How to create CSR for MSIX Packaging

%3CLINGO-SUB%20id%3D%22lingo-sub-548270%22%20slang%3D%22en-US%22%3EHow%20to%20create%20CSR%20for%20MSIX%20Packaging%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-548270%22%20slang%3D%22en-US%22%3E%3CP%3EHello%20-%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EOur%20company%20is%20deciding%20to%20move%20to%20MSIX.%20We%20spoke%20to%20the%20admins%20and%20they%20are%20ready%20to%20provide%20code%20signing%20cert%20but%20they%20need%20the%20CN%20for%20raising%20the%20CSR.%20They%20say%20it%20needs%20to%20be%20a%20server%20name%20but%20we%20dont%20know%20what%20that%20might%20be.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECan%20someone%20please%20suggest%20what%20should%20be%20the%20CN%20when%20raising%20the%20CSR%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-549675%22%20slang%3D%22en-US%22%3ERE%3A%20How%20to%20create%20CSR%20for%20MSIX%20Packaging%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-549675%22%20slang%3D%22en-US%22%3EYour%20admins%20don't%20understand%20the%20difference%20between%20a%20server%20certificate%20and%20a%20code%20signing%20certificate.%20If%20you%20are%20creating%20a%20%22self%20signed%22%20code%20signing%20certificate%20using%20the%20Active%20Directory%20Certificate%20Services%2C%20the%20CN%20is%20something%20you%20make%20up%2C%20such%20as%20%22CN%3DCompanyName%22%20where%20CompanyName%20is%20the%20name%20of%20your%20company.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-556994%22%20slang%3D%22en-US%22%3ERe%3A%20RE%3A%20How%20to%20create%20CSR%20for%20MSIX%20Packaging%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-556994%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F146612%22%20target%3D%22_blank%22%3E%40TIMOTHY%20MANGAN%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20so%20much.%20Just%20so%20that%20its%20clear%2C%20we%20follow%20this%20and%20just%20change%20the%20CN%20to%20company%20name.%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fknowledge.digicert.com%2Fsolution%2FSO29005.html%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ehttps%3A%2F%2Fknowledge.digicert.com%2Fsolution%2FSO29005.html%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAnd%20when%20you%20say%20%22self%20signed%22%20using%20AD%20CS%20you%20mean%20cert%20created%20using%20our%20internal%20CA%20and%20not%20a%203rd%20party%20service.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESorry%20for%20being%20such%20a%20layman!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-557111%22%20slang%3D%22en-US%22%3ERe%3A%20RE%3A%20How%20to%20create%20CSR%20for%20MSIX%20Packaging%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-557111%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F319227%22%20target%3D%22_blank%22%3E%40Chanderjeet%3C%2FA%3E%26nbsp%3B%20Yes.%26nbsp%3B%20Generally%20you%20can%20ignore%20the%20OU%3D%20and%20the%20like%3B%20you%20only%20need%20the%20CN%3D.%26nbsp%3B%20What%20is%20important%20is%20that%20whatever%20you%20put%20in%20that%20field%20you%20need%20to%20match%20it%20up.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-557116%22%20slang%3D%22en-US%22%3ERe%3A%20RE%3A%20How%20to%20create%20CSR%20for%20MSIX%20Packaging%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-557116%22%20slang%3D%22en-US%22%3EAnd%20Sir%2C%20match%20it%20up%20how%20and%20with%20what.%3CBR%20%2F%3E%3CBR%20%2F%3EExample%2C%20we%20create%20a%20CSR%20with%20%22CN%3DMonkeyMan%20Inc%22%20---%20now%20this%20CN%20will%20be%20looked%20up%20on%20the%20CA%20servers%3F%20How%20can%20we%20know%20that%20that%20the%20CN%20we%20are%20using%20is%20%22lookupable%22%20%3F%3CBR%20%2F%3E%3CBR%20%2F%3EThanks%20for%20helping!%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1158800%22%20slang%3D%22en-US%22%3ERe%3A%20RE%3A%20How%20to%20create%20CSR%20for%20MSIX%20Packaging%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1158800%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F319227%22%20target%3D%22_blank%22%3E%40Chanderjeet%3C%2FA%3E%26nbsp%3Bthe%20packages%20you%20create%20will%20have%20a%20publisher%20name%20set%2C%20e.g.%20CN%3DContoso.%20That%20will%20need%20to%20match%20up%20with%20the%20name%20set%20when%20you%20generated%20your%20self-signed%20certificate.%3C%2FP%3E%3C%2FLINGO-BODY%3E
New Contributor

Hello -

 

Our company is deciding to move to MSIX. We spoke to the admins and they are ready to provide code signing cert but they need the CN for raising the CSR. They say it needs to be a server name but we dont know what that might be.

 

Can someone please suggest what should be the CN when raising the CSR?

5 Replies
Your admins don't understand the difference between a server certificate and a code signing certificate. If you are creating a "self signed" code signing certificate using the Active Directory Certificate Services, the CN is something you make up, such as "CN=CompanyName" where CompanyName is the name of your company.

@TIMOTHY MANGAN 

 

Thanks so much. Just so that its clear, we follow this and just change the CN to company name. 

https://knowledge.digicert.com/solution/SO29005.html

 

And when you say "self signed" using AD CS you mean cert created using our internal CA and not a 3rd party service.

 

Sorry for being such a layman!

@Chanderjeet  Yes.  Generally you can ignore the OU= and the like; you only need the CN=.  What is important is that whatever you put in that field you need to match it up.

And Sir, match it up how and with what.

Example, we create a CSR with "CN=MonkeyMan Inc" --- now this CN will be looked up on the CA servers? How can we know that that the CN we are using is "lookupable" ?

Thanks for helping!

@Chanderjeet the packages you create will have a publisher name set, e.g. CN=Contoso. That will need to match up with the name set when you generated your self-signed certificate.