Our UWP application will be released outside of the Microsoft Store since it is a Line-Of-Business application. I scoured the internet for references and what I have gathered is that for users to be able to install our UWP application, it needs to be signed with a Trusted Certificate.
A trusted certificate can be obtained from any Certificate Authority(CA) by submitting a Certificate-Signing-Request(CSR) for code signing cert.
Now I haven't tried to get a certificate yet, as it involves payments. So, I want to be sure if I can get a .pfx certificate from the Certificate Authorities for signing our UWP application?
Will CA have the provision to select a Code signing certificate for UWP? and NOT an SSL certificate?
Yes, you should sign your app with a code-signing certificate that is trusted on each device to which you deploy the app.
You would typically use a certificate that is provided by your organization if you belong to one. The other recommended option is to purchase a certificate from a third-party provider whose public root certificate is already trusted by Windows.
If you do a Bing or Google search for "code signing certificate", you should find some trusted providers.
Related
We have working ADFS 2016 server with over 100 clients as claims provider trusts. Now I need to join to a local government SAML2 system, which is common solution for many goverment bodies. It is compatible with our ADFS setup except they require (without any valid reason) us to use special goverment signed certificates as a token signing (and possibly encryption) certificate. With over 100 existing customer, which do not all update from our metadata automatically, I do NOT want to change our current token signing/encryption certificates in our published metadata.
Is there some way to handle this situation in ADFS server?
Can I install this goverment token signing certificate to the ADFS server as a second certificate and make it so that it is NOT published in our metadata?
And this second certificate should be used only with some selected claim provider trusts so that ADFS server by default uses our current certificate but uses the goverment certificate for logins from selected claim provider trusts that are linked to government SAML2 system?
Or is the completely different ADFS server our only option?
Thanks.
No - IDP only use one certificate. Azure AD works exactly the same way.
Your only option is another IDP.
This doesn't have to be ADFS - just another IDP.
We want to switch our ASP.NET MVC application from Azure Cloud Service to Azure App Service (web app). The application is currently using WIF as its identity framework, and as it is running in a farm configuration, we configured a custom SessionSecurityTokenHandler which encrypts the session cookie using a certificate (thus the cookie can be decrypted by all instances of the web farm).
We could provision this certificate in the Cloud Service scenario using the csdef/cscfg files and the built-in Azure certificate store associated with the Cloud Service, but there is no such thing with Azure App Services (unless I missed something).
Is there any way to configure a certificate in the App Service? Should we fall back to another mechanism to encrypt the session cookie, such as a shared machine key? The machine key is not an ideal solution as it forces us to leave some configuration out of source control to avoid leaking the key.
Using the Azure portal (https://portal.azure.com), open the web app blade for your web app and click on the Settings button in the toolbar.
In the Settings blade, click on Custom domains and SSL. In the Custom domains and SSL blade click on the Upload Certificate button in the toolbar. This will open a blade where you can upload the certificate.
In the web app settings blade, you will need to add an app settings using the key WEBSITE_LOAD_CERTIFICATES. You can set the value to * to load all certificates or if you want to specify a specific certificate you could do that.
From there, you can use the certificate like you would in your cloud service version of the application. Some additional information on this and how to use the certificate in code is available here if you need it.
Finally, to Michael B's point in the comments, using Azure Key Vault would be another approach you could take and would provide some additional security.
Can the CordovaApp.pfx in res\native\windows be used to create a .aetx token?
Signing is handled automatically with VS2015 community + Cordova when deploying a package for release.
Sample CordovaApp.pfx https://github.com/dbiele/TypeScript-Cordova-SystemJS-Angular2-beta/tree/master/res/native/windows
Here's instructions on how to create .aetx from .pfx = link
All I get when trying to convert is: Invalid certificate or password
An .aetx token can only be created if a Enterprise Mobile Code Signing Certificate from Symantec Corp has been purchased. Without the certificate, AetGenerator.exe is unable to create an .aetx from the .pfx.
Explanation on how to use AETX and Mobile Certificates.
https://msdn.microsoft.com/en-us/magazine/dn296515.aspx
Download Root Certificates
https://knowledge.symantec.com/support/code-signing-support/index?page=content&id=SO20770&actp=search&viewlocale=en_US
Instructions on how to sign an app
https://msdn.microsoft.com/en-us/library/windows/apps/jj735576(v=vs.105).aspx
I hope this helps!
We have Web API 2 application exposed to outside vendors for various integrations. We're adding a new one with DocuSign through their Connect service and they will be signing their requests with their X509 certificate. I would rather not install the certificate on the server itself because we add new servers and deployments often based on load.
Here is my plan, and I'd like to know what the security risks are with it (assuming it will work at all).
DocuSign provides their X509 certificate for download. I want to place that *.cer file in my Web API application's ~/App_Data folder, along with any other certs from any other vendors. I will use a DelegatingHandler to grab the client certificate from the Request. I would then use the X509Chain class as described here to load all certificates from the ~/App_Data folder and to verify the request certificate.
From there I would map the certificate subject to a role and add that to the current thread to provide authentication for specific routes.
I've gathered from my research that this method would be less secure than installing DocuSign's certificate to the server's root store - is that correct? And how much less secure?
At the end of the day I'd like to (1) verify that the request is coming from who it says it's coming from, and (2) add roles based on the verified requester for authentication.
I am trying to create my own certificate for a adobe air application, I created one already based on this link: http://help.adobe.com/en_US/AIR/1.5/devappshtml/WS5b3ccc516d4fbf351e63e3d118666ade46-7f74.html
But when I install my application the publisher field is still set with unknown, which is at the end what I am trying to do, I need to set the publisher with one specific value.
Thanks a lot!
You need to buy a code-signing certificate from a company like Verisign orThawte or another Certificate Authority.
Read this blog by Christian Cantrell for more info on how to get the certificates.
The pages where you can buy the certificate from Thawte and Verisign.
I don't think Thawte allows individuals to buy the certificate, but Verisign does.
Remember, you need to buy the Adobe AIR code signing certificate