Manage the certificates that Visual Studio uses to sign your app

Content applies only to Windows

Visual Studio signs your app when you create the app package. You can manage the certificate that Visual Studio uses to sign your app in the following ways.

Note

If an error that's similar to "The certificate specified is invalid because it is expired or has another issue" appears during the signing process, use the Manifest Designer to create a test certificate that replaces the old one.

By default, all app packages that Visual Studio generates are signed with a test certificate. When you create a package, Visual Studio generates a folder that includes the signed package itself. The certificate (.cer) file that’s included in that folder contains the public key that’s used to sign the package.

The certificate creation process also adds a property to the project file:

<PackageCertificateKeyFile>
   RisingStar_TemporaryKey.pfx
</PackageCertificateKeyFile>

The value of the PackageCertificateKeyFile is the relative path or full path of the source certificate itself.

In the test certificate that Visual Studio generates, the certificate’s Subject field is set to the Publisher attribute of the Identity element of the source manifest (.appxmanifest) file.

  • If you create a local package, the default value of the Publisher attribute is your user name.

  • If you either create a package or associate your app with it, the Publisher attribute is set to the Publisher ID that’s obtained from your developer account when you sign in during package creation.

The value of the Basic Constraints extension is set to Subject Type=End Entity.

Note

The basic constraints extension identifies whether the subject of the certificate is a certificate authority (CA). This extension also defines the maximum depth of valid certification paths that include this certificate. The Basic Constraints property specifies whether the certified public key can verify certificate signatures.

The value of the Enhanced Key Usage (EKU) extension is set to Code Signing.

Visual Studio automatically creates a certificate when the project is created, but you can also create your own certificate or use an existing certificate to sign a package.

To create or use an alternate certificate

  1. In Solution Explorer, open the shortcut menu for the .appxmanifest file, choose Open With, and then choose App Manifest Designer.

  2. In the App Manifest Designer, choose the Packaging tab, and then choose the Choose Certificate button.

  3. In the Choose Certificate dialog box, expand the Configure Certificate list, and then choose one of the following options:

    Pick from certificate store

    Pick one of your Personal certificates from the certificate store in the operating system.

    Select from file

    Pick an existing certificate file from the file system.

    Create test certificate

    Create a certificate with a Publisher ID of your choice. You can also create a password.

Whichever option you choose, a certificate file is added to the project and the PackageCertificateThumbprint and PackageCertificateKeyFile project properties are updated accordingly.

The default certificate that Visual Studio generates expires one year after the date on which the certificate was created. Before the certificate expires, you must use the App Manifest Designer to either regenerate the certificate or, as the previous procedure describes, provide a different, valid certificate.

To renew the certificate

  1. In Solution Explorer, open the shortcut menu for the .appxmanifest file, choose Open With, and then choose App Manifest Designer.

  2. In the App Manifest Designer, choose the Packaging tab, and then choose the Choose Certificate button.

  3. In the Choose Certificate dialog box, expand the Configure Certificate list, and then choose Create test certificate.

  4. In the Create test certificate dialog box, click the OK button.

    Visual Studio regenerates the certificate with a new expiration date.

You might want to delete or export a certificate that has expired or that has been compromised, corrupted, or replaced by another certificate. For information about how to delete or export a certificate, see How to use the Certificates Console.

During packaging, Visual Studio validates the certificate by performing a number of validation checks.

In certain scenarios, you might need to control more closely which certificate is used and, therefore, which validation checks Visual Studio runs against the certificate. You can do this by setting the MSBuild property EnableSigningChecks to False.

If you set the property to False, Visual Studio performs only the following validation checks:

  • Verifies whether a private key exists.

  • Verifies whether the value of the Enhanced Key Usage property contains Code Signing.

  • Verifies whether the certificate is active, hasn’t expired, and hasn't been revoked.

If you set the property to True (default), Visual Studio runs the following additional checks.

  • Verifies the presence of the Basic Constraints extension and its value, which must be either Subject Type=End Entity or unspecified.

  • Verifies the value of the KeyUsage (KU) property, which must be either Unset or DigitalSignature.
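The checks listed above can be reproduced against a certificate before packaging. The following PowerShell is an added example, not Visual Studio's own validation code: the function name Test-PackageSigningCertificate is hypothetical, the sample certificate is constructed in memory, and treating "unspecified" and "Unset" as "extension absent" is an assumption. It needs .NET Framework 4.7.2 or later (or PowerShell 7) for CertificateRequest, and it does not evaluate revocation.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Hypothetical helper (not part of Visual Studio or MSBuild).
function Test-PackageSigningCertificate {
    param([Parameter(Mandatory)][X509Certificate2]$Certificate)

    $codeSigning = '1.3.6.1.5.5.7.3.3'   # OID of the Code Signing EKU
    $now = Get-Date
    $ext = $Certificate.Extensions
    $eku = $ext | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
    $bc  = $ext | Where-Object { $_ -is [X509BasicConstraintsExtension] }
    $ku  = $ext | Where-Object { $_ -is [X509KeyUsageExtension] }

    $hasEku  = [bool]($eku -and (@($eku.EnhancedKeyUsages | ForEach-Object Value) -contains $codeSigning))
    # Assumption: "unspecified" / "Unset" on the page means the extension is absent.
    $bcValue = if (-not $bc) { 'Unspecified' } elseif ($bc.CertificateAuthority) { 'CA' } else { 'End Entity' }
    $kuValue = if (-not $ku) { 'Unset' } else { $ku.KeyUsages.ToString() }

    # Revocation is not evaluated: it needs chain building and network access.
    $results = [ordered]@{
        # Checks that remain when EnableSigningChecks is False
        'Private key exists'           = $Certificate.HasPrivateKey
        'EKU contains Code Signing'    = $hasEku
        'Active and not expired'       = (($Certificate.NotBefore -le $now) -and ($now -le $Certificate.NotAfter))
        # Additional checks when EnableSigningChecks is True (default)
        "Basic Constraints ($bcValue)" = ($bcValue -ne 'CA')
        "Key Usage ($kuValue)"         = ($kuValue -in 'Unset', 'DigitalSignature')
    }
    foreach ($name in $results.Keys) {
        [pscustomobject]@{ Check = $name; Passed = $results[$name] }
    }
}

# Constructed sample: self-signed certificate built in memory, never written to a store.
$rsa  = [RSA]::Create(2048)
$req  = [CertificateRequest]::new('CN=Constructed Test Publisher', $rsa,
            [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$oids = [OidCollection]::new()
[void]$oids.Add([Oid]::new('1.3.6.1.5.5.7.3.3'))
$req.CertificateExtensions.Add([X509EnhancedKeyUsageExtension]::new($oids, $false))
$req.CertificateExtensions.Add([X509BasicConstraintsExtension]::new($false, $false, 0, $true))
$req.CertificateExtensions.Add([X509KeyUsageExtension]::new([X509KeyUsageFlags]::DigitalSignature, $true))
$sample = $req.CreateSelfSigned([DateTimeOffset]::Now.AddDays(-1), [DateTimeOffset]::Now.AddYears(1))

Test-PackageSigningCertificate -Certificate $sample | Format-Table -AutoSize
```

To test a real signing certificate, pass an X509Certificate2 loaded from the certificate store or from the .pfx file named in PackageCertificateKeyFile instead of the constructed sample.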

If any files in an installed package are modified, signing verification might prevent the app from launching. To modify a package, make the changes in the original source files, and then redeploy the modified package.

© 2014 Microsoft. All rights reserved.