Create a Self-Signed Certificate for Code Signing

on Regards: Infrastructure;

Self-Signed Certificate for uwp app code signing

In my case I needed the self-signed certificate for code signing a uwp app in my azure build pipeline. My uwp app is registered in the Microsoft store, and in this case Microsoft generates a package identity for the app and a unique publisher guid.

As the uwp package gets signed with a certificate, the certificate contains the publishers guid in the subject property. This way the app can be associated with the Microsoft store.

To create a self-signed certificate the PowerShell command New-SelfSignedCertificate can be used.

(Fig 1. Shows the opened Package.appxmanifest file of an UWP solution)

The full commands to create the certificate:

$currentdate = Get-Date
New-SelfSignedCertificate -Type Custom -Subject "CN=8F2F0FD9-...." -KeyUsage DigitalSignature
-FriendlyName "resize_codesign_cert" -CertStoreLocation "Cert:\CurrentUser\My" -TextExtension @("{text}", "{text}") -notafter $afteryears
  • $afteryears, sets the year when the certificate expires
  • Type, sets the CertificateType (Custom)
  • Subject, should contain the publisher used by the microsoft store CN={publisherguid}
  • KeyUsage, specifies the key usages set in the key usage extension of the certificate
  • FriendlyName, a name to easily identify the usage of the certificate
  • CertStoreLocation, the location, where the certificate should be stored, in this case the windows users certificate store
  • TextExtension, in short tell the certificate that we use it as code signing certificate
  • $notafter, sets the expiration date. If not set, the issued certificate will expire after one year

After the certificate is created it shows something like:

   PSParentPath: Microsoft.PowerShell.Security\Certificate::CurrentUser\My

Thumbprint                                Subject
----------                                -------
C893A4D2EE53D3...                         CN=8F2F0FD9-2706-45A2-AB07-...

Tip: You can view the created certificate from the certificate store with windowskey+R enter mmc, File -> Add/Remove Snap-in... choose Certificates. A dialog prompt where you need to select My user account. Navigate in the left tree view to Certificates - Current User\Personal\Certificates. Double click one of the stored certificates to view its properties like Thumbprint, Subject, Expire date and so on.

(Fig 2. Opened mmc with Snap-In Certificates)

Now we want to export the created certificate by PowerShell. Notice: A certificate with the extension .pfx contains the private and the public key!

To export the file we need to do the following:

$password = ConvertTo-SecureString -String <Your Password> -Force -AsPlainText 
Export-PfxCertificate -cert "Cert:\CurrentUser\My\<Certificate Thumbprint in this case C893A4D2EE53D3...>" -FilePath <FilePath>.pfx -Password $password

That’s it, the next step would be to integrate the certificate into the build pipeline.

Useful links: