A self-signed Code Signing Certificate for MSIX WAP

Developers creating MSIX packages with the Windows Application Project (WAP) need to provide a code-signing certificate that carries an additional field not needed when creating packages through other means.  Specifically, the certificate needs the BasicConstraints extension.

If you purchase a code signing certificate from a Certificate Authority, this field should already be there.  But in this case I was working on behalf of a customer, and they shouldn’t be giving me their production code-signing certificate.  Instead, I usually create a self-signed certificate with the same “subject” field as their production cert.  Then I can create the package and test using this test cert, and they only need to re-sign the package with their production cert when I’m done.

But importing a test cert into the WAP AppxManifest file in Visual Studio, using a test cert made the same way I’d always created them with other tooling, wouldn’t import the cert into the project.  Specifically, the error looked like this:

Looking at the Microsoft Documentation it mentions the need for the “BasicConstraints” field to be in the cert, but simply states

"The value of the Basic Constraints extension is set to Subject Type=End Entity" 

with no information on how to make that happen other than asking Visual Studio to make a test cert for you.  But then you can’t control the subject field, as Visual Studio only builds the subject by slapping CN= in front of the Company Name (which won’t match any cert from a public Certificate Authority).

As I have a script to create the test cert using PowerShell New-CodeSigningCert cmdlet you’d think you might find something in documentation or forums there.  But all I found were uses for adding BasicConstraints for purposes other than a code signing cert which did not help.  Eventually I found Introduction to Certificate Extensions | Basic Constraints (encryptionconsulting.com) which provided me the correct syntax for my purpose.

Below is a PowerShell script I use to generate an acceptable code signing certificate.  It will prompt you for the necessary information, create the cert, and export the pfx file for you with a password.  It must be run in an elevated PowerShell window.

# Folder containing this script; the .pfx is written next to it.
$executingScriptDirectory = Split-Path -Path $MyInvocation.MyCommand.Definition -Parent

Write-Host
Write-Host -ForegroundColor Cyan 'Input information for your certificate below:'
$Company_Entered = Read-Host -Prompt "Enter your company name (Default='Company')"
$CN = Read-Host -Prompt "Enter Subject aka CN=... (Default=leave blank to create from company name)"
$Password_Entered = Read-Host -Prompt "Enter a password (Default='3.14159')"
if ($Company_Entered.Length -lt 3)
{
    $Company_Entered = 'Company'
    Write-Host "Company name defaulted to '$($Company_Entered)'"
}
# The Subject must match the Publisher attribute in the AppxManifest exactly.
if ($CN.Length -gt 0)
{
    $Publisher_CN = $CN
}
else
{
    $Publisher_CN = "CN=$($Company_Entered)"
}
Write-Host "Subject is $($Publisher_CN)"
if ($Password_Entered.Length -lt 3)
{
    $Password_Entered = '3.14159'
    Write-Host "Password defaulted to '$($Password_Entered)'"
}

Write-Host -ForegroundColor Cyan 'Processing...'
$Publisher_DisplayName = "$($Company_Entered)"
$Password = $Password_Entered
$FolderToExportCert = "$($executingScriptDirectory)"
$CertName = "$($Company_Entered)"
$SecurePassword = ConvertTo-SecureString -String $Password -Force -AsPlainText
$pfxName = "$($FolderToExportCert)\$($CertName).pfx"

# -TextExtension adds Basic Constraints (OID 2.5.29.19) with CA=false, which is the
# "Subject Type=End Entity" value that the WAP tooling looks for.
$cert = New-SelfSignedCertificate -Subject $Publisher_CN -FriendlyName $Publisher_DisplayName -KeyAlgorithm RSA -KeyLength 3072 -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -KeyExportPolicy Exportable -KeyUsage DigitalSignature -Type CodeSigningCert -CertStoreLocation "Cert:\LocalMachine\my" -KeyDescription "Code Signing Cert for MSIX Packages" -NotAfter "12/31/2039 23:59:59" -HashAlgorithm 'SHA256' -TextExtension @("2.5.29.19={text}CA=false")
$cert | Export-PfxCertificate -FilePath $pfxName -Password $SecurePassword -Force -CryptoAlgorithmOption AES256_SHA256

Write-Host -ForegroundColor Cyan "Exported Certificate: File: $($pfxName)"
Write-Host -ForegroundColor Cyan "        MSIX Manifest uses: $($Publisher_CN)"
Write-Host -ForegroundColor Cyan "               Valid until: $($cert.NotAfter)"

# The cert only needs to live in the exported PFX; remove it from the machine store again.
Remove-Item $cert.PSPath
Write-Host -ForegroundColor Cyan "Done."
pause
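As an added check (example code, not part of the original post), the script below loads an exported PFX and verifies the properties a WAP build depends on: Basic Constraints present with CA=false, a Code Signing EKU, a private key, and a Subject that exactly matches the Publisher attribute in an AppxManifest.xml. The paths .\Company.pfx and .\AppxManifest.xml are assumed defaults.

```powershell
# Added example: verify a PFX before handing it to a WAP/MSIX build.
# Assumed inputs: the PFX produced by the script above and the project's AppxManifest.xml.
param(
    [string]$PfxPath = ".\Company.pfx",
    [string]$ManifestPath = ".\AppxManifest.xml"
)

$pfxPassword = Read-Host -Prompt "PFX password" -AsSecureString
# Load the certificate plus private key from the PFX (SecureString overload).
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $pfxPassword)

$problems = @()

# 1. Basic Constraints (OID 2.5.29.19) must exist and say CA=false,
#    which the documentation calls "Subject Type=End Entity".
$bc = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
if (-not $bc) {
    $problems += "Basic Constraints extension is missing; Visual Studio will refuse the cert"
} elseif ($bc.CertificateAuthority) {
    $problems += "Basic Constraints says CA=true; an end-entity cert is required"
}

# 2. Enhanced Key Usage (OID 2.5.29.37) must include Code Signing (1.3.6.1.5.5.7.3.3).
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$hasCodeSigning = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.3' })
if (-not $hasCodeSigning) { $problems += "EKU does not include Code Signing" }

# 3. Without the private key there is nothing to sign the package with.
if (-not $cert.HasPrivateKey) { $problems += "PFX contains no private key" }

# 4. The manifest's Identity/@Publisher must match the certificate Subject,
#    otherwise signing the package fails. Compared case-sensitively to be strict.
[xml]$manifest = Get-Content -Path $ManifestPath
$publisher = $manifest.Package.Identity.Publisher
if ($publisher -cne $cert.Subject) {
    $problems += "Manifest Publisher '$publisher' does not match cert Subject '$($cert.Subject)'"
}

if ($problems.Count -eq 0) {
    Write-Host -ForegroundColor Green "OK: $($cert.Subject) is usable for a WAP build, valid until $($cert.NotAfter)"
} else {
    $problems | ForEach-Object { Write-Host -ForegroundColor Red "FAIL: $_" }
    exit 1
}
```

Run it from the folder containing the PFX and manifest; a non-zero exit code makes it usable as a pre-build gate.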

By Tim Mangan

Tim is a Microsoft MVP, and a Citrix CTP Fellow. He is an expert in App-V and MSIX.