Developers creating MSIX packages with the Windows Application Project (WAP) need to provide a code-signing certificate with an additional field not required when creating packages through other means.  Specifically, it needs the BasicConstraints field in the certificate.

This field should already be there if you purchase a code signing certificate from a Certificate Authority.  But in this case, I was working on behalf of a customer, and they shouldn’t be giving me their production code-signing certificate.  Instead, I usually create a self-signed certificate with the same “subject” field as their production cert.  Then I can create the package and test using this test cert, and they only need to re-sign the package with their production cert when I’m done.

But when I tried to import a test cert, made the same way I'd always created them for other tooling, into the WAP AppxManifest file in Visual Studio, it wouldn't import the cert into the project.  Specifically, the error looked like this:

[Screenshot of the error message]

Looking at the Microsoft Documentation, it mentions the need for the “BasicConstraints” field to be in the cert but simply states

"The value of the Basic Constraints extension is set to Subject Type=End Entity"

with no information on how to make that happen other than asking Visual Studio to make a test cert for you.  But then you can’t control the subject field as it only makes the subject field by slapping CN= in front of the Company Name (which won’t match any cert from a public Certificate Authority).

As I have a script to create the test cert using the PowerShell New-SelfSignedCertificate cmdlet, you’d think you might find something in documentation or forums there.  But all I found were uses for adding BasicConstraints for purposes other than a code signing cert, which did not help.  Eventually, I found “Introduction to Certificate Extensions | Basic Constraints”, which provided me with the correct syntax for my purpose.

Below is a PowerShell script I use to generate an acceptable code signing certificate.  It will prompt you for the necessary information, create the cert, and export the pfx file for you with a password.  You must run it in an elevated PowerShell window.

$executingScriptDirectory = Split-Path -Path $MyInvocation.MyCommand.Definition -Parent

Write-Host -ForegroundColor Cyan 'Input information for your certificate below:'
$Company_Entered = Read-Host -Prompt "Enter your company name (Default='Company')"
$CN = Read-Host -Prompt "Enter Subject aka CN=... (Default=leave blank to create from company name)"
$Password_Entered = Read-Host -Prompt "Enter a password (Default='3.14159')"
if ($Company_Entered.Length -lt 3) {
    $Company_Entered = 'Company'
    Write-Host "Company name defaulted to '$($Company_Entered)'"
}
# Default subject is built from the company name, as the prompt describes; an entered subject overrides it
$Publisher_CN = "CN=$($Company_Entered)"
if ($CN.Length -gt 0) {
    $Publisher_CN = $CN
}
Write-Host "Subject is $($Publisher_CN)"
if ($Password_Entered.Length -lt 3) {
    $Password_Entered = '3.14159'
    Write-Host "Password defaulted to '$($Password_Entered)'"
}

Write-Host -ForegroundColor Cyan 'Processing...'
$Publisher_DisplayName = "$($Company_Entered)"
$FolderToExportCert = "$($executingScriptDirectory)"
# $CertName was not defined in the listing; the company name is assumed here for the file name
$CertName = $Company_Entered
$securePassword = ConvertTo-SecureString -String $Password_Entered -Force -AsPlainText
$pfxName = "$($FolderToExportCert)\$($CertName).pfx"

# 2.5.29.19 is the OID of the Basic Constraints extension; CA=false marks the cert as an End Entity
$cert = New-SelfSignedCertificate -Subject $Publisher_CN -FriendlyName $Publisher_DisplayName -KeyAlgorithm RSA -KeyLength 3072 -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -KeyExportPolicy Exportable -KeyUsage DigitalSignature -Type CodeSigningCert -CertStoreLocation "Cert:\LocalMachine\my" -KeyDescription "Code Signing Cert for MSIX Packages" -NotAfter "12/31/2039 23:59:59" -HashAlgorithm 'SHA256' -TextExtension @("2.5.29.19={text}CA=false")
$cert | Export-PfxCertificate -FilePath $pfxName -Password $securePassword -Force -CryptoAlgorithmOption AES256_SHA256

Write-Host -ForegroundColor Cyan "Exported Certificate: File: $($pfxName)"
Write-Host -ForegroundColor Cyan " MSIX Manifest uses: $($Publisher_CN)"
Write-Host -ForegroundColor Cyan " Valid until: $($cert.NotAfter)"

# The exported .pfx is all that is needed, so remove the cert from the machine store
Remove-Item $cert.PSPath
Write-Host -ForegroundColor Cyan "Done."
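
A check you can run against the exported .pfx before importing it into Visual Studio, as an added example that is not part of the original script: it reads the Basic Constraints and Enhanced Key Usage extensions and, optionally, compares the subject with the Publisher in the manifest. The function name and the file paths in the usage lines are hypothetical.

```powershell
# Added example, not from the original post. Function name and paths are hypothetical.
function Test-MsixTestCert {
    param(
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [securestring] $Password,
        [string] $ManifestPath    # optional: the project's manifest file
    )

    # Read the PFX straight from disk; nothing is added to a certificate store.
    $fullPath = (Resolve-Path -LiteralPath $PfxPath).Path
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($fullPath, $Password)

    # Look the extensions up by OID: 2.5.29.19 = Basic Constraints, 2.5.29.37 = Enhanced Key Usage.
    $bc  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }

    $result = [ordered]@{
        Subject             = $cert.Subject
        HasBasicConstraints = [bool]$bc
        # "Subject Type=End Entity" corresponds to CertificateAuthority = $false
        IsEndEntity         = ($null -ne $bc) -and (-not $bc.CertificateAuthority)
        # 1.3.6.1.5.5.7.3.3 is the Code Signing EKU
        HasCodeSigningEku   = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.3' })
        HasPrivateKey       = $cert.HasPrivateKey
        NotAfter            = $cert.NotAfter
    }

    if ($ManifestPath) {
        # The Publisher attribute on <Identity> has to match the certificate subject.
        [xml]$manifest = Get-Content -LiteralPath $ManifestPath -Raw
        $publisher = $manifest.Package.Identity.Publisher
        $result.ManifestPublisher       = $publisher
        # Plain string comparison: spacing or quoting differences show up as a mismatch.
        $result.SubjectMatchesPublisher = ($publisher -eq $cert.Subject)
    }

    [pscustomobject]$result
}

# Usage with placeholder values:
$pw = Read-Host -Prompt 'PFX password' -AsSecureString
Test-MsixTestCert -PfxPath '.\Company.pfx' -Password $pw -ManifestPath '.\Package.appxmanifest' | Format-List
```

A cert created without the Basic Constraints extension reports HasBasicConstraints and IsEndEntity as False.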