Windows Application Packaging Project - cannot select code signing certificate

%3CLINGO-SUB%20id%3D%22lingo-sub-2895981%22%20slang%3D%22en-US%22%3EWindows%20Application%20Packaging%20Project%20-%20cannot%20select%20code%20signing%20certificate%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2895981%22%20slang%3D%22en-US%22%3E%3CH2%20id%3D%22toc-hId--320089104%22%20id%3D%22toc-hId--320089102%22%20id%3D%22toc-hId--320089102%22%20id%3D%22toc-hId--320089102%22%3E%3CFONT%20size%3D%223%22%3E%3CSPAN%3EVisual%20Studio%202019%2016.11.5.%20WPF%20project%20.NET%20Framework%204.8.%20I%20can%20deploy%20via%20ClickOnce%20with%20a%20code%20signing%20certificate%20I%20purchased.%20When%20I%20add%20a%20Windows%20Application%20Packaging%20Project%20to%20my%20solution%20to%20create%20an%20MSIX%20and%20open%20the%20appxmanifest%20dialog%2C%20on%20the%20Packaging%20tab%2C%20I%20click%20%22Choose%20Certificate...%22%20and%20%22Select%20from%20store...%22.%20The%20dialog%20says%2C%20%22No%20certificate%20available%22.%20If%20I%20choose%20%22Select%20from%20file...%22%2C%20choose%20the%20.pfx%20and%20enter%20the%20password%2C%20the%20dialog%20says%2C%20%22The%20Manifest%20Desinger%20could%20not%20import%20the%20certificate.%20The%20certificate%20you%20selected%20is%20not%20valid%20for%20signing%20because%20it%20is%20either%20expired%20or%20has%20another%20issue.%20for%20more%20information%20see%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22http%3A%2F%2Fgo.microsoft.com%2Ffwlink%2F%3FLinkID%3D241478%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttp%3A%2F%2Fgo.microsoft.com%2Ffwlink%2F%3FLinkID%3D241478%3C%2FA%3E%3CSPAN%3E%22.%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FH2%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CDIV%20class%3D%22%22%3E%3CP%3E%3CFONT%20size%3D%223%22%3EThe%20certificate%20was%20purchased%20from%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22http%3A%2F%2Fssl.com%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3ESSL.com%3C%2FA%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Especifically%20for%20code%20signing%20and%2C%20as%20stated%20above%2C%20works%20for%20ClickOnce.%20The%20article%20above%20says%20this%3A%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%3CFONT%20size%3D%223%22%3E%3CSPAN%20class%3D%22%22%3EValidating%3C%2FSPAN%3E%20%3CSPAN%20class%3D%22%22%3ECertificates%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%3CFONT%20size%3D%223%22%3E%3CSPAN%20class%3D%22%22%3EDuring%3C%2FSPAN%3E%3CSPAN%20class%3D%22%22%3E%20packaging%3C%2FSPAN%3E%3CSPAN%20class%3D%22%22%3E%2C%3C%2FSPAN%3E%20%3CSPAN%20class%3D%22%22%3EVisual%3C%2FSPAN%3E%20%3CSPAN%20class%3D%22%22%3EStudio%3C%2FSPAN%3E%3CSPAN%20class%3D%22%22%3E%20validates%20the%20specified%20certificate%20%3C%2FSPAN%3E%3CSPAN%20class%3D%22%22%3Ein%3C%2FSPAN%3E%3CSPAN%20class%3D%22%22%3E%20the%20following%20ways%3C%2FSPAN%3E%3CSPAN%20class%3D%22%22%3E%3A%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%3CFONT%20size%3D%223%22%3E-%20%3CSPAN%20class%3D%22%22%3EVerifies%3C%2FSPAN%3E%3CSPAN%20class%3D%22%22%3E%20the%20presence%20%3C%2FSPAN%3E%3CSPAN%20class%3D%22%22%3Eof%3C%2FSPAN%3E%3CSPAN%20class%3D%22%22%3E%20the%20%3C%2FSPAN%3E%3CSPAN%20class%3D%22%22%3EBasic%3C%2FSPAN%3E%20%3CSPAN%20class%3D%22%22%3EConstraints%3C%2FSPAN%3E%3CSPAN%20class%3D%22%22%3E%20extension%20%3C%2FSPAN%3E%3CSPAN%20class%3D%22%22%3Eand%3C%2FSPAN%3E%3CSPAN%20class%3D%22%22%3E%20its%20%3C%2FSPAN%3E%3CSPAN%20class%3D%22%22%3Evalue%3C%2FSPAN%3E%3CSPAN%20class%3D%22%22%3E%2C%3C%2FSPAN%3E%3CSPAN%20class%3D%22%22%3E%20which%20must%20be%20either%20%3C%2FSPAN%3E%3CSPAN%20class%3D%22%22%3ESubject%3C%2FSPAN%3E%20%3CSPAN%20class%3D%22%22%3EType%3C%2FSPAN%3E%3CSPAN%20class%3D%22%22%3E%3D%3C%2FSPAN%3E%3CSPAN%20class%3D%22%22%3EEnd%3C%2FSPAN%3E%20%3CSPAN%20class%3D%22%22%3EEntity%3C%2FSPAN%3E%20%3CSPAN%20class%3D%22%22%3Eor%3C%2FSPAN%3E%3CSPAN%20class%3D%22%22%3E%20unspecified%3C%2FSPAN%3E%3CSPAN%20class%3D%22%22%3E.%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%3CFONT%20size%3D%223%22%3E%3CSPAN%20class%3D%22%22%3E-%3C%2FSPAN%3E%20%3CSPAN%20class%3D%22%22%3EVerifies%3C%2FSPAN%3E%3CSPAN%20class%3D%22%22%3E%20the%20%3C%2FSPAN%3E%3CSPAN%20class%3D%22%22%3Evalue%3C%2FSPAN%3E%20%3CSPAN%20class%3D%22%22%3Eof%3C%2FSPAN%3E%3CSPAN%20class%3D%22%22%3E%20the%20%3C%2FSPAN%3E%3CSPAN%20class%3D%22%22%3EEnhanced%3C%2FSPAN%3E%20%3CSPAN%20class%3D%22%22%3EKey%3C%2FSPAN%3E%20%3CSPAN%20class%3D%22%22%3EUsage%3C%2FSPAN%3E%20%3CSPAN%20class%3D%22%22%3Eproperty%3C%2FSPAN%3E%3CSPAN%20class%3D%22%22%3E%2C%3C%2FSPAN%3E%3CSPAN%20class%3D%22%22%3E%20which%20must%20contain%20%3C%2FSPAN%3E%3CSPAN%20class%3D%22%22%3ECode%3C%2FSPAN%3E%20%3CSPAN%20class%3D%22%22%3ESigning%3C%2FSPAN%3E%20%3CSPAN%20class%3D%22%22%3Eand%3C%2FSPAN%3E%3CSPAN%20class%3D%22%22%3E%20may%20also%20contain%20%3C%2FSPAN%3E%3CSPAN%20class%3D%22%22%3ELifetime%3C%2FSPAN%3E%20%3CSPAN%20class%3D%22%22%3ESigning%3C%2FSPAN%3E%3CSPAN%20class%3D%22%22%3E.%3C%2FSPAN%3E%20%3CSPAN%20class%3D%22%22%3EAny%3C%2FSPAN%3E%3CSPAN%20class%3D%22%22%3E%20other%20%3C%2FSPAN%3E%3CSPAN%20class%3D%22%22%3EEKUs%3C%2FSPAN%3E%3CSPAN%20class%3D%22%22%3E%20are%20prohibited%3C%2FSPAN%3E%3CSPAN%20class%3D%22%22%3E.%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%3CFONT%20size%3D%223%22%3E%3CSPAN%20class%3D%22%22%3E-%3C%2FSPAN%3E%20%3CSPAN%20class%3D%22%22%3EVerifies%3C%2FSPAN%3E%3CSPAN%20class%3D%22%22%3E%20the%20%3C%2FSPAN%3E%3CSPAN%20class%3D%22%22%3Evalue%3C%2FSPAN%3E%20%3CSPAN%20class%3D%22%22%3Eof%3C%2FSPAN%3E%3CSPAN%20class%3D%22%22%3E%20the%20%3C%2FSPAN%3E%3CSPAN%20class%3D%22%22%3EKey%3C%2FSPAN%3E%20%3CSPAN%20class%3D%22%22%3EUsage%3C%2FSPAN%3E%20%3CSPAN%20class%3D%22%22%3E(%3C%2FSPAN%3E%3CSPAN%20class%3D%22%22%3EKU%3C%2FSPAN%3E%3CSPAN%20class%3D%22%22%3E)%3C%2FSPAN%3E%20%3CSPAN%20class%3D%22%22%3Eproperty%3C%2FSPAN%3E%3CSPAN%20class%3D%22%22%3E%2C%3C%2FSPAN%3E%3CSPAN%20class%3D%22%22%3E%20which%20must%20be%20either%20%3C%2FSPAN%3E%3CSPAN%20class%3D%22%22%3EUnset%3C%2FSPAN%3E%20%3CSPAN%20class%3D%22%22%3Eor%3C%2FSPAN%3E%20%3CSPAN%20class%3D%22%22%3EDigitalSignature%3C%2FSPAN%3E%3CSPAN%20class%3D%22%22%3E.%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%3CFONT%20size%3D%223%22%3E%3CSPAN%20class%3D%22%22%3E-%3C%2FSPAN%3E%20%3CSPAN%20class%3D%22%22%3EVerifies%3C%2FSPAN%3E%3CSPAN%20class%3D%22%22%3E%20the%20existence%20%3C%2FSPAN%3E%3CSPAN%20class%3D%22%22%3Eof%3C%2FSPAN%3E%3CSPAN%20class%3D%22%22%3E%20a%20%3C%2FSPAN%3E%3CSPAN%20class%3D%22%22%3Eprivate%3C%2FSPAN%3E%3CSPAN%20class%3D%22%22%3E%20key%20exists%3C%2FSPAN%3E%3CSPAN%20class%3D%22%22%3E.%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%3CFONT%20size%3D%223%22%3E%3CSPAN%20class%3D%22%22%3E-%3C%2FSPAN%3E%20%3CSPAN%20class%3D%22%22%3EVerifies%3C%2FSPAN%3E%3CSPAN%20class%3D%22%22%3E%20whether%20the%20certificate%20%3C%2FSPAN%3E%3CSPAN%20class%3D%22%22%3Eis%3C%2FSPAN%3E%3CSPAN%20class%3D%22%22%3E%20active%3C%2FSPAN%3E%3CSPAN%20class%3D%22%22%3E%2C%3C%2FSPAN%3E%3CSPAN%20class%3D%22%22%3E%20hasn%3C%2FSPAN%3E%3CSPAN%20class%3D%22%22%3E%E2%80%99%3C%2FSPAN%3E%3CSPAN%20class%3D%22%22%3Et%20expired%3C%2FSPAN%3E%3CSPAN%20class%3D%22%22%3E%2C%3C%2FSPAN%3E%20%3CSPAN%20class%3D%22%22%3Eand%3C%2FSPAN%3E%3CSPAN%20class%3D%22%22%3E%20hasn%3C%2FSPAN%3E%3CSPAN%20class%3D%22%22%3E't%20been%20revoked.%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FP%3E%3CBR%20%2F%3E%3CP%3E%3CFONT%20size%3D%223%22%3EInspecting%20the%20certificate%20through%20the%20certmgr%20mmc%3A%3C%2FFONT%3E%3C%2FP%3E%3CDIV%20class%3D%22%22%3E%26nbsp%3B%3C%2FDIV%3E%3CP%3E%3CFONT%20size%3D%223%22%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22CertMgr.png%22%20style%3D%22width%3A%20710px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F320841i49F04039AD5D140F%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22CertMgr.png%22%20alt%3D%22CertMgr.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CFONT%20size%3D%223%22%3EI%20don't%20see%20%22Basic%20Constraints%22%20in%20the%20certificate.%20Is%20that%20the%20problem%3F%20Do%20I%20have%20to%20specifically%20request%20this%20from%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22http%3A%2F%2Fssl.com%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3ESSL.com%3C%2FA%3E%3F%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20size%3D%223%22%3EEnhanced%20Key%20Usage%20is%20set%20to%20%22Code%20Signing%20(1.3.6.1.5.5.7.3.3)%22%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20size%3D%223%22%3EKey%20Usage%20is%20set%20to%20%22Digital%20Signature%20(80)%22%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20size%3D%223%22%3EI'm%20not%20sure%20how%20to%20tell%20if%20a%20private%20key%20exists.%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20size%3D%223%22%3EThe%20certificate%20is%20active%20and%20not%20expired.%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CFONT%20size%3D%223%22%3EPlease%20help.%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22http%3A%2F%2Fssl.com%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3ESSL.com%3C%2FA%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Eswears%20we%20shouldn't%20need%20anything%20else.%20Self-signing%20is%20covered%20very%20well%20in%20documentation%2C%20but%20public%20certificates%20are%20barely%20mentioned.%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%3CFONT%20size%3D%223%22%3EThank%20you%2C%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20size%3D%223%22%3EMike%3C%2FFONT%3E%3C%2FP%3E%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2901153%22%20slang%3D%22en-US%22%3ERe%3A%20Windows%20Application%20Packaging%20Project%20-%20cannot%20select%20code%20signing%20certificate%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2901153%22%20slang%3D%22en-US%22%3EI'm%20not%20sure%20what%20is%20wrong%20in%20your%20case%2C%20but%20in%20my%20certs%20from%20both%20Digicert%20and%20Sectigo%20both%20have%20a%20field%20called%20%22Basic%20Constraints%22.%20The%20value%20in%20mine%20is%20%22Subject%20Type%3DEnd%20Entity%2C%20Path%20Length%20Constraint%3DNone%22.%3C%2FLINGO-BODY%3E
New Contributor

Visual Studio 2019 16.11.5. WPF project .NET Framework 4.8. I can deploy via ClickOnce with a code signing certificate I purchased. When I add a Windows Application Packaging Project to my solution to create an MSIX and open the appxmanifest dialog, on the Packaging tab, I click "Choose Certificate..." and "Select from store...". The dialog says, "No certificate available". If I choose "Select from file...", choose the .pfx and enter the password, the dialog says, "The Manifest Desinger could not import the certificate. The certificate you selected is not valid for signing because it is either expired or has another issue. for more information see http://go.microsoft.com/fwlink/?LinkID=241478".

 

The certificate was purchased from SSL.com specifically for code signing and, as stated above, works for ClickOnce. The article above says this:

Validating Certificates

During packaging, Visual Studio validates the specified certificate in the following ways:

- Verifies the presence of the Basic Constraints extension and its value, which must be either Subject Type=End Entity or unspecified.

- Verifies the value of the Enhanced Key Usage property, which must contain Code Signing and may also contain Lifetime Signing. Any other EKUs are prohibited.

- Verifies the value of the Key Usage (KU) property, which must be either Unset or DigitalSignature.

- Verifies the existence of a private key exists.

- Verifies whether the certificate is active, hasnt expired, and hasn't been revoked.


Inspecting the certificate through the certmgr mmc:

 

CertMgr.png

 

I don't see "Basic Constraints" in the certificate. Is that the problem? Do I have to specifically request this from SSL.com?
Enhanced Key Usage is set to "Code Signing (1.3.6.1.5.5.7.3.3)"
Key Usage is set to "Digital Signature (80)"
I'm not sure how to tell if a private key exists.
The certificate is active and not expired.

 

Please help. SSL.com swears we shouldn't need anything else. Self-signing is covered very well in documentation, but public certificates are barely mentioned.

Thank you,
Mike

2 Replies
I'm not sure what is wrong in your case, but in my certs from both Digicert and Sectigo both have a field called "Basic Constraints". The value in mine is "Subject Type=End Entity, Path Length Constraint=None".

Thanks @TIMOTHY MANGAN Is it just me or does anyone else think it's nuts that there are no specs for public signing certificates for MSIX and that the tooling give you no indication of what's wrong when it doesn't work.