Choosing a certificate for a Windows Store application via the package.appxmanifest

Question

So that an WinRT application can be internally distributed via Intune I need to attach a certificate as per http://msdn.microsoft.com/en-us/library/windows/apps/br230260(v=vs.110).aspx

I go to the package.appxmanifest screen, click choose certificate - > configure certificate - > select from file. I double click on the relevant certificate, and type the password. I then get the error message "The Manifest Designer could not import the certificate. The certificate you selected is not valid for signing because it is either expired or has another issue. For more information see http:/go.microsoft.com/fwlink/?linkId = 241478", which is the same page I linked to earlier.

Alternately, I import the certificate to my local store, the on the package.appxmanifest click choose certificate - > configure certificate - > pick from certificate store. I then get the error message "No certificate available. No certificates meet the application criteria. Click OK to continue".

How can I resolve this?

Answer 1

It turns out that it's really fussy about certificate Usages as specified in Enhanced Key Usage, as per the link I posted earlier.

During packaging, Visual Studio validates the specified certificate in the following ways:

• Verifies the presence of the Basic Constraints extension and its value, which must be either Subject Type=End Entity or unspecified.
• Verifies the value of the Enhanced Key Usage property, which must contain Code Signing and may also contain Lifetime Signing. Any other EKUs are prohibited.
• Verifies the value of the KeyUsage (KU) property, which must be either Unset or DigitalSignature.
• Verifies the existence of a private key exists.
• Verifies whether the certificate is active, hasn’t expired, and hasn't been revoked.

I had mistakenly though that by going to Certificate Properties - Certificate Purposes - Enable only the following properties and unchecking properties that were invalid for this purpose (i.e. everything but Code Signing) I could use a certificate that we already had. That doesn't work.

I resolved my problem by acquiring a certificate that did only have Code Signing as an Enhanced Key Usage.