Certificate used for creating MSIX during enterprise deployment


Hi Team,

 

We are using self-signed certificates for creating MSIX packages during the POC, but a self-signed certificate cannot be used for enterprise deployments. What should the option be for signing the certificates in the production environment: does the vendor have to provide the certificate, or the client?

 

@John Vintzel  @TIMOTHY MANGAN 

 

 


@GauravTamkoria I guess you might need to explain your issue in more detail?

 

I do not see a problem with an enterprise repackaging a vendor application for MSIX and signing with a self-signed certificate.  I have not found a way to effectively use a timestamping service when using self-signed (although perhaps MS could add that to AD Certificate Authority services), so I would advise setting a very long-term expiration on the certificate.  But if you sign with that, you can use something like Group Policy or Config Manager (or probably Intune) to deploy the certificate.

 

The certificate must be installed into the local machine certificate store of the computers/VMs that need the apps, and specifically into the root certificate store. Then you are good to go.  I would recommend using a single certificate for all of your repackaged apps, and the self-signed cert should be password protected for signing purposes.

 

Oh, and you have to enable side-loading on the computers/VMs.  This too can be done via GPO or SCCM.

 

Public CA code signing certs are also a possibility, but unless you want to distribute outside of your own organization I don't see the need to go that way.

 

---

 

Perhaps I misunderstand the question and you are a software vendor.  In that case if the package is going into the Windows Store you have to use a developer certificate you acquire from Microsoft via your corporate developer account, then use that signed version in your store submission and Microsoft does the rest.  If you plan to sign and deliver to customers outside of the Microsoft store, you will want to purchase a paid-for code signing certificate from a reputable CA. (note: Personally I don't think you need the EV level, but that's for you to decide).  The key is that your self-signed cert used for the initial testing must have the same subject field ("CN=xxx") that your public cert uses and is in the AppxManifest.xml file Publisher field.  Double signing this way is OK.

Tim
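The procedure Tim describes, as an added example rather than code from the thread: one long-lived, password-protected self-signed certificate reused for every repackaged app, a check that the manifest Publisher matches the certificate subject before signing, the signature itself, and then the client-side steps (certificate into the local machine Root store, sideloading enabled as the "Allow all trusted apps to install" policy does, signature verified, package installed). The subject name, file paths and the SignTool location are assumptions for illustration; adjust them for your environment. Step 4 is what Group Policy, ConfigMgr or Intune would carry out on each client.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Names and paths are assumptions.

$Subject  = 'CN=Contoso App Packaging'            # must equal Identity/@Publisher in AppxManifest.xml
$PfxPath  = 'C:\Packaging\ContosoPackaging.pfx'   # private key + password: stays on the packaging box
$CerPath  = 'C:\Packaging\ContosoPackaging.cer'   # public part: this is what clients receive
$MsixPath = 'C:\Packaging\VendorApp.msix'         # output of the repackaging tool, not yet signed
$signtool = 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64\signtool.exe'  # assumed SDK path

# 1. One self-signed, non-CA, code-signing-only certificate with a long lifetime.
#    2.5.29.37 = Extended Key Usage (1.3.6.1.5.5.7.3.3 = Code Signing)
#    2.5.29.19 = Basic Constraints, left empty so the certificate cannot act as a CA
$cert = New-SelfSignedCertificate -Type Custom -Subject $Subject `
    -KeyUsage DigitalSignature -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(10) -CertStoreLocation 'Cert:\CurrentUser\My' `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.3', '2.5.29.19={text}')

# Password-protected PFX as the long-term copy of the signing key; .cer for deployment.
$PfxPassword = Read-Host -AsSecureString -Prompt 'Password for the exported PFX'
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $PfxPassword | Out-Null
Export-Certificate    -Cert $cert -FilePath $CerPath | Out-Null

# 2. The manifest Publisher has to match the certificate Subject exactly.
#    An .msix is a zip, so read AppxManifest.xml straight out of it.
Add-Type -AssemblyName System.IO.Compression.FileSystem
$zip = [System.IO.Compression.ZipFile]::OpenRead($MsixPath)
try {
    $reader = New-Object System.IO.StreamReader($zip.GetEntry('AppxManifest.xml').Open())
    [xml]$manifest = $reader.ReadToEnd()
    $reader.Dispose()
} finally {
    $zip.Dispose()
}
$publisher = $manifest.Package.Identity.Publisher
if ($publisher -ne $cert.Subject) {
    throw "Manifest Publisher '$publisher' does not match certificate Subject '$($cert.Subject)'"
}

# 3. Sign with SignTool, selecting the key from the CurrentUser\My store by thumbprint
#    (no PFX password on the command line). No /tr: the post leaves timestamping out.
& $signtool sign /fd SHA256 /sha1 $cert.Thumbprint $MsixPath
if ($LASTEXITCODE -ne 0) { throw "signtool failed with exit code $LASTEXITCODE" }

# 4. On each client (what GPO / ConfigMgr / Intune would do): trust the public cert
#    machine-wide in the Root store and allow sideloading of trusted packages.
Import-Certificate -FilePath $CerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
$appxPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx'
New-Item -Path $appxPolicy -Force | Out-Null
Set-ItemProperty -Path $appxPolicy -Name 'AllowAllTrustedApps' -Value 1 -Type DWord

# 5. Confirm the package signature chains to something this machine trusts, then install.
$sig = Get-AuthenticodeSignature -FilePath $MsixPath
if ($sig.Status -ne 'Valid') {
    throw "Signature is not trusted on this machine: $($sig.Status) ($($sig.StatusMessage))"
}
"Signed by: $($sig.SignerCertificate.Subject)"
Add-AppxPackage -Path $MsixPath
```

Two points worth keeping in mind with this setup. The Publisher comparison in step 2 is a strict string comparison so the two values stay byte-identical; this is the mismatch the advice about "CN=xxx" and the Publisher field is guarding against, and it also applies when a vendor later re-signs with a public CA certificate carrying the same subject. And because a certificate in LocalMachine\Root is trusted by every application on the client, the empty Basic Constraints extension and the Code Signing EKU in step 1 are what keep that trust limited to code signing rather than letting the key issue certificates for anything else.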