catinkayak
Jun 07, 2023 · Copper Contributor
Is it true that users need to uninstall and reinstall when the certificate changes?
Hi MSIX team,
Can you please assist and provide clarity. I am new to MSIX, and I am considering the technology, mostly because of the auto updates and security.
I have one concern which I would like to clarify. My concern is what happens to applications that require updating, but where the certificate has expired? What is the experience for the end user?
Is it true that users would need to uninstall the application and then manually re-install in order to receive updates, because that is the only way to receive a new certificate, and therefore the application will not receive updates once the certificate expires?
Meaning once the certificate expires, you have no means to update the user, without user intervention - auto updates are limited to while the certificate is valid.
Also please highlight if this applies to both Windows 10 and Windows 11.
Thank you.
I have watched the video below, and I feel some points may no longer be valid.
- Warning: Not an official answer.
If the Subject field of the certificate (AKA Publisher Name) is identical in the new certificate, the process is as simple as signing with the new certificate. Unfortunately, for public certificates, the standards for what the CA will put into that field have been changing over the last few years, which causes this issue.
Microsoft has created a method for the generator of a package to be able to replace the certificate with one using a different Subject field in a new version of the package, and retain upgrade capability. This process requires that a step be taken BEFORE the old certificate expires. See https://learn.microsoft.com/en-us/windows/msix/package/persistent-identity
I personally find this a possible solution, but not very workable in practice. So I just tell my customers taking the packages from my site rather than the Microsoft Store (which avoids this problem since they are their own CA) to uninstall/install once a year.
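Added example, not part of the thread and not Microsoft's code: a pre-renewal check for the condition the answer above describes, that the new certificate's Subject is identical to the package's Publisher. It reads the `Publisher` attribute of the `Identity` element from `AppxManifest.xml` inside the package and compares it with a Subject string you supply; the sample package, the Contoso names and the exact-string comparison rule are assumptions made for the example.

```python
import io, re, zipfile
import xml.etree.ElementTree as ET

def build_sample_package(publisher):
    """Constructed stand-in for a shipped package: a ZIP holding only a manifest."""
    manifest = (
        '<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10">'
        f'<Identity Name="Contoso.Sample" Version="1.0.0.0" Publisher="{publisher}"/>'
        '</Package>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AppxManifest.xml", manifest)
    return buf.getvalue()

def manifest_publisher(package_bytes):
    """Return Identity/@Publisher from AppxManifest.xml in an MSIX (a ZIP container)."""
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as z:
        root = ET.fromstring(z.read("AppxManifest.xml"))
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "Identity":  # ignore the XML namespace
            return el.attrib["Publisher"]
    raise ValueError("no Identity element in AppxManifest.xml")

def split_dn(dn):
    """Split a distinguished name into (TYPE, value) pairs, keeping quoted commas intact."""
    pairs = []
    for part in re.findall(r'(?:[^,"]|"[^"]*")+', dn):
        key, _, value = part.strip().partition("=")
        pairs.append((key.strip().upper(), value.strip()))
    return pairs

def compare(publisher, new_subject):
    """Assumption: only an exact string match counts as 'identical'.
    On mismatch, list removed (-) and added (+) components; an empty list
    means the strings differ only in spacing or attribute-type case."""
    if publisher == new_subject:
        return True, []
    old, new = split_dn(publisher), split_dn(new_subject)
    diff = [f"-{k}={v}" for k, v in old if (k, v) not in new]
    diff += [f"+{k}={v}" for k, v in new if (k, v) not in old]
    return False, diff

if __name__ == "__main__":
    pkg = build_sample_package("CN=Contoso Software, O=Contoso, C=US")
    print(compare(manifest_publisher(pkg), "CN=Contoso Software, O=Contoso, S=Washington, C=US"))
```

A mismatch reported while the old certificate is still valid is the point at which the persistent-identity step linked in the answer has to be taken.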