Signing Windows 8 applications using an Internal PKI

So – your development cycles have been completed and now you are ready to deploy the much anticipated Windows 8 based application that you have developed to your clients. You will quickly realize that the deployment of your newly created Windows 8 application cannot happen until the appx assembly has been signed. All methods of deployment (Windows Store, PowerShell or System Center 2012 Configuration Manager) require the application to be signed using a certificate issued by a trusted source before you can deploy it.

If your application was developed with the intention of staying within the corporate landscape, then you may use a certificate issued by an internally hosted trusted CA. A lot of documentation is available about the requirements of the certificate issued, but a how-to guide was not available until now. This blog post will walk you through the steps required to install an internally developed application to production systems.

The screen captures in this blog post were taken on a Windows Server 2012 domain controller, a Windows Server 2012 certificate authority, Visual Studio 2012 and Windows 8 Enterprise. The procedures for Windows Server 2008 R2 vary slightly, but the same certificate requirements can be met.

The diagram below identifies the workflow that this blog post will walk you through.


Get the Certificate

Visual Studio will validate the certificate used to sign the app in the following ways:

  • Verifies the presence of the Basic Constraints extension and its value, which must be either Subject Type=End Entity or unspecified.
  • Verifies the value of the Enhanced Key Usage property, which must contain Code Signing and may also contain Lifetime Signing. Any other EKUs are prohibited.
  • Verifies the value of the KeyUsage (KU) property, which must be either Unset or DigitalSignature.
  • Verifies that a private key exists for the certificate.
  • Verifies that the certificate is active, hasn't expired, and hasn't been revoked.
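As an added example (not part of the original post), the following PowerShell function applies the same five checks to a certificate already in the current user's Personal store, so a candidate can be tested before it is exported and handed to Visual Studio. It assumes the PKI module's Test-Certificate cmdlet (Windows 8 / Server 2012) is available for the chain and revocation check; the function name and its thumbprint parameter are my own.

```powershell
# Added example, not from the original post. Checks one certificate in the
# current user's Personal store against the five rules Visual Studio applies.
function Test-AppxSigningCert {
    param([Parameter(Mandatory)][string]$Thumbprint)   # hypothetical parameter name

    $cert = Get-Item -Path "Cert:\CurrentUser\My\$Thumbprint"
    $problems = @()
    $codeSigning     = '1.3.6.1.5.5.7.3.3'         # Code Signing EKU OID
    $lifetimeSigning = '1.3.6.1.4.1.311.10.3.13'   # Lifetime Signing EKU OID (optional)

    # 1. Basic Constraints: absent, or present and not marked as a CA (Subject Type=End Entity)
    $bc = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    if ($bc -and $bc.CertificateAuthority) { $problems += 'Basic Constraints marks the certificate as a CA' }

    # 2. Enhanced Key Usage: Code Signing required, Lifetime Signing allowed, anything else prohibited
    $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
    if ($oids -notcontains $codeSigning) { $problems += 'EKU does not contain Code Signing' }
    $extra = @($oids | Where-Object { $_ -ne $codeSigning -and $_ -ne $lifetimeSigning })
    if ($extra.Count -gt 0) { $problems += "EKU contains prohibited OIDs: $($extra -join ', ')" }

    # 3. Key Usage: extension absent, or exactly DigitalSignature
    $ku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    if ($ku -and $ku.KeyUsages -ne [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature) {
        $problems += "Key Usage is '$($ku.KeyUsages)'; expected DigitalSignature or unset"
    }

    # 4. A private key must be associated with the certificate in this store
    if (-not $cert.HasPrivateKey) { $problems += 'No private key is associated with the certificate' }

    # 5. Validity period, then chain and revocation status (Test-Certificate checks revocation by default)
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) { $problems += 'Certificate is outside its validity period' }
    if (-not (Test-Certificate -Cert $cert -Policy Base -EKU $codeSigning -ErrorAction SilentlyContinue)) {
        $problems += 'Chain or revocation check failed (untrusted, expired or revoked)'
    }

    [pscustomobject]@{
        Subject  = $cert.Subject
        Suitable = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Usage: Test-AppxSigningCert -Thumbprint '<thumbprint of the candidate certificate>'
```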

Create the Template

The built-in Windows Server 2008 R2 and Windows Server 2012 templates do not allow the creation of a certificate that meets all of these requirements. A new template must be created that allows a properly configured certificate to be issued.

Open an MMC and add the Certification Authority and Certificate Templates snap-ins.


Select Certificate Templates > Right Click on Code Signing > Duplicate Template


On the Compatibility tab

· Change Certificate Authority to Windows Server 2008 R2 or Higher

· Change the Certificate Recipient to Windows 7/Server 2008 R2 or Higher

Note: These two changes allow the Basic Constraints Extension to be enabled.


On the Request Handling tab

· Check the box to allow the private key to be exported


On the General tab

· Provide a useful name for this new template


On the Extensions tab

· Click on the Application Policies extension and verify that Code Signing is listed

Note: For additional security, you can also add the Lifetime Signing application policy to this template, so that signatures made with the certificate are no longer valid once it has expired.


On the Extensions tab

· Click on Basic Constraints and click Edit and check the box to Enable this extension.

Note: If this checkbox is grayed out, make sure the certificate template is set properly on the Compatibility tab.


On the Subject Name tab

· Select the Supply in the request radio button and click OK on the warning


On the Security tab

· Add a user or group to allow them to enroll for the certificate. They must have the Read and Enroll permissions.


In the MMC, expand Certificate Authority > {CAName} > Right Click Certificate Templates > New > Certificate Template to Issue

Select the Template Name just created > Click OK


Notice the APPX Code Signing Template is now listed on the CA under Certificate Templates


Request the Certificate

Now that the certificate template exists, a certificate must be requested from it. The issued certificate (.cer) is placed in the local store of the computer the request is made from. It doesn’t matter which system makes the request, because the certificate is immediately exported to the .pfx file needed to sign the application.

Open an MMC, add the Certificates snap-in and select the My user account radio button.

In the MMC > Expand Certificates – Current user > Personal > Right Click on Certificates > All Tasks > Request New Certificate

Note: The computer store can be used as well, but the computer account would need permission to enroll the certificate. In this example, we only added permissions for the application developers group.


Click Next on the Before You Begin screen


On the Select Certificate Enrollment Policy screen

· Ensure Active Directory Enrollment Policy is selected

· Click Next


On the Request Certificates screen

· Click on the link below the APPX Code Signing template to configure additional settings

Note: The Enroll button cannot be selected until the missing settings are configured.


On the Certificate Properties screen

· Under Subject name, set the Type to Common name

· Value must be the same as the Publisher value in the Visual Studio 2012 package.appxmanifest

· Click Add

Note: The CN= prefix is added automatically and is not required when typing the Publisher name. In this example just ContosoAppDev was entered in the Value textbox.


On the Request Certificates screen

· Ensure APPX Code Signing is selected

· Click Enroll


On the Certificate Installation Results screen

· Check the status

· Click Finish


On the Certificates – Current User MMC

· The new certificate will be listed


Export to PFX

Visual Studio requires the .pfx format to sign the application. The previous step placed the issued certificate (.cer), together with its private key, in the user store. We now need to export that certificate as a .pfx in preparation for signing.

On the Certificates – Current User MMC

· Right Click the New Certificate > Click All Tasks > Click Export


On the Welcome screen

· Click Next


On the Export Private key screen

· Click ‘Yes, export the private key’

· Click Next


On the Export File Format screen

· Ensure Personal Information Exchange is selected

· Ensure Include all certificates in the certification path if possible is checked

· Check Export all extended properties

· Click Next


On the Security screen

· Select the Password checkbox

· Enter a password (this will be needed during import into Visual Studio 2012)

· Click Next


On the File to Export screen

· Provide a path and filename

· Click Next


On the Completing the Certificate Export Wizard screen

· Click Next


On the Certificate Export Wizard message box

· Click OK
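
The request and export wizards in the two sections above can also be driven from PowerShell. The following is an added example (not part of the original post) that enrolls a certificate from the template and exports it to a password-protected .pfx in one step, reading the Publisher from the project's package.appxmanifest so the subject matches exactly. It assumes the template's internal name is APPXCodeSigning (the display name used in the post without the spaces) and that the PKI module's Get-Certificate and Export-PfxCertificate cmdlets (Windows 8 / Server 2012) are available; the function name and parameters are my own.

```powershell
# Added example, not from the original post. Enrolls from the APPX code-signing
# template and exports the result to a .pfx for Visual Studio.
function New-AppxSigningPfx {
    param(
        [Parameter(Mandatory)][string]$ManifestPath,                 # package.appxmanifest in the VS project
        [Parameter(Mandatory)][string]$PfxPath,                      # where to write the .pfx
        [Parameter(Mandatory)][System.Security.SecureString]$PfxPassword,
        [string]$TemplateName = 'APPXCodeSigning'                    # assumed internal template name
    )

    # The certificate subject must equal the Publisher attribute of <Identity> in the manifest.
    [xml]$manifest = Get-Content -Path $ManifestPath
    $publisher = $manifest.Package.Identity.Publisher
    if ([string]::IsNullOrEmpty($publisher) -or $publisher -notmatch '^CN=') {
        throw "Manifest Publisher '$publisher' is missing or does not start with CN="
    }

    # Request the certificate through the Active Directory enrollment policy; the template
    # is set to 'Supply in the request', so the subject comes from -SubjectName.
    $result = Get-Certificate -Template $TemplateName -SubjectName $publisher -CertStoreLocation Cert:\CurrentUser\My
    if ($result.Status -ne 'Issued') { throw "Enrollment finished with status '$($result.Status)'" }
    $cert = $result.Certificate

    # Fail early if the CA issued something other than what Visual Studio will accept.
    if (-not $cert.HasPrivateKey) { throw 'Issued certificate has no private key in the store' }
    if ($cert.Subject -ne $publisher) { throw "Issued subject '$($cert.Subject)' differs from Publisher '$publisher'" }

    # Export the private key plus the issuing chain (the wizard's 'Include all certificates in
    # the certification path'), protected with the password Visual Studio will ask for.
    Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $PfxPassword -ChainOption BuildChain | Out-Null

    [pscustomobject]@{ Thumbprint = $cert.Thumbprint; Subject = $cert.Subject; Pfx = $PfxPath }
}

# Usage (prompting for the password keeps it out of the shell history):
# New-AppxSigningPfx -ManifestPath .\package.appxmanifest -PfxPath .\ContosoAppDev.pfx -PfxPassword (Read-Host -AsSecureString 'PFX password')
```

The export only succeeds because the template's Request Handling tab allows the private key to be exported; with that box unchecked Export-PfxCertificate fails on a key the CSP marks non-exportable.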


Sign the Application

Open Windows Explorer to the location where the pfx file was saved.

Note: The pfx file must be copied to a computer with Visual Studio 2012 installed.


Open the Visual Studio 2012 project to be signed

· Double-click the package.appxmanifest

· Click Choose Certificate…


On the Choose Certificate screen

· Click Configure Certificate > Select from File…


On the Select File screen

· Navigate to and select the exported PFX file

· Click Open


On the Enter Password screen

· Enter Password

· Click OK


On the Choose Certificate screen

· Click OK


Package the signed APPX

The .pfx file needed to sign the application was created and selected in the previous steps, so now we can package the signed application.

Open the Visual Studio 2012 project to be packaged

Inside the project

· Right click the Project

· Click Rebuild


Inside Solution Explorer

· Right click the solution to be packaged

· Click Store

· Click Create App Package


On the Create Your Package screen

· Select No

· Click Next


On the Select and Configure Packages screen

· Specify the path for the package to be placed

· Click Create


On the Package Creation Completed screen

· Click OK

Note: You may click on the link provided to navigate to the location the package was placed.


Configure Group Policy

To deploy a Windows 8 application by sideloading, the computer receiving the package must either have a developer license (intended for testing purposes only) or have the local or group policy setting that allows trusted applications to be installed.

Open Group Policy Management

· Right click where you want to link the new Group Policy

· Click Create a GPO in this domain and Link it here…

Note: The Windows 8 systems must be located in the container to which the new GPO is linked.


On the new GPO screen

· Name the GPO appropriately

· Click OK


In the GPMC

· Right click the new policy

· Click Edit…


On the Group Policy Management Editor screen

· Expand Computer Configuration > Policies > Administrative Templates > Windows Components > App Package Deployment

· Right Click Allow all trusted apps to install > Click Edit


On the Allow all trusted apps to install screen

· Select Enabled

· Click OK
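
Before the package is pushed out by PowerShell or Configuration Manager, the prerequisites this post has built up (the policy enabled, a signature that chains to a trusted CA, and a signer subject equal to the manifest Publisher) can be checked on a target Windows 8 machine. This is an added example, not from the original post; the function name is my own, it assumes Get-AuthenticodeSignature can read the package's Authenticode signature on a Windows 8 machine, and it uses the .NET 4.5 ZipFile class (present on Windows 8) to read AppxManifest.xml out of the package.

```powershell
# Added example, not from the original post. Pre-flight checks on a Windows 8
# machine before side-loading a signed .appx produced by the steps above.
function Test-AppxSideloadReady {
    param([Parameter(Mandatory)][string]$PackagePath)   # path to the .appx file

    $findings = @()

    # 1. Setting 'Allow all trusted apps to install' to Enabled writes AllowAllTrustedApps = 1 here.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx'
    $policy = Get-ItemProperty -Path $policyKey -Name AllowAllTrustedApps -ErrorAction SilentlyContinue
    if (-not $policy -or $policy.AllowAllTrustedApps -ne 1) {
        $findings += 'AllowAllTrustedApps policy is not enabled on this machine'
    }

    # 2. The package signature must validate, which requires the internal CA's root certificate
    #    to be trusted on this machine (domain members receive the enterprise root automatically).
    $sig = Get-AuthenticodeSignature -FilePath $PackagePath
    if ($sig.Status -ne 'Valid') { $findings += "Package signature status is '$($sig.Status)'" }

    # 3. The signer's subject must equal the Publisher inside the package's AppxManifest.xml.
    Add-Type -AssemblyName System.IO.Compression.FileSystem
    $zip = [System.IO.Compression.ZipFile]::OpenRead($PackagePath)
    try {
        $reader = New-Object System.IO.StreamReader($zip.GetEntry('AppxManifest.xml').Open())
        try { [xml]$manifest = $reader.ReadToEnd() } finally { $reader.Dispose() }
    } finally { $zip.Dispose() }
    $publisher = $manifest.Package.Identity.Publisher
    if ($sig.SignerCertificate -and $sig.SignerCertificate.Subject -ne $publisher) {
        $findings += "Signer subject '$($sig.SignerCertificate.Subject)' does not equal manifest Publisher '$publisher'"
    }

    [pscustomobject]@{
        Package  = $PackagePath
        Ready    = ($findings.Count -eq 0)
        Findings = $findings
    }
}

# Usage: Test-AppxSideloadReady -PackagePath 'C:\Packages\ContosoApp_1.0.0.0_AnyCPU.appx'
```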


This post was contributed by John Taylor, a Senior Consultant with Microsoft National IT Operational Consulting – US.

Disclaimer: The information on this site is provided "AS IS" with no warranties, confers no rights, and is not supported by the authors or Microsoft Corporation. Use of included script samples is subject to the terms specified in the Terms of Use.
