Create a Self-Signed Certificate for Code Signing
By Martin on Regards: Infrastructure;Self-Signed Certificate for uwp app code signing
In my case I needed the self-signed certificate for code signing a uwp app in my azure build pipeline. My uwp app is registered in the Microsoft store, and in this case Microsoft generates a package identity for the app and a unique publisher guid.
As the uwp package gets signed with a certificate, the certificate contains the publishers guid in the subject property. This way the app can be associated with the Microsoft store.
To create a self-signed certificate the PowerShell command
New-SelfSignedCertificate
can be used.
The full commands to create the certificate:
$currentdate = Get-Date
$afteryears=$currentdate.AddYears(5)
-Type Custom -Subject "CN=8F2F0FD9-...." -KeyUsage DigitalSignature
New-SelfSignedCertificate -FriendlyName "resize_codesign_cert" -CertStoreLocation "Cert:\CurrentUser\My" -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.3", "2.5.29.19={text}") -notafter $afteryears
$afteryears
, sets the year when the certificate expiresType
, sets the CertificateType (Custom)Subject
, should contain the publisher used by the microsoft storeCN={publisherguid}
KeyUsage
, specifies the key usages set in the key usage extension of the certificateFriendlyName
, a name to easily identify the usage of the certificateCertStoreLocation
, the location, where the certificate should be stored, in this case the windows users certificate storeTextExtension
, in short tell the certificate that we use it as code signing certificate$notafter
, sets the expiration date. If not set, the issued certificate will expire after one year
After the certificate is created it shows something like:
: Microsoft.PowerShell.Security\Certificate::CurrentUser\My
PSParentPath
Thumbprint Subject---------- -------
... CN=8F2F0FD9-2706-45A2-AB07-... C893A4D2EE53D3
Tip: You can view the created certificate from the certificate store
with windowskey+R
enter mmc
, File
-> Add/Remove Snap-in...
choose
Certificates
. A dialog prompt where you need to select
My user account
. Navigate in the left tree view to
Certificates - Current User\Personal\Certificates
. Double
click one of the stored certificates to view its properties like
Thumbprint, Subject, Expire date and so on.
Now we want to export the created certificate by PowerShell. Notice:
A certificate with the extension .pfx
contains the private
and the public key!
To export the file we need to do the following:
$password = ConvertTo-SecureString -String <Your Password> -Force -AsPlainText
-cert "Cert:\CurrentUser\My\<Certificate Thumbprint in this case C893A4D2EE53D3...>" -FilePath <FilePath>.pfx -Password $password Export-PfxCertificate
That’s it, the next step would be to integrate the certificate into the build pipeline.
Useful links:
- https://docs.microsoft.com/en-us/windows/msix/package/create-certificate-package-signing
- http://woshub.com/how-to-create-self-signed-certificate-with-powershell/