Windows 8 Metro App deployment – Create Cert (pfx)

Creating the cert for Windows 8 Apps

The following howto was taken from the following website:

https://bytescout.com/support/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=296

Changes must be made to the makecert args, otherwise the Metro app won’t accept the pfx file!

INFO: http://msdn.microsoft.com/en-us/library/windows/desktop/aa386968(v=vs.85).aspx

.PFX file (Personal Information Exchange format) is the file containing both a public (.cer file) and a private (.pvk file) keys. You can use this file to sign your files and PDF documents (using Bytescout PDF SDK for .NET)

To generate .PFX certificate file please follow the tutorial:

1) Explore into C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bin \ folder

2) type “cmd” to run command console (run as admin!)

3) type the following to generate new key and press Enter:

C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bin>makecert.exe -eku 1.3.6.1.5.5.7.3.3 -ss My -cy end -n “CN=MY_DOMAIN” -r -a sha1 -sv MY_DOMAIN.pvk MY_DOMAIN.cer

createkey1

Createkey2

4) “Create Private Key Password” dialog will appear. Enter your password for the key. NOTE: Write down the password and keep it in a safe place. Click OK to close this dialog. The “MyKey.pvk” file will be generated and saved into the same folder.

5) Now “Enter Private Key Password” dialog will appear. You should type the same password you’ve entered on step (4)
This will generate “MyKey.cer” file

Create the pfx file

7) Copy files: MyKey.pvk and MyKey.cer into C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bin \ folder (if not already there…)

8) Type “cmd” to run command line console (in the C:\Program Files\Microsoft Visual Studio 8\Common7\Tools\Bin\ folder) (run as Admin!)

9) Now merge MyKey.cer and MyKey.pvk into one single .pfx file (MyPFX.pfx file)

10) Type (in the command line): pvk2pfx.exe -pvk MyKey.pvk -spc MyKey.cer -pfx MyPFX.pfx

createkey4

11) The “Enter Private Key Password” dialog will appear. Enter your password for the private key as you’ve entered on (4)

12) “MyPFX.pfx” file will be generated in the C:\Program Files\Microsoft Visual Studio 8\Common7\Tools\Bin\ folder

NOTE: you can specify the password in the command line by using -po command line switch,
for example: pvk2pfx.exe -pvk MyKey.pvk -spc MyKey.cer -pfx MyPFX.pfx -po MyPasswordToSignPDF

Where “MyPasswordToSignPDF” is the password (different from the password for the .pvk on step (4). This password (MyPasswordToSignPDF) will be used as a last parameter for Document.AddSignature() method in Bytescout PDF SDK

For example:

If you have used the command line:Â pvk2pfx.exe -pvk MyKey.pvk -spc MyKey.cer -pfx MyPFX.pfx -po MyPasswordToSignPDF

Then you should use the following code in your application: Document.AddSignature(“MyPFX.pfx”, “John Doe”, “Approved”, false, “MyPasswordToSignPDF”);

Troubleshooting:

deploymentProblemInvalidCert

http://go.microsoft.com/fwlink/?LinkID=241478

Three changes:
1.The certificate lacks the Code Signing OID (1.3.6.1.5.5.7.3.3) in the Enhanced Key Usage extension. Add it using the -eku 1.3.6.1.5.5.7.3.3 argument to makecert.
2.Place the certificate into the My certificate store rather than the root certificate store by replacing -ss root with -ss My.
3.Ensure the certificate is an end entity in the Basic Constraints extension using the -cy end argument to makecert.

See MSDN Signing an app package (Windows Store apps) for more information on signing Windows Store apps and MakeCert for more information on makecert arguments.

http://stackoverflow.com/questions/12552442/create-a-temporary-certificate-manually

THE CERT MUST BE CREATED USING THE CORRECT PARAMETERS…

troubleshooting3

C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bin>makecert.exe -eku 1.3.6.1.5.5.7.3.3 -ss My -cy end -n “CN=MY_DOMAIN” -r -a sha1 -sv MY_DOMAIN.pvk MY_DOMAIN.cer

More info:

http://blogs.technet.com/b/deploymentguys/archive/2013/06/14/signing-windows-8-applications-using-an-internal-pki.aspx

http://msdn.microsoft.com/en-us/library/windows/apps/br230260.aspx

2 comments

  1. Ricardo Schiller · · Reply

    This is an interesting post, and I would be thankful if more info was provided . We’re trying to use a self signed certificate p12 on a Windows store app – the certificate is required for an https communication -, but with no success. Have you any idea if this is actually possible in Windows 8 store apps? Sincerely, Ricardo

    1. Hi Ricardo, this link should help http://answers.flyppdevportal.com/categories/metro/csharpvb.aspx?ID=02b7e6e3-b693-4d6d-8b84-cdf5188215e2
      Greetings Damien

      Also the self signed certificate must be trusted on the client machine

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: