Signing Windows 8 applications using an Internal PKI

So – your development cycle is complete and you are ready to deploy the much anticipated Windows 8 application you have developed to your clients. You will quickly realize that deployment cannot happen until the appx package has been signed. All deployment methods (Windows Store, PowerShell or System Center 2012 Configuration Manager) require the application to be signed with a certificate issued by a trusted source before you can deploy it.

If your application was developed with the intention of staying within the corporate landscape, then you may use a certificate issued by an internally hosted trusted CA. A lot of documentation is available about the requirements for the issued certificate, but a how-to guide was not available until now. This blog post walks you through the steps required to sign an internally developed application and install it on production systems.

The screen captures in this blog post were taken on a Windows Server 2012 Domain Controller, a Windows Server 2012 Certificate Authority, Visual Studio 2012 and Windows 8 Enterprise. The procedures for Windows Server 2008 R2 vary slightly, but the same certificate requirements can be completed.

The diagram below identifies the workflow that this blog post will walk you through.



Get the Certificate

Visual Studio will validate the certificate used to sign the app in the following ways:

  • Verifies the presence of the Basic Constraints extension and its value, which must be either Subject Type=End Entity or unspecified.
  • Verifies the value of the Enhanced Key Usage property, which must contain Code Signing and may also contain Lifetime Signing. Any other EKUs are prohibited.
  • Verifies the value of the KeyUsage (KU) property, which must be either Unset or DigitalSignature.
  • Verifies that a private key exists for the certificate.
  • Verifies that the certificate is active, hasn't expired, and hasn't been revoked.

Create the Template

The built-in Windows 2008 R2 or Windows 2012 templates will not allow the creation of a certificate which meets all of these requirements. A new template must be created which allows the issuance of a properly configured certificate.

Load an MMC and add the Certification Authority and Certificate Templates snap-ins


Select Certificate Templates > Right Click on Code Signing > Duplicate Template


On the Compatibility tab

· Change Certificate Authority to Windows Server 2008 R2 or Higher

· Change the Certificate Recipient to Windows 7/Server 2008 R2 or Higher

Note: These two changes allow the Basic Constraints Extension to be enabled.


On the Request Handling tab

· Check the box to allow the private key to be exported


On the General tab

· Provide a useful name for this new template


On the Extensions tab

· Click on the Application Policies extension and verify that Code Signing is listed

Note: For additional security, you can also add the Lifetime Signing application policy (EKU) to this template so that signatures made with the certificate are no longer considered valid after it expires.


On the Extensions tab

· Click on Basic Constraints and click Edit and check the box to Enable this extension.

Note: If this checkbox is grayed out, make sure the certificate template is set properly on the Compatibility tab.


On the Subject Name tab

· Select the Supply in the request radio button and click OK on the warning


On the Security tab

· Add a user or group to allow them to enroll for the certificate. They must have the Read and Enroll permissions.


In the MMC, expand Certificate Authority > {CAName} > Right Click Certificate Templates > New > Certificate Template to Issue

Select the Template Name just created > Click OK


Notice the APPX Code Signing Template is now listed on the CA under Certificate Templates


Request the Certificate

The certificate template has been created and now must be requested to generate a certificate (.cer with its private key) that is placed in the local store of the computer the request is made from. It doesn't matter which system makes the request, because the certificate is immediately exported to the .pfx file needed to sign the application.

Open an MMC, add the Certificates snap-in and select the My user account radio button.

In the MMC > Expand Certificates – Current user > Personal > Right Click on Certificates > All Tasks > Request New Certificate

Note: The computer store can be used as well, but the computer account would need permission to enroll the certificate. In this example, we only added permissions for the application developers group.


Click Next on the Before You Begin screen


On the Select Certificate Enrollment Policy screen

· Ensure Active Directory Enrollment Policy is selected

· Click Next


On the Request Certificates screen

· Click on the link below the APPX Code Signing template to configure additional settings

Note: The Enroll button cannot be selected until the missing settings are configured.


On the Certificate Properties screen

· Under Subject Name the type should be Common Name

· Value must be the same as the Publisher value in the Visual Studio 2012 package.appxmanifest

· Click Add

Note: The CN= is automatically appended and is not required when typing the Publisher Name. In this example just ContosoAppDev was entered in the value textbox.



On the Request Certificates screen

· APPX Code Signing is selected

· Click Enroll


On the Certificate Installation Results screen

· Check the status

· Click Finish


On the Certificates – Current User MMC

· The new certificate will be listed



Export to PFX

Visual Studio requires the .pfx format to sign the application. In the previous step, we generated a .cer file which is located in the user store. We need to export that .cer together with its private key to a .pfx in preparation for signing.
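The following PowerShell script is an added example, not part of the original post. It covers the "Get the Certificate" checks and the Publisher match described above: it reads the Publisher from package.appxmanifest, locates the matching certificate in the current user's Personal store, tests it against the five rules Visual Studio applies, and exports it to a .pfx. The paths and the password prompt are assumptions for illustration.

```powershell
# Added example (not from the original post). Paths are placeholders.
$ManifestPath = 'C:\Src\MyApp\package.appxmanifest'
$PfxPath      = 'C:\Keys\ContosoAppDev.pfx'
$PfxPassword  = Read-Host -AsSecureString -Prompt 'PFX password'

# Publisher attribute of <Identity>, e.g. "CN=ContosoAppDev"; the certificate
# Subject must be exactly this string.
[xml]$manifest = Get-Content -Path $ManifestPath
$publisher = $manifest.Package.Identity.Publisher

$cert = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq $publisher -and $_.HasPrivateKey } |   # rule 4: private key present
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for Subject '$publisher' in CurrentUser\My" }

$ns = 'System.Security.Cryptography.X509Certificates'
$problems = @()

# Rule 1: Basic Constraints absent, or present with Subject Type = End Entity (CA = false)
$bc = $cert.Extensions | Where-Object { $_ -is ("$ns.X509BasicConstraintsExtension" -as [type]) }
if ($bc -and $bc.CertificateAuthority) { $problems += 'Basic Constraints marks this as a CA certificate' }

# Rule 2: EKU must contain Code Signing; only Lifetime Signing may be added
$eku  = $cert.Extensions | Where-Object { $_ -is ("$ns.X509EnhancedKeyUsageExtension" -as [type]) }
$oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
if ($oids -notcontains '1.3.6.1.5.5.7.3.3') { $problems += 'EKU lacks Code Signing (1.3.6.1.5.5.7.3.3)' }
$extra = $oids | Where-Object { $_ -notin '1.3.6.1.5.5.7.3.3', '1.3.6.1.4.1.311.10.3.13' }
if ($extra) { $problems += "Prohibited EKU(s): $($extra -join ', ')" }

# Rule 3: Key Usage unset, or exactly Digital Signature
$ku = $cert.Extensions | Where-Object { $_ -is ("$ns.X509KeyUsageExtension" -as [type]) }
if ($ku -and $ku.KeyUsages -ne [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature) {
    $problems += "Key Usage is '$($ku.KeyUsages)', expected DigitalSignature"
}

# Rule 5: active, unexpired and not revoked; Online mode pulls the internal CA's CRL/OCSP
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
if (-not $chain.Build($cert)) {
    $problems += ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() })
}

if ($problems) { throw "Certificate $($cert.Thumbprint) is not usable for appx signing:`n - $($problems -join "`n - ")" }

# Same options as the wizard: private key, full chain, password protected
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $PfxPassword -ChainOption BuildChain | Out-Null
"Exported $($cert.Subject) ($($cert.Thumbprint)) to $PfxPath"
```

Export-PfxCertificate ships with the PKI module on Windows 8 / Windows Server 2012; the chain and extension checks above use only the .NET X509 classes, so they also work on Windows 7 with PowerShell 3.0.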

On the Certificates – Current User MMC

· Right Click the New Certificate > Click All Tasks > Click Export


On the Welcome screen

· Click Next


On the Export Private key screen

· Click ‘Yes, export the private key’

· Click Next


On the Export File Format screen

· Ensure Personal Information Exchange is selected

· Ensure Include all certificates in the certification path if possible is checked

· Check Export all extended properties

· Click Next


On the Security screen

· Select the Password checkbox

· Enter a password (this will be needed during import into Visual Studio 2012)

· Click Next


On the File to Export screen

· Provide a path and filename

· Click Next


On the Completing the Certificate Export Wizard screen

· Click Next


On the Certificate Export Wizard message box

· Click OK


Sign the Application

Open Windows Explorer to the location where the .pfx file was saved.

Note: The .pfx file should be moved to a computer with VS 2012 installed.


Open the Visual Studio 2012 project to be signed

· Double-click package.appxmanifest

· Click Choose Certificate…


On the Choose Certificate screen

· Click Configure Certificate > Select from File…


On the Select File screen

· Navigate to and select the exported PFX file

· Click Open


On the Enter Password screen

· Enter Password

· Click OK


On the Choose Certificate screen

· Click OK


Package the signed APPX

We created the .pfx file needed to sign the application in the previous steps, so now we can package the signed application.

Open the Visual Studio 2012 project to be packaged


Inside the project

· Right click the Project

· Click Rebuild


Inside Solution Explorer

· Right click the solution to be packaged

· Click Store

· Click Create App Package


On Create Your Package screen

· Select No (the package will not be uploaded to the Windows Store)

· Click Next


On the Select and Configure Packages screen

· Specify the path for the package to be placed

· Click Create


On the Package Creation Completed screen

· Click OK

Note: You may click on the link provided to navigate to the location the package was placed.
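For a build server that cannot drive the Visual Studio wizards, this added example (not code from the original post) signs the .appx produced by Create App Package with signtool.exe from the Windows 8 SDK and then verifies the signature. It assumes signtool.exe is on the PATH; the paths and password prompt are placeholders.

```powershell
# Added example (not from the original post). Paths are placeholders.
$AppxPath    = 'C:\Packages\MyApp_1.0.0.0_AnyCPU.appx'
$PfxPath     = 'C:\Keys\ContosoAppDev.pfx'
$PfxPassword = Read-Host -Prompt 'PFX password'

# Appx packages must be signed with a SHA-256 file digest (/fd SHA256).
# The Subject of the certificate in the PFX must equal the Publisher in the
# package's AppxManifest.xml, otherwise signtool refuses to sign the package.
& signtool.exe sign /fd SHA256 /f $PfxPath /p $PfxPassword /v $AppxPath
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# /pa applies the default Authenticode policy, so this succeeds only when the
# signing chain builds to a root this machine trusts (your internal CA root).
& signtool.exe verify /pa /v $AppxPath
if ($LASTEXITCODE -ne 0) { throw "Signature on $AppxPath does not verify (exit code $LASTEXITCODE)" }
"$AppxPath signed and verified"
```

On a shared build server, import the .pfx into the builder's certificate store once and sign with `/sha1 <thumbprint>` instead of `/f` and `/p`, so the PFX password never appears on a command line or in build logs.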


Configure Group Policy

In order to deploy a Windows 8 application by sideloading, the computer receiving the package must either have a developer license (used for testing purposes only) or the appropriate local/group policy setting that allows trusted applications to be installed.

Open Group Policy Management

· Right click where you want to link the new Group Policy

· Click Create a GPO in this domain and Link it here…

Note: The Windows 8 systems must be located within the OU or domain where the new GPO is being linked.


On the new GPO screen

· Name the GPO appropriately

· Click OK


On the GPMC

· Right click the new policy

· Click Edit…


On the Group Policy Management Editor screen

· Expand Computer Configuration > Policies > Administrative Templates > Windows Components > App Package Deployment

· Right Click Allow all trusted apps to install > Click Edit


On Allow trusted apps to install screen

· Select Enabled

· Click OK
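To confirm on a target computer that the policy above has applied before sideloading, this added example (not from the original post) reads the registry value the "Allow all trusted apps to install" setting writes and then installs the signed package with Add-AppxPackage. Run it elevated after a gpupdate /force; the package path and name are placeholders.

```powershell
# Added example (not from the original post). Path and name are placeholders.
$AppxPath    = 'C:\Deploy\MyApp_1.0.0.0_AnyCPU.appx'
$PackageName = 'MyApp'

# The GPO setting is delivered as this policy registry value (DWORD 1 = Enabled).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx'
$allow = (Get-ItemProperty -Path $policyKey -Name AllowAllTrustedApps -ErrorAction SilentlyContinue).AllowAllTrustedApps
if ($allow -ne 1) {
    throw "Sideloading policy not applied (AllowAllTrustedApps = '$allow'); check the GPO link and scope"
}

# "Trusted" means the package signer chains to a root in the computer's Trusted
# Root Certification Authorities store, so the internal CA root must be there.
# Add-AppxPackage installs the package for the current user only.
try {
    Add-AppxPackage -Path $AppxPath -ErrorAction Stop
    Get-AppxPackage -Name $PackageName | Select-Object Name, Version, Publisher, PackageFullName
} catch {
    throw "Install of $AppxPath failed: $($_.Exception.Message)"
}
```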



This post was contributed by John Taylor, a Senior Consultant with Microsoft National IT Operational Consulting – US.

Disclaimer: The information on this site is provided "AS IS" with no warranties, confers no rights, and is not supported by the authors or Microsoft Corporation. Use of included script samples are subject to the terms specified in the Terms of Use .
