Create a Self-Signed Certificate for Code Signing
By Martin on Regards: Infrastructure
Self-Signed Certificate for UWP app code signing
In my case I needed the self-signed certificate to code-sign a UWP app in my Azure build pipeline. My UWP app is registered in the Microsoft Store, and in this case Microsoft generates a package identity for the app and a unique publisher GUID.
Because the UWP package is signed with a certificate, the certificate contains the publisher's GUID in its Subject property. This way the app can be associated with the Microsoft Store.
To create a self-signed certificate, the PowerShell command New-SelfSignedCertificate can be used.
The full commands to create the certificate:
# The certificate expires five years from now
$currentdate = Get-Date
$afteryears = $currentdate.AddYears(5)
New-SelfSignedCertificate -Type Custom -Subject "CN=8F2F0FD9-...." -KeyUsage DigitalSignature `
    -FriendlyName "resize_codesign_cert" -CertStoreLocation "Cert:\CurrentUser\My" `
    -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.3", "2.5.29.19={text}") -NotAfter $afteryears

- $afteryears, sets the year when the certificate expires
- Type, sets the CertificateType (Custom)
- Subject, should contain the publisher used by the Microsoft Store: CN={publisherguid}
- KeyUsage, specifies the key usages set in the key usage extension of the certificate
- FriendlyName, a name to easily identify the usage of the certificate
- CertStoreLocation, the location where the certificate should be stored, in this case the Windows user's certificate store
- TextExtension, in short, tells the certificate that we use it as a code signing certificate (2.5.29.37 is the Extended Key Usage extension, 1.3.6.1.5.5.7.3.3 is the Code Signing usage)
- NotAfter, sets the expiration date. If not set, the issued certificate will expire after one year
After the certificate is created it shows something like:
PSParentPath: Microsoft.PowerShell.Security\Certificate::CurrentUser\My
Thumbprint Subject
---------- -------
C893A4D2EE53D3... CN=8F2F0FD9-2706-45A2-AB07-...

Tip: You can view the created certificate in the certificate store. Press Windows key+R, enter mmc, then choose File -> Add/Remove Snap-in... and select Certificates. A dialog prompts you to select My user account. In the left tree view, navigate to Certificates - Current User\Personal\Certificates. Double-click one of the stored certificates to view its properties such as Thumbprint, Subject, expiration date and so on.
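The same properties can also be checked in script before the certificate is exported. The following is an added example, not code from the original post: the function name Test-CodeSigningCert, the friendly name and the all-zero subject GUID are assumptions made for illustration, and the script creates and then deletes a throwaway certificate with the parameters used above.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Hypothetical helper (added example): reports whether a certificate is fit for package signing.
function Test-CodeSigningCert {
    param(
        [Parameter(Mandatory)][X509Certificate2]$Cert,
        [Parameter(Mandatory)][string]$ExpectedSubject,
        [int]$MinDaysValid = 30
    )
    # .NET decodes the well-known extensions into typed objects
    $eku = $Cert.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
    $ku  = $Cert.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] }
    $bc  = $Cert.Extensions | Where-Object { $_ -is [X509BasicConstraintsExtension] }
    $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
    [pscustomobject]@{
        Thumbprint       = $Cert.Thumbprint
        SubjectMatches   = $Cert.Subject -eq $ExpectedSubject            # must equal CN={publisherguid}
        HasPrivateKey    = $Cert.HasPrivateKey                           # needed to sign and to export a .pfx
        CodeSigningEku   = $ekuOids -contains '1.3.6.1.5.5.7.3.3'        # from 2.5.29.37
        DigitalSignature = [bool]($ku -and ($ku.KeyUsages -band [X509KeyUsageFlags]::DigitalSignature))
        NotACa           = -not ($bc -and $bc.CertificateAuthority)      # from 2.5.29.19
        ValidLongEnough  = $Cert.NotAfter -gt (Get-Date).AddDays($MinDaysValid)
    }
}

# Constructed sample input: throwaway certificate with a placeholder subject, not a real publisher GUID.
$subject = 'CN=00000000-0000-0000-0000-000000000000'
$cert = New-SelfSignedCertificate -Type Custom -Subject $subject -KeyUsage DigitalSignature `
    -FriendlyName 'example_codesign_check' -CertStoreLocation 'Cert:\CurrentUser\My' `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.3', '2.5.29.19={text}') `
    -NotAfter (Get-Date).AddYears(5)
try {
    $result = Test-CodeSigningCert -Cert $cert -ExpectedSubject $subject
    $result | Format-List
    # Collect every boolean check that came back false
    $failed = $result.PSObject.Properties | Where-Object { $_.Value -is [bool] -and -not $_.Value }
    if ($failed) { throw "Certificate checks failed: $($failed.Name -join ', ')" }
}
finally {
    # Remove the throwaway certificate together with its private key
    Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey
}
```

For a real certificate, pass the item from Cert:\CurrentUser\My\ with its thumbprint as -Cert and the publisher subject used by the Microsoft Store as -ExpectedSubject.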
Now we want to export the created certificate with PowerShell. Notice: a certificate with the extension .pfx contains the private and the public key!
To export the file we need to do the following:
$password = ConvertTo-SecureString -String "<Your Password>" -Force -AsPlainText
Export-PfxCertificate -Cert "Cert:\CurrentUser\My\<Certificate Thumbprint in this case C893A4D2EE53D3...>" -FilePath "<FilePath>.pfx" -Password $password

That’s it. The next step would be to integrate the certificate into the build pipeline.
Useful links:
- https://docs.microsoft.com/en-us/windows/msix/package/create-certificate-package-signing
- http://woshub.com/how-to-create-self-signed-certificate-with-powershell/