Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Discussion Options
- Subscribe to RSS Feed
- Mark Discussion as New
- Mark Discussion as Read
- Pin this Discussion for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Jul 21 2022 03:12 PM
Green doesn't begin to describe my experience with MSIX deployments. I managed to install the MSIX Hero application and pack a directory into a .MSIX file. Now I am trying to sign the package using the UI. There is a drop-down for selecting an installed certificate but have no idea how it is populated. I can see the certificate I want in the "Trusted People" store, but am not sure how to find it in the drop down list. Is there any way to filter or search through the many items in the list? Or am I missing something?
2 Replies
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Jul 28 2022 06:41 AM
@dhillmanOIT MSIX Hero is a third party app and you should consult their documentation.
But in general, most products allowing you to select the code signing certificate for MSIX from the currently installed certificates are looking at the same store as would be required for the app to be installed, namely the System certificate store Trusted Root Certificates.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Jul 29 2022 12:37 AM
@dhillmanOITIf you are serious, you should try testing it with your own self-signed certificate first ( using OpenSSL 3.x or another tool built into Windows. ) Later on you could use a free certificate authority ( for code / script signing, ) or a post-paid option. I edited this in a very basic way, but it should work, given I have similar scripts for generating other self-signed certs. You'd probably have to compile OpenSSL yourself, use MYSYS2 / Cygwin, or a built-in tool that comes with Windows on this list:
Methods of signing scripts -> https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_signing#methods-of-signing-scripts
Create a certificate for package signing -> https://docs.microsoft.com/en-us/windows/msix/package/create-certificate-package-signing
How to: Sign application and deployment manifests -> https://docs.microsoft.com/en-us/visualstudio/ide/how-to-sign-application-and-deployment-manifests
Personal Information Exchange (.pfx) Files -> https://docs.microsoft.com/en-us/windows-hardware/drivers/install/personal-information-exchange---pfx--files
Pvk2Pfx -> https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/pvk2pfx
Sign the app package -> https://docs.microsoft.com/en-us/windows/msix/package/sign-app-package-using-signtool
Sign an MSIX package with Device Guard signing -> https://docs.microsoft.com/en-us/windows/msix/package/signing-package-device-guard-signing
openssl-x509 -> https://www.openssl.org/docs/man3.0/man1/openssl-x509.html
Cape_Of_Our_Penguin_Hero.txt = 4096 characters (4-bit hex, no whitespaces, no dash, etc)
Penguins_Toilet_Seat_Wheels_Always_Burn_Rubber.txt = 521 characters (4-bit hex, no whitespaces, no dash, etc)
Generate EC_secp521r1 ->
Country Name (2 letter code) [AU]:CH
State or Province Name (full name) [Some-State]:Hidden Duck State
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Duck Watermelon Disguise Division
Common Name (e.g. server FQDN or YOUR name) []:Double Rainbow Magpie Abacus
1.) openssl genpkey -genparam -algorithm EC -out EC_521_Param.pem -pkeyopt ec_paramgen_curve:secp521r1 -pkeyopt ec_param_enc:named_curve
2.) openssl ecparam -noout -in EC_521_Param.pem -rand Penguins_Toilet_Seat_Wheels_Always_Burn_Rubber.txt -genkey -out EC_521_Key.pem
3.) openssl req -nodes -x509 -SHA512 -days 22646 -newkey EC:EC_521_Param.pem -key EC_521_Key.pem -out EC_521_Cert.pem
4.) openssl x509 -outform der -in EC_521_Cert.pem -out EC_521_Cert.crt
Generate RSA_4096 ->
Country Name (2 letter code) [AU]:CH
State or Province Name (full name) [Some-State]:Barking Red Squirrel State
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Fluffback Ruffler Squirrels Anonymous
Common Name (e.g. server FQDN or YOUR name) []:Maximum Penguin Sock Gliding
1.) openssl genrsa -rand Cape_Of_Our_Penguin_Hero.txt -out RSA_4096_Key.pem -primes 3 4096
2.) openssl req -nodes -x509 -SHA512 -days 22646 -newkey RSA:4096 -key RSA_4096_Key.pem -out RSA_4096_Cert.pem
3.) openssl x509 -outform der -in RSA_4096_Cert.pem -out RSA_4096_Cert.crt
openssl-pkcs12 -> https://www.openssl.org/docs/man3.0/man1/openssl-pkcs12.html
"This command allows PKCS#12 files (sometimes referred to as PFX files) to be created and parsed. PKCS#12 files are used by several programs including Netscape, MSIE and MS Outlook."
openssl pkcs12 -export -in RSA_4096_Cert.pem -inkey RSA_4096_Key.pem -out RSA_4096_Cert.pfx
openssl pkcs12 -export -in EC_521_Cert.pem -inkey EC_521_Key.pem -out EC_521_Cert.pfxAnother big list from OpenSSL 1_1_1x, just to show you some basic options you have available. The examples I have listed above are still considered secure, but it the limitation is that it's a self-signed certificate for testing. You could look up all the ciphers in this list on the NIST website, and figure out quite quickly which ones are obsolete based on your particular use-case scenario:
# openssl enc -list
-aes-128-cbc -aes-128-cfb -aes-128-cfb1
-aes-128-cfb8 -aes-128-ctr -aes-128-ecb
-aes-128-ofb -aes-192-cbc -aes-192-cfb
-aes-192-cfb1 -aes-192-cfb8 -aes-192-ctr
-aes-192-ecb -aes-192-ofb -aes-256-cbc
-aes-256-cfb -aes-256-cfb1 -aes-256-cfb8
-aes-256-ctr -aes-256-ecb -aes-256-ofb
-aes128 -aes128-wrap -aes192
-aes192-wrap -aes256 -aes256-wrap
-aria-128-cbc -aria-128-cfb -aria-128-cfb1
-aria-128-cfb8 -aria-128-ctr -aria-128-ecb
-aria-128-ofb -aria-192-cbc -aria-192-cfb
-aria-192-cfb1 -aria-192-cfb8 -aria-192-ctr
-aria-192-ecb -aria-192-ofb -aria-256-cbc
-aria-256-cfb -aria-256-cfb1 -aria-256-cfb8
-aria-256-ctr -aria-256-ecb -aria-256-ofb
-aria128 -aria192 -aria256
-bf -bf-cbc -bf-cfb
-bf-ecb -bf-ofb -blowfish
-camellia-128-cbc -camellia-128-cfb -camellia-128-cfb1
-camellia-128-cfb8 -camellia-128-ctr -camellia-128-ecb
-camellia-128-ofb -camellia-192-cbc -camellia-192-cfb
-camellia-192-cfb1 -camellia-192-cfb8 -camellia-192-ctr
-camellia-192-ecb -camellia-192-ofb -camellia-256-cbc
-camellia-256-cfb -camellia-256-cfb1 -camellia-256-cfb8
-camellia-256-ctr -camellia-256-ecb -camellia-256-ofb
-camellia128 -camellia192 -camellia256
-cast -cast-cbc -cast5-cbc
-cast5-cfb -cast5-ecb -cast5-ofb
-chacha20 -des -des-cbc
-des-cfb -des-cfb1 -des-cfb8
-des-ecb -des-ede -des-ede-cbc
-des-ede-cfb -des-ede-ecb -des-ede-ofb
-des-ede3 -des-ede3-cbc -des-ede3-cfb
-des-ede3-cfb1 -des-ede3-cfb8 -des-ede3-ecb
-des-ede3-ofb -des-ofb -des3
-des3-wrap -desx -desx-cbc
-id-aes128-wrap -id-aes128-wrap-pad -id-aes192-wrap
-id-aes192-wrap-pad -id-aes256-wrap -id-aes256-wrap-pad
-id-smime-alg-CMS3DESwrap -rc2 -rc2-128
-rc2-40 -rc2-40-cbc -rc2-64
-rc2-64-cbc -rc2-cbc -rc2-cfb
-rc2-ecb -rc2-ofb -rc4
-rc4-40 -seed -seed-cbc
-seed-cfb -seed-ecb -seed-ofb
-sm4 -sm4-cbc -sm4-cfb
-sm4-ctr -sm4-ecb -sm4-ofb
# openssl list -1 -cipher-algorithms
AES-128-CBC
AES-128-CBC-HMAC-SHA1
AES-128-CBC-HMAC-SHA256
id-aes128-CCM
AES-128-CFB
AES-128-CFB1
AES-128-CFB8
AES-128-CTR
AES-128-ECB
id-aes128-GCM
AES-128-OCB
AES-128-OFB
AES-128-XTS
AES-192-CBC
id-aes192-CCM
AES-192-CFB
AES-192-CFB1
AES-192-CFB8
AES-192-CTR
AES-192-ECB
id-aes192-GCM
AES-192-OCB
AES-192-OFB
AES-256-CBC
AES-256-CBC-HMAC-SHA1
AES-256-CBC-HMAC-SHA256
id-aes256-CCM
AES-256-CFB
AES-256-CFB1
AES-256-CFB8
AES-256-CTR
AES-256-ECB
id-aes256-GCM
AES-256-OCB
AES-256-OFB
AES-256-XTS
aes128 => AES-128-CBC
aes128-wrap => id-aes128-wrap
aes192 => AES-192-CBC
aes192-wrap => id-aes192-wrap
aes256 => AES-256-CBC
aes256-wrap => id-aes256-wrap
ARIA-128-CBC
ARIA-128-CCM
ARIA-128-CFB
ARIA-128-CFB1
ARIA-128-CFB8
ARIA-128-CTR
ARIA-128-ECB
ARIA-128-GCM
ARIA-128-OFB
ARIA-192-CBC
ARIA-192-CCM
ARIA-192-CFB
ARIA-192-CFB1
ARIA-192-CFB8
ARIA-192-CTR
ARIA-192-ECB
ARIA-192-GCM
ARIA-192-OFB
ARIA-256-CBC
ARIA-256-CCM
ARIA-256-CFB
ARIA-256-CFB1
ARIA-256-CFB8
ARIA-256-CTR
ARIA-256-ECB
ARIA-256-GCM
ARIA-256-OFB
aria128 => ARIA-128-CBC
aria192 => ARIA-192-CBC
aria256 => ARIA-256-CBC
bf => BF-CBC
BF-CBC
BF-CFB
BF-ECB
BF-OFB
blowfish => BF-CBC
CAMELLIA-128-CBC
CAMELLIA-128-CFB
CAMELLIA-128-CFB1
CAMELLIA-128-CFB8
CAMELLIA-128-CTR
CAMELLIA-128-ECB
CAMELLIA-128-OFB
CAMELLIA-192-CBC
CAMELLIA-192-CFB
CAMELLIA-192-CFB1
CAMELLIA-192-CFB8
CAMELLIA-192-CTR
CAMELLIA-192-ECB
CAMELLIA-192-OFB
CAMELLIA-256-CBC
CAMELLIA-256-CFB
CAMELLIA-256-CFB1
CAMELLIA-256-CFB8
CAMELLIA-256-CTR
CAMELLIA-256-ECB
CAMELLIA-256-OFB
camellia128 => CAMELLIA-128-CBC
camellia192 => CAMELLIA-192-CBC
camellia256 => CAMELLIA-256-CBC
cast => CAST5-CBC
cast-cbc => CAST5-CBC
CAST5-CBC
CAST5-CFB
CAST5-ECB
CAST5-OFB
ChaCha20
ChaCha20-Poly1305
des => DES-CBC
DES-CBC
DES-CFB
DES-CFB1
DES-CFB8
DES-ECB
DES-EDE
DES-EDE-CBC
DES-EDE-CFB
des-ede-ecb => DES-EDE
DES-EDE-OFB
DES-EDE3
DES-EDE3-CBC
DES-EDE3-CFB
DES-EDE3-CFB1
DES-EDE3-CFB8
des-ede3-ecb => DES-EDE3
DES-EDE3-OFB
DES-OFB
des3 => DES-EDE3-CBC
des3-wrap => id-smime-alg-CMS3DESwrap
desx => DESX-CBC
DESX-CBC
id-aes128-CCM
id-aes128-GCM
id-aes128-wrap
id-aes128-wrap-pad
id-aes192-CCM
id-aes192-GCM
id-aes192-wrap
id-aes192-wrap-pad
id-aes256-CCM
id-aes256-GCM
id-aes256-wrap
id-aes256-wrap-pad
id-smime-alg-CMS3DESwrap
rc2 => RC2-CBC
rc2-128 => RC2-CBC
rc2-40 => RC2-40-CBC
RC2-40-CBC
rc2-64 => RC2-64-CBC
RC2-64-CBC
RC2-CBC
RC2-CFB
RC2-ECB
RC2-OFB
RC4
RC4-40
RC4-HMAC-MD5
seed => SEED-CBC
SEED-CBC
SEED-CFB
SEED-ECB
SEED-OFB
sm4 => SM4-CBC
SM4-CBC
SM4-CFB
SM4-CTR
SM4-ECB
SM4-OFB
# openssl ecparam -list_curves
secp112r1 : SECG/WTLS curve over a 112 bit prime field
secp112r2 : SECG curve over a 112 bit prime field
secp128r1 : SECG curve over a 128 bit prime field
secp128r2 : SECG curve over a 128 bit prime field
secp160k1 : SECG curve over a 160 bit prime field
secp160r1 : SECG curve over a 160 bit prime field
secp160r2 : SECG/WTLS curve over a 160 bit prime field
secp192k1 : SECG curve over a 192 bit prime field
secp224k1 : SECG curve over a 224 bit prime field
secp224r1 : NIST/SECG curve over a 224 bit prime field
secp256k1 : SECG curve over a 256 bit prime field
secp384r1 : NIST/SECG curve over a 384 bit prime field
secp521r1 : NIST/SECG curve over a 521 bit prime field
prime192v1: NIST/X9.62/SECG curve over a 192 bit prime field
prime192v2: X9.62 curve over a 192 bit prime field
prime192v3: X9.62 curve over a 192 bit prime field
prime239v1: X9.62 curve over a 239 bit prime field
prime239v2: X9.62 curve over a 239 bit prime field
prime239v3: X9.62 curve over a 239 bit prime field
prime256v1: X9.62/SECG curve over a 256 bit prime field
sect113r1 : SECG curve over a 113 bit binary field
sect113r2 : SECG curve over a 113 bit binary field
sect131r1 : SECG/WTLS curve over a 131 bit binary field
sect131r2 : SECG curve over a 131 bit binary field
sect163k1 : NIST/SECG/WTLS curve over a 163 bit binary field
sect163r1 : SECG curve over a 163 bit binary field
sect163r2 : NIST/SECG curve over a 163 bit binary field
sect193r1 : SECG curve over a 193 bit binary field
sect193r2 : SECG curve over a 193 bit binary field
sect233k1 : NIST/SECG/WTLS curve over a 233 bit binary field
sect233r1 : NIST/SECG/WTLS curve over a 233 bit binary field
sect239k1 : SECG curve over a 239 bit binary field
sect283k1 : NIST/SECG curve over a 283 bit binary field
sect283r1 : NIST/SECG curve over a 283 bit binary field
sect409k1 : NIST/SECG curve over a 409 bit binary field
sect409r1 : NIST/SECG curve over a 409 bit binary field
sect571k1 : NIST/SECG curve over a 571 bit binary field
sect571r1 : NIST/SECG curve over a 571 bit binary field
c2pnb163v1: X9.62 curve over a 163 bit binary field
c2pnb163v2: X9.62 curve over a 163 bit binary field
c2pnb163v3: X9.62 curve over a 163 bit binary field
c2pnb176v1: X9.62 curve over a 176 bit binary field
c2tnb191v1: X9.62 curve over a 191 bit binary field
c2tnb191v2: X9.62 curve over a 191 bit binary field
c2tnb191v3: X9.62 curve over a 191 bit binary field
c2pnb208w1: X9.62 curve over a 208 bit binary field
c2tnb239v1: X9.62 curve over a 239 bit binary field
c2tnb239v2: X9.62 curve over a 239 bit binary field
c2tnb239v3: X9.62 curve over a 239 bit binary field
c2pnb272w1: X9.62 curve over a 272 bit binary field
c2pnb304w1: X9.62 curve over a 304 bit binary field
c2tnb359v1: X9.62 curve over a 359 bit binary field
c2pnb368w1: X9.62 curve over a 368 bit binary field
c2tnb431r1: X9.62 curve over a 431 bit binary field
wap-wsg-idm-ecid-wtls1: WTLS curve over a 113 bit binary field
wap-wsg-idm-ecid-wtls3: NIST/SECG/WTLS curve over a 163 bit binary field
wap-wsg-idm-ecid-wtls4: SECG curve over a 113 bit binary field
wap-wsg-idm-ecid-wtls5: X9.62 curve over a 163 bit binary field
wap-wsg-idm-ecid-wtls6: SECG/WTLS curve over a 112 bit prime field
wap-wsg-idm-ecid-wtls7: SECG/WTLS curve over a 160 bit prime field
wap-wsg-idm-ecid-wtls8: WTLS curve over a 112 bit prime field
wap-wsg-idm-ecid-wtls9: WTLS curve over a 160 bit prime field
wap-wsg-idm-ecid-wtls10: NIST/SECG/WTLS curve over a 233 bit binary field
wap-wsg-idm-ecid-wtls11: NIST/SECG/WTLS curve over a 233 bit binary field
wap-wsg-idm-ecid-wtls12: WTLS curve over a 224 bit prime field
Oakley-EC2N-3:
IPSec/IKE/Oakley curve #3 over a 155 bit binary field.
Not suitable for ECDSA.
Questionable extension field!
Oakley-EC2N-4:
IPSec/IKE/Oakley curve #4 over a 185 bit binary field.
Not suitable for ECDSA.
Questionable extension field!
brainpoolP160r1: RFC 5639 curve over a 160 bit prime field
brainpoolP160t1: RFC 5639 curve over a 160 bit prime field
brainpoolP192r1: RFC 5639 curve over a 192 bit prime field
brainpoolP192t1: RFC 5639 curve over a 192 bit prime field
brainpoolP224r1: RFC 5639 curve over a 224 bit prime field
brainpoolP224t1: RFC 5639 curve over a 224 bit prime field
brainpoolP256r1: RFC 5639 curve over a 256 bit prime field
brainpoolP256t1: RFC 5639 curve over a 256 bit prime field
brainpoolP320r1: RFC 5639 curve over a 320 bit prime field
brainpoolP320t1: RFC 5639 curve over a 320 bit prime field
brainpoolP384r1: RFC 5639 curve over a 384 bit prime field
brainpoolP384t1: RFC 5639 curve over a 384 bit prime field
brainpoolP512r1: RFC 5639 curve over a 512 bit prime field
brainpoolP512t1: RFC 5639 curve over a 512 bit prime field
SM2 : SM2 curve over a 256 bit prime field
# openssl list -1 -digest-algorithms
RSA-MD4 => MD4
RSA-MD5 => MD5
RSA-MDC2 => MDC2
RSA-RIPEMD160 => RIPEMD160
RSA-SHA1 => SHA1
RSA-SHA1-2 => RSA-SHA1
RSA-SHA224 => SHA224
RSA-SHA256 => SHA256
RSA-SHA3-224 => SHA3-224
RSA-SHA3-256 => SHA3-256
RSA-SHA3-384 => SHA3-384
RSA-SHA3-512 => SHA3-512
RSA-SHA384 => SHA384
RSA-SHA512 => SHA512
RSA-SHA512/224 => SHA512-224
RSA-SHA512/256 => SHA512-256
RSA-SM3 => SM3
BLAKE2b512
BLAKE2s256
id-rsassa-pkcs1-v1_5-with-sha3-224 => SHA3-224
id-rsassa-pkcs1-v1_5-with-sha3-256 => SHA3-256
id-rsassa-pkcs1-v1_5-with-sha3-384 => SHA3-384
id-rsassa-pkcs1-v1_5-with-sha3-512 => SHA3-512
MD4
md4WithRSAEncryption => MD4
MD5
MD5-SHA1
md5WithRSAEncryption => MD5
MDC2
mdc2WithRSA => MDC2
ripemd => RIPEMD160
RIPEMD160
ripemd160WithRSA => RIPEMD160
rmd160 => RIPEMD160
SHA1
sha1WithRSAEncryption => SHA1
SHA224
sha224WithRSAEncryption => SHA224
SHA256
sha256WithRSAEncryption => SHA256
SHA3-224
SHA3-256
SHA3-384
SHA3-512
SHA384
sha384WithRSAEncryption => SHA384
SHA512
SHA512-224
sha512-224WithRSAEncryption => SHA512-224
SHA512-256
sha512-256WithRSAEncryption => SHA512-256
sha512WithRSAEncryption => SHA512
SHAKE128
SHAKE256
SM3
sm3WithRSAEncryption => SM3
ssl3-md5 => MD5
ssl3-sha1 => SHA1
whirlpool
# openssl list -1 -public-key-algorithms
Name: OpenSSL RSA method
Type: Builtin Algorithm
OID: rsaEncryption
PEM string: RSA
Name: rsa
Alias for: rsaEncryption
Name: OpenSSL PKCS#3 DH method
Type: Builtin Algorithm
OID: dhKeyAgreement
PEM string: DH
Name: dsaWithSHA
Alias for: dsaEncryption
Name: dsaEncryption-old
Alias for: dsaEncryption
Name: dsaWithSHA1-old
Alias for: dsaEncryption
Name: dsaWithSHA1
Alias for: dsaEncryption
Name: OpenSSL DSA method
Type: Builtin Algorithm
OID: dsaEncryption
PEM string: DSA
Name: OpenSSL EC algorithm
Type: Builtin Algorithm
OID: id-ecPublicKey
PEM string: EC
Name: OpenSSL HMAC method
Type: Builtin Algorithm
OID: hmac
PEM string: HMAC
Name: OpenSSL CMAC method
Type: Builtin Algorithm
OID: cmac
PEM string: CMAC
Name: OpenSSL RSA-PSS method
Type: Builtin Algorithm
OID: rsassaPss
PEM string: RSA-PSS
Name: OpenSSL X9.42 DH method
Type: Builtin Algorithm
OID: X9.42 DH
PEM string: X9.42 DH
Name: OpenSSL X25519 algorithm
Type: Builtin Algorithm
OID: X25519
PEM string: X25519
Name: OpenSSL X448 algorithm
Type: Builtin Algorithm
OID: X448
PEM string: X448
Name: OpenSSL POLY1305 method
Type: Builtin Algorithm
OID: poly1305
PEM string: POLY1305
Name: OpenSSL SIPHASH method
Type: Builtin Algorithm
OID: siphash
PEM string: SIPHASH
Name: OpenSSL ED25519 algorithm
Type: Builtin Algorithm
OID: ED25519
PEM string: ED25519
Name: OpenSSL ED448 algorithm
Type: Builtin Algorithm
OID: ED448
PEM string: ED448
Name: sm2
Alias for: id-ecPublicKey
# openssl list -1 -public-key-methods
rsaEncryption
Type: External Algorithm
dhKeyAgreement
Type: Builtin Algorithm
dsaEncryption
Type: External Algorithm
id-ecPublicKey
Type: Builtin Algorithm
hmac
Type: Builtin Algorithm
cmac
Type: Builtin Algorithm
rsassaPss
Type: External Algorithm
X9.42 DH
Type: Builtin Algorithm
scrypt
Type: Builtin Algorithm
tls1-prf
Type: Builtin Algorithm
X25519
Type: Builtin Algorithm
X448
Type: Builtin Algorithm
hkdf
Type: Builtin Algorithm
poly1305
Type: Builtin Algorithm
siphash
Type: Builtin Algorithm
ED25519
Type: Builtin Algorithm
ED448
Type: Builtin Algorithm
sm2
Type: Builtin Algorithm