
Page 1: Introduction - Microsoft… · Web view Notice the APPX Code Signing Template is now listed on the CA under Certificate Templates Request the Certificate The certificate template

Signing Windows 8 apps using an Internal PKI

Contents

Introduction

Get the Certificate

    Create the Template

    Request the Certificate

    Export to PFX

Sign the Application

Package the signed APPX

Configure Group Policy

Introduction

The development cycles have been completed and now you are ready to deploy the much anticipated application you have developed to your clients. You will quickly realize that the deployment of your newly created application cannot happen until the appx package has been signed. All methods of deployment (Windows Store, PowerShell or Configuration Manager) require the application to be signed using a certificate issued by a trusted source before you can deploy it.

If your application was developed with the intention of staying within the corporate landscape, then you may use a certificate issued by an internally hosted trusted CA. A lot of documentation is available about the requirements of the certificate issued, but a how-to was non-existent when we were ready for deployment. This document will walk through the steps required to install an internally developed application to production systems.

Figure 1 - Workflow for Signing Apps with internal CA

The screen captures in this document were taken on a Windows Server 2012 Domain Controller, a Windows Server 2012 Certificate Authority, Visual Studio 2012 and Windows 8 Enterprise. The procedure for Windows Server 2008 R2 varies slightly, but the same certificate requirements can still be met.

Get the Certificate

As documented on MSDN, Visual Studio validates the certificate used to sign the app in the following ways:

Verifies the presence of the Basic Constraints extension and its value, which must be either Subject Type=End Entity or unspecified.

Verifies the value of the Enhanced Key Usage property, which must contain Code Signing and may also contain Lifetime Signing. Any other EKUs are prohibited.

Verifies the value of the Key Usage (KU) property, which must be either unset or DigitalSignature.

Verifies that a private key exists.

Verifies that the certificate is active (within its validity period), hasn’t expired, and hasn't been revoked.
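The checks above can be run against a candidate certificate before it is ever exported, so that a template mistake is caught on the CA side rather than as a Visual Studio error. The following PowerShell function is an added example and is not part of the original document; the function name and its parameters are assumptions, the OIDs are the standard values for Code Signing (1.3.6.1.5.5.7.3.3) and Microsoft Lifetime Signing (1.3.6.1.4.1.311.10.3.13), and the certificate is looked up in the current user's Personal store, which is where the enrollment described later places it.

```powershell
# Added example (not from the original document): validate a certificate in the
# current user's Personal store against the Visual Studio signing requirements.
function Test-AppxSigningCertificate {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,          # assumed parameter: thumbprint of the enrolled cert
        [string]$StorePath = 'Cert:\CurrentUser\My'
    )
    $codeSigningOid     = '1.3.6.1.5.5.7.3.3'              # id-kp-codeSigning
    $lifetimeSigningOid = '1.3.6.1.4.1.311.10.3.13'        # Microsoft Lifetime Signing

    $cert = Get-ChildItem -Path $StorePath | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "Certificate $Thumbprint not found in $StorePath" }

    $problems = @()

    # 1. Basic Constraints: absent, or present with Subject Type = End Entity (not a CA)
    $bc = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    if ($bc -and $bc.CertificateAuthority) { $problems += 'Basic Constraints marks this certificate as a CA' }

    # 2. Enhanced Key Usage: Code Signing required, Lifetime Signing optional, nothing else allowed
    $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids = @()
    if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    if ($ekuOids -notcontains $codeSigningOid) { $problems += 'EKU does not contain Code Signing' }
    $extra = $ekuOids | Where-Object { $_ -ne $codeSigningOid -and $_ -ne $lifetimeSigningOid }
    if ($extra) { $problems += "EKU contains prohibited purposes: $($extra -join ', ')" }

    # 3. Key Usage: unset, or exactly DigitalSignature
    $ku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    if ($ku -and $ku.KeyUsages -ne [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature) {
        $problems += "Key Usage is '$($ku.KeyUsages)'; it must be unset or DigitalSignature"
    }

    # 4. Private key present, 5. within validity period
    if (-not $cert.HasPrivateKey) { $problems += 'No private key is associated with the certificate' }
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) { $problems += 'Certificate is outside its validity period' }

    # 6. Chain builds to a trusted root and is not revoked (online CRL/OCSP check)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid $codeSigningOid)) | Out-Null
    if (-not $chain.Build($cert)) {
        $problems += 'Chain build failed: ' + (($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; ')
    }

    [pscustomobject]@{
        Subject  = $cert.Subject
        IsValid  = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Usage (the thumbprint is a placeholder for the certificate you enrolled):
# Test-AppxSigningCertificate -Thumbprint '<thumbprint of the enrolled certificate>'
```

Run it on the machine that performed the enrollment, since `HasPrivateKey` is only true where the key lives; a failed chain build with a revocation status in `Problems` usually means the CA's CRL distribution point is not reachable from that machine, which will also break signature validation on the Windows 8 clients.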

Create the Template

The built-in Windows 2008 R2 or Windows 2012 templates will not allow the creation of a certificate which meets all of these requirements. A new template must be created which allows the issuance of a properly configured certificate.

Load an MMC and add the Certificate Authority and Certificate Templates snap-ins.

Select Certificate Templates > right click on Code Signing > Duplicate Template.

On the Compatibility tab, change Certificate Authority to Windows Server 2008 R2 or higher, and change Certificate Recipient to Windows 7/Server 2008 R2 or higher.

Note: These two changes allow the Basic Constraints extension to be enabled.

On the Request Handling tab, check the box to allow the private key to be exported.

On the General tab, provide a useful name for this new template.

On the Extensions tab, click on the Application Policies extension and verify that Code Signing is present.

Note: For additional security, you can also add Lifetime Signing to this template, to ensure that signatures made with the certificate are no longer valid after it expires.

On the Extensions tab, click on Basic Constraints, click Edit and check the box to Enable this extension.

Note: If this checkbox is grayed out, make sure the certificate template is set properly on the Compatibility tab.

On the Subject Name tab, select the Supply in the request radio button and click OK on the warning.

On the Security tab, add a user or group to allow them to enroll the certificate. They must have the Read and Enroll permissions.


In the MMC, expand Certificate Authority > {CAName} > Right Click Certificate Templates > New > Certificate Template to Issue

Select the Template Name just created > Click OK

Notice the APPX Code Signing Template is now listed on the CA under Certificate Templates

Request the Certificate

The certificate template has been created and now must be requested to generate a .cer file that will be placed in the local store on the computer the request is made from. It doesn’t matter which system makes the request because the .cer is immediately used to generate the .pfx file needed to sign the application.

Open an MMC and add the certificates snap-in and select My User account radio button.

In the MMC > Expand Certificates – Current user > Personal > Right Click on Certificates > All Tasks > Request New Certificate

Note: The computer store can be used as well, but the computer account would need permission to enroll the certificate. In this example, we only added permissions for the application developers group.

Click Next on the Before You Begin screen.

On the Select Certificate Enrollment Policy screen, ensure Active Directory Enrollment Policy is selected and click Next.

On the Request Certificates screen, click on the link below the APPX Code Signing template to configure additional settings.

Note: The Enroll button cannot be selected until the missing settings are configured.

On the Certificate Properties screen, under Subject Name, the Type should be Common Name and the Value must be the same as the Publisher value in the Visual Studio 2012 package.appxmanifest. Click Add.

Note: The CN= is added automatically and is not required when typing the Publisher Name. In this example just ContosoAppDev was entered in the Value textbox.

On the Request Certificates screen, ensure APPX Code Signing is selected and click Enroll.

On the Certificate Installation Results screen, check the status and click Finish.

In the Certificates – Current User MMC, the new certificate will be listed.

Export to PFX

Visual Studio requires the .pfx format to sign the application. In the previous step, we generated a .cer file which is located in the user store. We need to convert that .cer to a .pfx in preparation for signing.

In the Certificates – Current User MMC, right click the new certificate > All Tasks > Export.

On the Welcome screen, click Next.

On the Export Private Key screen, select ‘Yes, export the private key’ and click Next.

On the Export File Format screen, ensure Personal Information Exchange is selected, ensure Include all certificates in the certification path if possible is checked, check Export all extended properties and click Next.

On the Security screen, select the Password checkbox and enter a password (this will be needed during import into Visual Studio 2012). Click Next.

On the File to Export screen, provide a path and filename and click Next.

On the Completing the Certificate Export Wizard screen, click Next.

On the Certificate Export Wizard message box, click OK.
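The two wizard sequences above (Request the Certificate and Export to PFX) can also be scripted with the PKI module that ships with Windows 8 and Windows Server 2012, which is useful when the same enrollment has to be repeated or audited. The script below is an added example and is not part of the original document: the template name `APPXCodeSigning` is an assumption (the `-Template` parameter takes the template's name, which is usually the display name with spaces removed), the publisher and output path are placeholders, and the export uses the same options the wizard steps select (private key, full chain, extended properties, password protection).

```powershell
# Added example (not from the original document): enroll from the custom template and
# export the result to a password-protected .pfx, mirroring the MMC wizard steps.
param(
    [string]$TemplateName = 'APPXCodeSigning',                      # assumed template name; check on your CA
    [string]$Publisher    = 'ContosoAppDev',                        # must equal the Publisher in package.appxmanifest, minus 'CN='
    [string]$PfxPath      = "$env:USERPROFILE\Desktop\AppxSigning.pfx"   # placeholder output path
)

# 1. Request the certificate through the Active Directory enrollment policy.
#    The subject is supplied in the request, matching the template's Subject Name setting.
$result = Get-Certificate -Template $TemplateName `
                          -SubjectName "CN=$Publisher" `
                          -CertStoreLocation 'Cert:\CurrentUser\My'
if ($result.Status -ne 'Issued') {
    throw "Enrollment did not complete: status is '$($result.Status)'"
}
$cert = $result.Certificate
Write-Host "Issued $($cert.Subject) with thumbprint $($cert.Thumbprint)"

# 2. Export with the private key, the certification path and extended properties.
#    The password is read interactively so it is never stored in the script.
$password = Read-Host -Prompt 'Password to protect the PFX' -AsSecureString
Export-PfxCertificate -Cert $cert `
                      -FilePath $PfxPath `
                      -Password $password `
                      -ChainOption BuildChain | Out-Null
Write-Host "Exported to $PfxPath"
```

`Get-Certificate` returns `Pending` rather than `Issued` when the template requires CA manager approval; in that case the script stops before exporting, and the request can be completed later with `Get-Certificate -Request`. Keep the resulting .pfx under the same controls as any other signing key, because it is sufficient on its own to sign packages as this publisher.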

Sign the Application

Open Windows Explorer to the location where the pfx file was saved.

Note: The pfx file should be moved to a computer with VS 2012 installed. Because anyone holding the file and its password can sign packages as this publisher, copy it over a protected channel and remove it from any machine that no longer needs it.

Open the Visual Studio 2012 project to be signed, double click package.appxmanifest and click Choose Certificate…

On the Choose Certificate screen, click Configure Certificate > Select from File…

On the Select File screen, navigate to and select the exported PFX file and click Open.

On the Enter Password screen, enter the password and click OK.

On the Choose Certificate screen, click OK.

Package the signed APPX

We created the .pfx file needed to sign the application in the previous step, so now we can build and package the signed application.

Open the Visual Studio 2012 project to be packaged. Inside the project, right click the Project and click Rebuild.

Inside Solution Explorer, right click the solution to be packaged > Store > Create App Package.

On the Create Your Package screen, select No and click Next.

On the Select and Configure Packages screen, specify the path where the package is to be placed and click Create.

On the Package Creation Completed screen, click OK.

Note: You may click on the link provided to navigate to the location where the package was placed.

Configure Group Policy

In order to deploy a Windows 8 application using sideloading, the computer receiving the package must either have a developer license (used for testing purposes only) or the appropriate local/group policy settings to ensure that trusted applications can be installed.

Open Group Policy Management, right click where you want to link the new Group Policy and click Create a GPO in this domain, and Link it here…

Note: The Windows 8 systems must be located within the location where the new GPO is being linked.

On the New GPO screen, name the GPO appropriately and click OK.

In the GPMC, right click the new policy and click Edit…

In the Group Policy Management Editor, expand Computer Configuration > Policies > Administrative Templates > Windows Components > App Package Deployment.

Right click Allow all trusted apps to install > Edit.

On the Allow all trusted apps to install screen, select Enabled and click OK.
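Before the package goes out, the two conditions this document establishes can be verified on a Windows 8 client in one pass: the package is signed by a certificate the client trusts whose subject equals the manifest Publisher (Package the signed APPX), and the "Allow all trusted apps to install" policy has applied (Configure Group Policy). The function below is an added example and is not part of the original document. It assumes the package path you pass in, reads the manifest directly from the .appx (which is a ZIP container), and reads the policy from the `AllowAllTrustedApps` value under `HKLM\SOFTWARE\Policies\Microsoft\Windows\Appx`, the registry location that setting writes to once the GPO has applied.

```powershell
# Added example (not from the original document): pre-deployment check on a Windows 8
# client for a sideloaded .appx signed with the internal PKI certificate.
function Test-AppxDeploymentReadiness {
    param(
        [Parameter(Mandatory)][string]$PackagePath      # assumed parameter: path to the built .appx
    )

    # --- Package side: read the Publisher from AppxManifest.xml inside the ZIP ---
    Add-Type -AssemblyName System.IO.Compression.FileSystem
    $zip = [System.IO.Compression.ZipFile]::OpenRead($PackagePath)
    try {
        $entry = $zip.GetEntry('AppxManifest.xml')
        if (-not $entry) { throw "AppxManifest.xml not found in $PackagePath" }
        $reader = New-Object System.IO.StreamReader($entry.Open())
        try { [xml]$manifest = $reader.ReadToEnd() } finally { $reader.Dispose() }
    } finally {
        $zip.Dispose()
    }
    $publisher = $manifest.Package.Identity.Publisher          # e.g. CN=ContosoAppDev

    # Authenticode status is 'Valid' only when the signature is intact and the
    # signer chains to a root this machine trusts (i.e. the internal CA is trusted here).
    $sig = Get-AuthenticodeSignature -FilePath $PackagePath
    $signerSubject  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    $signatureValid = ($sig.Status -eq 'Valid')
    $publisherMatch = ($null -ne $signerSubject -and $signerSubject -eq $publisher)

    # --- Client side: "Allow all trusted apps to install" must be Enabled (DWORD 1) ---
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx'
    $policy = Get-ItemProperty -Path $policyKey -Name AllowAllTrustedApps -ErrorAction SilentlyContinue
    $policyEnabled = ($null -ne $policy -and $policy.AllowAllTrustedApps -eq 1)

    [pscustomobject]@{
        Package           = Split-Path -Path $PackagePath -Leaf
        SignatureStatus   = $sig.Status
        SignerSubject     = $signerSubject
        ManifestPublisher = $publisher
        PublisherMatches  = $publisherMatch
        SideloadPolicyOn  = $policyEnabled
        ReadyToSideload   = ($signatureValid -and $publisherMatch -and $policyEnabled)
    }
}

# Usage (the path is a placeholder for your built package):
# Test-AppxDeploymentReadiness -PackagePath 'C:\Packages\ContosoApp_1.0.0.0_AnyCPU.appx'
```

The subject comparison is a plain string comparison, which is exact for a single-RDN subject such as `CN=ContosoAppDev`; if the template supplied a compound subject, compare the distinguished names after normalising RDN order instead. A `SignatureStatus` of `UnknownError` with `PublisherMatches` true typically means the client does not yet trust the issuing CA's root, which is a certificate-distribution problem rather than a packaging one.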