No Upgrade Scenario when Certificate Expires


Let's say you create a package (, sign it, and deploy it.  6 months later you create an update (, keep the package name the same and use the same cert to sign it.


Then prior to the next release of your software your certificate expires, so you go out and purchase a new one, keeping the same "Subject/Publisher". And now you want to release a new version of your package.  You can keep the package name the same, up the version string, and create version


On a system with version 1 installed, if you install version 2 it  updates version 1. If you then install version 2, it does not work as an upgrade; the app is installed side by side. 


This is not a desired outcome, and should be addressed.

6 Replies



Lineage will continue if the publisher name is the same.  I suspect that in your scenario the publisher field in the manifest might be different, causing an issue and change to identity.  I think your feedback is there a way to keep continuity with my app in these situations?  If so that is great feedback and recommend that it be added to the ideas section.


John Vintzel (@jvintzel)
Program Manager Lead, MSIX

Hi Tim,

Did John's comment resolve your issue? Please let us know if you are still facing this. :)

Sushant Bansal (@susbansal)
Product Manager, MSIX

No. The issue is that the publisher name must change in some situations.  Examples include:

  • My case where the public CAs changed their standards to what goes into the subject field of the purchased public certificate.  Which happened to me two years in a row.
  • Mergers and Aquisitions.

Subsequently, Microsoft introduced a method to support the upgrade scenario where the cert subject field changes, however this solution is often not possible.  That solution requires creating and signing a new file using the old certificate. But that must be done prior to the old certificate expiring.


As the paid for certificate is only good for a year (even if you purchase a "3-year" certificate, it is actually 3 1-year certificates), you don't want to get the new certificate until the old one is about to expire, so leaving enough time to get the new cert, discover the change, and figure out how to run that process on every app needing it before expiration is a challenge.  Especially when the cert CA has a glitch and takes a month to deliver the cert.


So, no, we don't have a workable solution other than to tell the users to uninstall/install.

This is great feedback Tim! I will get the team to investigate this.

While it is unfortunate that the public CAs changed their standards, do you think it is a frequently occurring scenario and likely to happen again?

Is it safe to say that most Developers/IT Pros using public CAs will face this issue?


Sushant Bansal (@susbansal)
Product Manager, MSIX

It occurred to me twice in the last three years. This year's renewal went without additional changes, so perhaps it has settled down and they won't change their standards in the future.

Understood - thanks for explaining!


I will create a backlog item for this, and we can pick it up if it becomes a pain point in the future.



Sushant Bansal (@susbansal)

Product Manager, MSIX