screen, browse to a location to save the certificate and click Next.
  • From the Completing the Certificate Export Wizard screen, review the details of the export and click Finish.
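
Before signing, it is worth confirming that the enrolled certificate carries what the template steps above configured and that its subject matches the package's Publisher. The PowerShell below is an added example, not part of the original post; the subject `CN=Contoso MSIX`, the manifest fragment and the function name `Test-MsixSigningCert` are constructed placeholders, and the Publisher comparison assumes a CN-only subject as set up in the request step.

```powershell
# Added example: pre-signing checks for the certificate enrolled above.
# 'CN=Contoso MSIX' and the manifest fragment are constructed placeholders.
function Test-MsixSigningCert {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory)][xml]$Manifest
    )
    # Extensions set by the template: Code Signing EKU and Basic Constraints
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $bc = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })

    # Chain must build to a root this machine trusts (revocation not fetched here)
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($Cert)

    # Publisher attribute of <Identity> in AppxManifest.xml
    $publisher = $Manifest.Package.Identity.Publisher

    [pscustomobject]@{
        Subject          = $Cert.Subject
        Publisher        = $publisher
        PublisherMatches = ($Cert.Subject -ceq $publisher)   # strict, exact string match
        HasCodeSigning   = ($ekuOids -contains '1.3.6.1.5.5.7.3.3')
        BasicConstraints = [bool]$bc
        EndEntity        = ([bool]$bc -and -not $bc.CertificateAuthority)
        HasPrivateKey    = $Cert.HasPrivateKey
        NotExpired       = ($Cert.NotAfter -gt (Get-Date))
        ChainTrusted     = $trusted
    }
}

# Constructed sample manifest; in practice load the package's AppxManifest.xml
$manifest = [xml]@'
<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10">
  <Identity Name="Contoso.SampleApp" Publisher="CN=Contoso MSIX" Version="1.0.0.0" />
</Package>
'@

# Pick the newest code signing cert with the expected subject from the user store
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object Subject -eq 'CN=Contoso MSIX' |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if ($cert) { Test-MsixSigningCert -Cert $cert -Manifest $manifest }
else { Write-Warning 'No matching code signing certificate in Cert:\CurrentUser\My' }
```

Any `False` in the output is something to fix before signing. Because the template allows the private key to be exported and the subject to be supplied in the request, the exported PFX and the group granted Enroll are the two things to keep tightly controlled.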