catinkayak
Jun 07, 2023
Solved

Is it true that users need to uninstall and reinstall when the certificate changes?

Hi MSIX team, Can you please assist and provide clarity. I am new to MSIX, and I am considering the technology, mostly because of the auto updates and security. I have one concern which I woul...
  • TIMOTHY_MANGAN
    Jun 11, 2023
    Warning: Not an official answer.

    If the Subject field of the certificate (AKA Publisher Name) is identical in the new certificate, the process is as simple as signing with the new certificate. Unfortunately, for public certificates, the standards for what the CA will put into that field have been changing over the last few years, which causes this issue.

    Microsoft has created a method for the generator of a package to be able to replace the certificate with one using a different Subject field in a new version of the package, and retain upgrade capability. This process requires that a step be taken BEFORE the old certificate expires. See https://learn.microsoft.com/en-us/windows/msix/package/persistent-identity

    I personally find this a possible solution, but not very workable in practice. So I just tell my customers taking the packages from my site rather than the Microsoft Store (which avoids this problem since they are their own CA) to uninstall/install once a year.
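
A pre-signing check for the condition described in the reply above, as an added example that is not part of the thread or of Microsoft's tooling: it compares the Subject of the old and new signing certificates and reports how much time remains before the old one expires. The file paths and function names are hypothetical, and the case-sensitive string comparison is a conservative assumption.

```powershell
# Added example. Paths are placeholders (assumptions): point them at the
# exported public certificates (.cer) of the old and new signing identities.
param(
    [string]$OldCertPath = '.\old-signing.cer',
    [string]$NewCertPath = '.\new-signing.cer'
)

function Get-SigningCert {
    param([Parameter(Mandatory)][string]$Path)
    # Load the public certificate from disk; no private key is needed.
    $full = (Resolve-Path -LiteralPath $Path).Path
    [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($full)
}

function Test-PublisherContinuity {
    param(
        [Parameter(Mandatory)]$OldCert,
        [Parameter(Mandatory)]$NewCert,
        [datetime]$Now = (Get-Date)
    )
    # Case-sensitive comparison of the Subject strings (conservative assumption).
    $same     = $OldCert.Subject -ceq $NewCert.Subject
    $daysLeft = [math]::Floor(($OldCert.NotAfter - $Now).TotalDays)
    $action = if ($same) {
        'Subject identical: sign the next version with the new certificate.'
    } elseif ($OldCert.NotAfter -gt $Now) {
        "Subject differs: the persistent-identity step has to be done before the old certificate expires ($daysLeft full day(s) left)."
    } else {
        'Subject differs and the old certificate has expired: the step described in the reply can no longer be taken in time.'
    }
    [pscustomobject]@{
        OldSubject  = $OldCert.Subject
        NewSubject  = $NewCert.Subject
        SameSubject = $same
        OldExpires  = $OldCert.NotAfter
        Action      = $action
    }
}

$old = Get-SigningCert -Path $OldCertPath
$new = Get-SigningCert -Path $NewCertPath
Test-PublisherContinuity -OldCert $old -NewCert $new | Format-List
```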
