
Create a Code Signing Cert with Internal PKI for MSIX Packages

In this post I will be covering the steps needed to create a code signing certificate through an internal PKI which can then be used to sign your MSIX packages.


Create the Template

  • Launch Certification Authority from your CA, right-click Certificate Templates and select Manage.
  • From the Certificate Templates page, right-click on Code Signing and select Duplicate Template.

[Screenshot: templates_codesign]

  • On the General tab, provide the name for the new template based on your organization’s naming standards (for example, MSIX Code Signing).
  • From the Compatibility tab, change the Certificate Authority to Windows Server 2008 R2 or higher and change the Certificate Recipient to Windows 7/Server 2008 R2 or higher.

[Screenshot: ca_compat]

  • From the Request Handling tab, check the box Allow private key to be exported.
  • On the Extensions tab, select Basic Constraints and click Edit. Check the box Enable this extension and click OK.

Note: If this checkbox is grayed out, make sure the certificate template is set properly on the Compatibility tab.

[Screenshot: cs_ext]

  • On the Subject Name tab, select Supply in the request radio button and click OK on the warning dialog.
  • On the Security tab, add a user or group to allow them to enroll the certificate and select the Read and Enroll permissions.
  • Select OK to complete the template creation and close the Certificate Templates page.
  • From the Certification Authority page, right-click Certificate Templates, select New > Certificate Template to Issue. Select your newly created template and click OK.
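The template wizard above is click-through only, so here is an added PowerShell check (not from the original post) that reads the duplicated template back from Active Directory and confirms the three settings that matter for MSIX signing, then confirms the CA actually publishes it. It assumes the RSAT ActiveDirectory module is installed, that you run it on a domain-joined machine as a user who can read the Configuration partition, and that the template was named "MSIX Code Signing" so its LDAP template name is "MSIXCodeSigning" (the GUI strips the spaces); adjust `$templateName` if you chose a different name.

```powershell
# Added example: verify the duplicated template's settings from AD and the CA.
# Assumption: template display name "MSIX Code Signing" -> LDAP name "MSIXCodeSigning".
$templateName = 'MSIXCodeSigning'

$configNC    = (Get-ADRootDSE).configurationNamingContext
$templatesDN = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$t = Get-ADObject -SearchBase $templatesDN -Filter "name -eq '$templateName'" `
        -Properties msPKI-Private-Key-Flag, msPKI-Certificate-Name-Flag, pKIExtendedKeyUsage
if (-not $t) { throw "Template '$templateName' not found under $templatesDN" }

# Bit values defined in the AD schema for these attributes
$CT_FLAG_EXPORTABLE_KEY            = 0x10   # msPKI-Private-Key-Flag: "Allow private key to be exported"
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1    # msPKI-Certificate-Name-Flag: "Supply in the request"
$codeSigningEku                    = '1.3.6.1.5.5.7.3.3'

[pscustomobject]@{
    Template             = $t.Name
    PrivateKeyExportable = [bool]($t.'msPKI-Private-Key-Flag' -band $CT_FLAG_EXPORTABLE_KEY)
    SubjectFromRequest   = [bool]($t.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
    HasCodeSigningEku    = ($t.pKIExtendedKeyUsage -contains $codeSigningEku)
}

# "Certificate Template to Issue" step: the CA must list the template
$issued = certutil -CATemplates 2>&1 | Select-String -Pattern "^${templateName}:"
if ($issued) { "CA publishes $templateName" } else { Write-Warning "CA does not list $templateName yet" }
```

All three properties should report `True` and the CA should list the template. Because this template lets the enrollee supply the subject and export the private key, treat the Security tab as the real control: grant Enroll only to the specific group that signs packages, not to Domain Users, since anyone who can enroll can mint a code-signing certificate with whatever Common Name they choose.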

Request the Certificate

  • Open an MMC and go to File > Add/Remove Snap-in…
  • Select Certificates, click Add, select the My user account radio button (make sure you are signed in as a user that was granted Enroll permission in the previous steps), click Finish and then OK.
  • In the MMC, navigate to Certificates – Current user > Personal. Right-click Personal and select All Tasks > Request New Certificate.

  • From the Before You Begin screen, click Next. On the Select Certificate Enrollment Policy screen, verify Active Directory Enrollment Policy is selected, and click Next.
  • On the Request Certificates screen, click on the link below the MSIX Code Signing (or whatever you decided to name it) template to configure additional settings.

  • On the Certificate Properties screen, under Subject Name, select Common Name from the drop-down. This value should be unique to your organization (for example, fmtrout.com or just fmtrout) and will also be used as the Publisher in the MSIX package.
  • Once complete, click Add.

  • Back at the Request Certificates screen, make sure the template is selected and click Enroll.
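The same enrollment can be scripted with the built-in PKI module, which is handy when the signing certificate lives on a build server. This is an added example, not from the original post; it assumes the template's LDAP name is "MSIXCodeSigning", uses the post's example publisher name "fmtrout", and must run as the user who was granted Enroll on the template.

```powershell
# Added example: enroll from the template with Get-Certificate instead of the MMC wizard.
# Assumptions: LDAP template name "MSIXCodeSigning", publisher Common Name "fmtrout".
$templateName = 'MSIXCodeSigning'
$publisherCN  = 'fmtrout'   # this CN becomes the Publisher in the MSIX manifest

$result = Get-Certificate -Template $templateName `
                          -SubjectName "CN=$publisherCN" `
                          -CertStoreLocation 'Cert:\CurrentUser\My'

if ($result.Status -ne 'Issued') {
    throw "Enrollment did not complete: status '$($result.Status)' (check Enroll permission or CA approval)"
}
$cert = $result.Certificate

# Checks to run before relying on the certificate for signing
$checks = [ordered]@{
    'Subject is the publisher name' = ($cert.Subject -eq "CN=$publisherCN")
    'Has Code Signing EKU'          = ($cert.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.3')
    'Private key present'           = $cert.HasPrivateKey
    'Chains to a trusted root'      = $cert.Verify()
}
$checks.GetEnumerator() | ForEach-Object { '{0,-32} {1}' -f $_.Key, $_.Value }
"Thumbprint: $($cert.Thumbprint)"
```

If "Chains to a trusted root" is `False` on the machine that will verify signatures, the issuing CA's chain has not been distributed to it; MSIX installs will fail on that machine until the internal root is trusted there.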

Export the Certificate

  • Back at the MMC console window, navigate again to Certificates – Current User > Personal > Certificates and you should see the certificate we just enrolled in the last section.
  • Right-click the new certificate and select All Tasks > Export.

  • From the Welcome screen, click Next.
  • From the Export Private Key screen, select Yes, export the private key and click Next.

  • From the Export File Format screen, select Personal Information Exchange – PKCS #12 (.PFX), select Include all certificates in the certificate path if possible and Export all extended properties, and click Next.

  • On the Security screen, select Password and enter a password, then click Next.
  • From the File to Export screen, browse to a location to save the certificate and click Next.
  • From the Completing the Certificate Export Wizard screen, review the details of the export and click Finish.
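For completeness, here is the export done from PowerShell together with the check the post's Common Name advice implies: the certificate subject must equal the Publisher in your AppxManifest.xml, or signing the package will fail. This is an added example, not from the original post; it assumes the subject CN is "fmtrout" and the two file paths are placeholders you replace with your own.

```powershell
# Added example: export the enrolled certificate to a PFX (with its chain, as the
# wizard's "Include all certificates in the certification path" option does) and
# confirm its subject matches the MSIX manifest's Publisher.
# Assumptions: subject CN "fmtrout"; both paths below are placeholders.
$publisherCN  = 'fmtrout'
$pfxPath      = 'C:\certs\msix-codesign.pfx'        # placeholder output path
$manifestPath = 'C:\src\MyApp\AppxManifest.xml'     # placeholder manifest path

# Pick the newest code-signing certificate for this publisher that has a private key
$cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Subject -eq "CN=$publisherCN" -and $_.HasPrivateKey -and
                       ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.3') } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No code-signing certificate with a private key for CN=$publisherCN in CurrentUser\My" }

# Prompt for the password instead of hard-coding it (the wizard's Security screen)
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'

# Fails if the template did not allow the private key to be exported
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword -ChainOption BuildChain | Out-Null
"Exported $($cert.Thumbprint) to $pfxPath"

# The manifest's Identity Publisher must equal the certificate subject
[xml]$manifest = Get-Content -Path $manifestPath
$publisher = $manifest.Package.Identity.Publisher
if ($publisher -ne $cert.Subject) {
    Write-Warning "Manifest Publisher '$publisher' does not match certificate subject '$($cert.Subject)'"
} else {
    "Publisher matches certificate subject: $publisher"
}
```

Store the PFX where only the build or packaging account can read it; it holds the private key that proves your organization published the package, so a copy in source control or a shared folder is a signing key for anyone who finds it.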