Signing Windows 8 apps using an Internal PKI
Contents
Introduction
Get the Certificate
    Create the Template
    Request the Certificate
    Export to PFX
Sign the Application
Package the signed APPX
Configure Group Policy
Introduction
The development cycles have been completed and now you are ready to deploy the much anticipated application you have developed to your clients. You will quickly realize that the deployment of your newly created application cannot happen until the appx assembly has been signed. All methods of deployment (Windows Store, PowerShell or Configuration Manager) require the application to be signed using a certificate issued by a trusted source before you can deploy it.
If your application was developed with the intention of staying within the corporate landscape, then you may use a certificate issued by an internally hosted trusted CA. A lot of documentation is available about the requirements of the certificate issued, but a how-to was non-existent when we were ready for deployment. This document will walk through the steps required to install an internally developed application to production systems.
Figure 1 - Workflow for Signing Apps with internal CA
The screen captures in this document were taken using a Windows Server 2012 Domain Controller, a Windows Server 2012 Certificate Authority, Visual Studio 2012 and Windows 8 Enterprise. The procedures for Windows Server 2008 R2 vary slightly, but the same certificate requirements can be met.
Get the Certificate
As documented on MSDN, Visual Studio validates the certificate used to sign the app in the following ways:
Verifies the presence of the Basic Constraints extension and its value, which must be either Subject Type=End Entity or unspecified.
Verifies the value of the Enhanced Key Usage property, which must contain Code Signing and may also contain Lifetime Signing. Any other EKUs are prohibited.
Verifies the value of the KeyUsage (KU) property, which must be either Unset or DigitalSignature.
Verifies that a private key exists.
Verifies whether the certificate is active, hasn't expired, and hasn't been revoked.
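The following PowerShell script is an added example, not part of the original document: it checks a certificate in the current user's Personal store against the four Visual Studio rules listed above, so a developer can confirm the enrolled certificate is usable before exporting it. The function name Test-AppxSigningCertificate and the helper Get-CertExtension are hypothetical; the subject CN=ContosoAppDev is the Publisher value used later in this walkthrough.

```powershell
# Added example (not from the original document). Validates an enrolled certificate
# against the MSDN rules: Basic Constraints, EKU, Key Usage, private key, validity and revocation.
$CodeSigningOid     = '1.3.6.1.5.5.7.3.3'        # id-kp-codeSigning
$LifetimeSigningOid = '1.3.6.1.4.1.311.10.3.13'  # Microsoft Lifetime Signing EKU

# Returns the typed extension object from a certificate, or nothing when it is absent.
function Get-CertExtension($Cert, $TypeName) {
    $Cert.Extensions | Where-Object { $_ -is ("System.Security.Cryptography.X509Certificates.$TypeName" -as [type]) }
}

function Test-AppxSigningCertificate {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $problems = @()

    # 1. Basic Constraints: absent, or present with Subject Type = End Entity (not a CA).
    $bc = Get-CertExtension $Cert 'X509BasicConstraintsExtension'
    if ($bc -and $bc.CertificateAuthority) { $problems += 'Basic Constraints marks the certificate as a CA' }

    # 2. EKU: must contain Code Signing; Lifetime Signing is the only other EKU allowed.
    $eku  = Get-CertExtension $Cert 'X509EnhancedKeyUsageExtension'
    $oids = @(); if ($eku) { $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    if ($oids -notcontains $CodeSigningOid) { $problems += 'EKU does not contain Code Signing' }
    $extra = @($oids | Where-Object { $_ -ne $CodeSigningOid -and $_ -ne $LifetimeSigningOid })
    if ($extra.Count) { $problems += "EKU contains prohibited OIDs: $($extra -join ', ')" }

    # 3. Key Usage: unset, or exactly DigitalSignature.
    $ku = Get-CertExtension $Cert 'X509KeyUsageExtension'
    if ($ku -and $ku.KeyUsages -ne [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature) {
        $problems += "Key Usage is '$($ku.KeyUsages)', expected DigitalSignature"
    }

    # 4. Private key present, currently valid, and not revoked (online CRL/OCSP check through the chain).
    if (-not $Cert.HasPrivateKey) { $problems += 'No private key; the certificate cannot be exported to PFX' }
    $now = Get-Date
    if ($now -lt $Cert.NotBefore -or $now -gt $Cert.NotAfter) { $problems += 'Certificate is outside its validity period' }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    if (-not $chain.Build($Cert)) {
        $problems += @($chain.ChainStatus | ForEach-Object { "Chain: $($_.Status) - $($_.StatusInformation.Trim())" })
    }

    [pscustomobject]@{ Subject = $Cert.Subject; Thumbprint = $Cert.Thumbprint
                       Valid = ($problems.Count -eq 0); Problems = $problems }
}

# Usage: test every certificate whose subject matches the Publisher value in package.appxmanifest.
Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Subject -eq 'CN=ContosoAppDev' } |
    ForEach-Object { Test-AppxSigningCertificate -Cert $_ } | Format-List
```

A chain failure with a revocation status usually means the client cannot reach the internal CA's CRL distribution point, which will also block signing and installation later.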
Create the Template
The built-in Windows 2008 R2 or Windows 2012 templates will not allow the creation of a certificate which meets all of these requirements. A new template must be created which allows the issuance of a properly configured certificate.
Load an MMC and add the Certificate Authority and Certificate Templates snap-ins.
Select Certificate Templates > right-click Code Signing > Duplicate Template.
On the Compatibility tab, change Certificate Authority to Windows Server 2008 R2 or higher, and change Certificate Recipient to Windows 7/Server 2008 R2 or higher.
Note: These two changes allow the Basic Constraints extension to be enabled.
On the Request Handling tab, check the box to allow the private key to be exported.
On the General tab, provide a useful name for this new template.
On the Extensions tab, click the Application Policies extension and verify that Code Signing is present.
Note: For additional security, you can also add the Lifetime Signing extension to this template to ensure the signing certificate is no longer valid after expiration.
On the Extensions tab, click Basic Constraints, click Edit, and check the box to enable this extension.
Note: If this checkbox is grayed out, make sure the certificate template is set properly on the Compatibility tab.
On the Subject Name tab, select the Supply in the request radio button and click OK on the warning.
On the Security tab, add a user or group to allow them to enroll the certificate. They must have the Read and Enroll permissions.
In the MMC, expand Certificate Authority > {CAName} > right-click Certificate Templates > New > Certificate Template to Issue.
Select the template name just created and click OK.
Notice the APPX Code Signing template is now listed on the CA under Certificate Templates.
Request the Certificate
The certificate template has been created and now must be requested to generate a .cer file that will be placed in the local store on the computer the request is made from. It doesn't matter which system makes the request because the .cer is immediately used to generate the .pfx file needed to sign the application.
Open an MMC, add the Certificates snap-in, and select the My user account radio button.
In the MMC, expand Certificates – Current User > Personal > right-click Certificates > All Tasks > Request New Certificate.
Note: The computer store can be used as well, but the computer account would need permission to enroll the certificate. In this example, we only added permissions for the application developers group.
Click Next on the Before You Begin screen.
On the Select Certificate Enrollment Policy screen, ensure Active Directory Enrollment Policy is selected and click Next.
On the Request Certificates screen, click the link below the APPX Code Signing template to configure additional settings.
Note: The Enroll button cannot be selected until the missing settings are configured.
On the Certificate Properties screen, under Subject Name, the type should be Common Name. The value must be the same as the Publisher value in the Visual Studio 2012 package.appxmanifest. Click Add.
Note: The CN= is automatically appended and is not required when typing the Publisher name. In this example, just ContosoAppDev was entered in the value textbox.
On the Request Certificates screen, with APPX Code Signing selected, click Enroll.
On the Certificate Installation Results screen, check the status and click Finish.
In the Certificates – Current User MMC, the new certificate will be listed.
Export to PFX
Visual Studio requires the .pfx format to sign the application. In the previous step, we generated a .cer file which is located in the user store. We need to convert that .cer to a .pfx in preparation for signing.
In the Certificates – Current User MMC, right-click the new certificate > All Tasks > Export.
On the Welcome screen, click Next.
On the Export Private Key screen, select 'Yes, export the private key' and click Next.
On the Export File Format screen, ensure Personal Information Exchange is selected, ensure Include all certificates in the certification path if possible is checked, check Export all extended properties, and click Next.
On the Security screen, select the Password checkbox and enter a password (this will be needed during import into Visual Studio 2012). Click Next.
On the File to Export screen, provide a path and filename and click Next.
On the Completing the Certificate Export Wizard screen, click Next.
On the Certificate Export Wizard message box, click OK.
Sign the Application
Open Windows Explorer to the location where the pfx file was saved.
Note: The pfx file should be moved to a computer with VS 2012 installed.
Open the Visual Studio 2012 project to be signed, double-click package.appxmanifest, and click Choose Certificate…
On the Choose Certificate screen, click Configure Certificate > Select from File…
On the Select File screen, navigate to and select the exported PFX file and click Open.
On the Enter Password screen, enter the password and click OK.
On the Choose Certificate screen, click OK.
Package the signed APPX
We have created the .pfx file needed to sign the application, so now we can package our signed application.
Open the Visual Studio 2012 project to be packaged. Inside the project, right-click the project and click Rebuild.
Inside Solution Explorer, right-click the solution to be packaged > Store > Create App Package.
On the Create Your Package screen, select No and click Next.
On the Select and Configure Packages screen, specify the path where the package is to be placed and click Create.
On the Package Creation Completed screen, click OK.
Note: You may click on the link provided to navigate to the location where the package was placed.
Configure Group Policy
In order to deploy a Windows 8 application using side loading, the computer receiving the package must either have a developer license (used for testing purposes only) or appropriate local/group policy settings to ensure that applications which are trusted can be installed.
Open Group Policy Management, right-click where you want to link the new Group Policy, and click Create a GPO in this domain, and Link it here…
Note: The Windows 8 systems must be located within the location where the new GPO is being linked.
On the new GPO screen, name the GPO appropriately and click OK.
In the GPMC, right-click the new policy and click Edit…
In the Group Policy Management Editor, expand Computer Configuration > Policies > Administrative Templates > Windows Components > App Package Deployment.
Right-click Allow all trusted apps to install > Edit.
On the Allow all trusted apps to install screen, select Enabled and click OK.
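As an added example (not part of the original document), the following PowerShell script is run on a Windows 8 client after the GPO has applied; it checks the three things that most often break a side-load before calling Add-AppxPackage: the policy value the GPO writes, the package signature chaining to the internal CA, and the manifest Publisher matching the signing certificate subject as required in the Request the Certificate section. The package path C:\Deploy\ContosoApp.appx and the function names Get-AppxPublisher and Test-AppxDeployment are assumptions; the registry value is the one the "Allow all trusted apps to install" policy sets.

```powershell
# Added example (not from the original document). Pre-flight check for side-loading
# a signed .appx on a domain-joined Windows 8 client, then install it.
Add-Type -AssemblyName System.IO.Compression.FileSystem   # .NET 4.5 ZipFile support

function Get-AppxPublisher {
    param([Parameter(Mandatory)][string]$Path)
    # An .appx is a zip; the Identity element of AppxManifest.xml carries the Publisher string.
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        $reader = New-Object System.IO.StreamReader($zip.GetEntry('AppxManifest.xml').Open())
        try { ([xml]$reader.ReadToEnd()).Package.Identity.Publisher } finally { $reader.Dispose() }
    } finally { $zip.Dispose() }
}

function Test-AppxDeployment {
    param([Parameter(Mandatory)][string]$PackagePath)
    $problems = @()

    # 1. Side-loading policy: the GPO sets AllowAllTrustedApps = 1 under the Appx policy key.
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx' -ErrorAction SilentlyContinue
    if (-not $policy -or $policy.AllowAllTrustedApps -ne 1) {
        $problems += 'Allow all trusted apps to install is not enabled on this computer'
    }

    # 2. The package signature must verify, which also requires the internal CA to be trusted here.
    $sig = Get-AuthenticodeSignature -FilePath $PackagePath
    if ($sig.Status -ne 'Valid') { $problems += "Package signature status is $($sig.Status)" }

    # 3. Manifest Publisher must equal the signer subject; a mismatch is refused at install time.
    # (Simple string comparison; for multi-part subjects compare the DNs component by component.)
    $publisher = Get-AppxPublisher -Path $PackagePath
    if ($sig.SignerCertificate -and $sig.SignerCertificate.Subject -ne $publisher) {
        $problems += "Manifest Publisher '$publisher' does not match signer '$($sig.SignerCertificate.Subject)'"
    }

    [pscustomobject]@{ Package = $PackagePath; Publisher = $publisher
                       Ready = ($problems.Count -eq 0); Problems = $problems }
}

$packagePath = 'C:\Deploy\ContosoApp.appx'   # assumed location of the package created in Visual Studio
$result = Test-AppxDeployment -PackagePath $packagePath
$result | Format-List
# Install only when every check passed; Add-AppxPackage is the side-loading path the policy unlocks.
if ($result.Ready) { Add-AppxPackage -Path $packagePath }
```

If the signature status reports an untrusted root, the internal CA certificate has not reached the client's Trusted Root store, which is a separate Group Policy or auto-enrollment concern from the side-loading setting above.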