Windows App Enterprise Code Signing: Install & Export Symantec Certificate

Introduction:

Enterprise or company distribution is the great feature introduced from Windows Phone 8 is the ability to self-publish and distribute applications within an organization. Users can install apps published by their company only after they enroll their phones for app distribution from their company, and only users that are enrolled for app distribution from the company can install the company apps.

There are some general steps that companies must follow to establish a company account, enroll devices, and distribute apps to their enrolled devices. The following sections provide an overview of this process:

• The company registers a company account on Windows Phone Dev Center and acquires an enterprise certificate from Symantec and export it to local machine.
• The company creates an application enrollment token (AET).
• The company develops a Company Hub Windows app.
• The company prepares their apps for distribution by signing with Symantec Certificate.
• The company need to deploy the signed build in MDM/Mobile Iron, (or) they can also upload it to trusted website (or) email.
• Employees (or other users) enroll for company app distribution on their phones(Using Apps@Work) and install the company apps by using the Company Hub app.

However in this article, I am going to explain you about below concepts:

1.Register with windows phone dev center account and acquiring the enterprise certificate

2. How to Install & Export Symantec Certificate 

• Installing the Root and CA certificates
• Installing Symantec Enterprise certificate
• Export (or Backup) Symantec certificate for Enterprise Code Signing

1. Register with windows phone dev center account and acquiring the enterprise certificate

In order to acquire an enterprise-signing certificate, you first need a Windows Phone Store account. Sign up for a new account at dev.windows.com/join, or access your account at dev.windowsphone.com/dashboard. Be aware of a catch here: Your account needs to be a company account, not an individual -- make sure you select the right box, as it's extremely difficult to change it at a later stage.

Once you have created this developer account you can buy an Enterprise Mobile Signing Certificate from Symantec. Currently we only support Symantec certificates to sign your corporate Windows Phone applications.

A code-signing certificate can only be purchased from Symantec. You'll need both your Symantec Publisher ID and the Primary Email Address of your Windows Phone Store account. These can be found by logging into your Windows Phone Store account and navigating to the account tab

Once you have paid Symantec they also do some validations and they will create the certificate for you and you will get confirmation email.

And Make sure you request and download the certificate from the same machine with same browser (preferred browser is Internet explorer) where you made the certificate request. And the certificate is valid for 1 year.

Click on the links in the certificate confirmation e-mail to install both the root and intermediary certificates. These need to be added to the Trusted Root Certification Authorities and Intermediate Certification Authorities stores, respectively, on the machine, not the default store, on a PC.

2. How to Install & Export Symantec Certificate 

We have to follow below three major steps to make Symantec certificate request, and export it to your local computer.

• Installing the Root and CA certificates
• Installing Symantec Enterprise certificate
• Export (or Backup) Symantec certificate for Enterprise Code Signing

Step 1. Installing the Root and CA certificates

Your Enterprise certificate is issued by a private Microsoft Root and CA, and is not inherently trusted by your computer. Please ensure that you install and trust the Root and CA certificates before installing your Enterprise certificate (newer Windows operating systems will not allow you to install your Enterprise certificate properly if the issuing chain is not already trusted).

To Install the Symantec Enterprise Mobile Root for Microsoft certificate:

1. Download the Root certificate: Symantec Enterprise Mobile Root for Microsoft.cer Save the file to your Desktop for easy retrieval (You may download to any directory but remember where it goes.)
2. If you are using Windows 7 OS click the Windows Start buttonIn the Search Programs and Files field, type mmc and click Enter (or) if it is windows 8.1 OS click (Windows Start button +R ) and type mmc . And you may need to click Yes to confirm that you wish to allow changes to your computer.
3. A Console1 - [Console Root] window will appear
   
4. Click File > Add/Remove Snap-in
   
5. From the Available snap-ins list, click Certificates Click Add > Computer account  > Next >  Finish > Ok.
   
    NOTE: You may not be prompted to select an account.  If not, just click Ok.
6. From the left pane, under Console Root in blue, expand Certificates (Local computer or current user) Expand Trusted Root Certification Authorities Right-click Certificates > All Tasks > Import A certificate import wizard will appear Click Next. 
   
7. Click Browse and browse to the location of the Symantec_Enterprise _Mobile_Root_for_Microsoft.cer which is located in your desktop.
   
   Double-click on the file (or click and Open) Click Next > Next > Finish > Ok
8. You may close the Console1 window.  Click No unless you wish to save the setup

To Install the Symantec Enterprise Mobile CA for Microsoft certificate:

1. Download the Root certificate Symantec Enterprise Mobile CA for Microsoft.cer Save the file to your Desktop for easy retrieval (You may download to any directory but remember where it goes.)
2. If you are using Windows 7 OS click the Windows Start buttonIn the Search Programs and Files field, type mmc and click Enter (or) if it is windows 8.1 OS click (Windows Start button +R ) and type mmc. And you may need to click Yes to confirm that you wish to allow changes to your computer.
3. A Console1 - [Console Root] window will appear
   
4. Click File > Add/Remove Snap-in
   
5. From the Available snap-ins list, click Certificates Click Add > Computer account  > Next >  Finish > Ok.
   
    NOTE: You may not be prompted to select an account.  If not, just click Ok.
6. From the left pane, under Console Root in blue, expand Certificates (Local computer or current user) Expand Intermediate Certification Authorities Right-click Certificates > All Tasks > Import A certificate import wizard will appear Click Next.
   
   
   
7. Click Browse and browse to the location of the Symantec_Enterprise_Mobile_CA_for_Microsoft_Cert which is located in your desktop. Double-click on the file (or click and Open) Click Next > Next > Finish > Ok
   
   
   
   Double-click on the file (or click and Open) Click Next > Next > Finish > Ok
8. You may close the Console1 window.  Click No unless you wish to save the setup

Step 2: Installing Symantec Enterprise certificate

So in previous step, you installed and trust the Root and CA certificates which are helpful for installing your Enterprise certificate.

If you are using Windows 8 / IE 10 to pick up your certificate, please put your browser into "compatibility mode".

Click on the link to retrieve the certificate and make sure it opens in the browser that made the certificate request (IE).

Click on “Continue” button to install the signing certificate into the certificate store (PC) At this point open the certificate (run certmgr.msc on a PC or open the keychain manager on a Mac) and verify that it's fully trusted. 

Step 3: Export (or Backup) Symantec certificate for Enterprise Code Signing

Once the certificate is installed, we need to Export the certificate to a .PFX file for Enterprise Code Signing.

The following solution provides steps for how to export your Windows Mobile Enterprise Code Signing certificate from Internet Explorer.

1. Open Internet Explorer and right click on top of the browser and choose Menu bar, click on Tools and then Internet Options. Click on the Content tab and then Certificates. Locate the certificate you wish to back-up and click Export.
   
2. The Certificate Export Wizard should open. Select the option, Yes, export the private key and click next.
   
   Note: If this option is not selected, a proper back-up file will not be created
3. In the Export File Format window, ensure the option for Personal Information Exchange  - PKCS#12 (.pfx) is selected Check the box, Include all certificates in the certificate path if possible. And click Next buttonNote: If you do not select the Include all certificates in the certificate path if possible option, your back-up certificate may not be recognized as the issuer of the certificate will not be included in the back-up file
4. Enter and confirm a password to protect the .pfx file and click Next. Choose a file name and location for the export file (do not include an extension in your file name; the wizard automatically adds the PFX extension).
   
5. Pay special attention to where you save the file click Next. Read the summary and verify that the information is correct. Click Finish and complete the wizard
   

Wow! Now Symantec certificate is successfully export to your desktop or mentioned browse path.

References:

• How to install the Windows® Phone Private Enterprise Root and Intermediate certificates
• Enterprise Mobile Code Signing Certificate Pickup
• How to back-up a Windows Mobile Enterprise Code Signing Certificate
• https://visualstudiomagazine.com/articles/2014/09/01/enterprise-distribution-of-windows-phone-applications.aspx
• http://channel9.msdn.com/Shows/Inside+Windows+Phone/IWP72-Deploying-Windows-Phone-apps-for-the-Enterprise
• https://msdn.microsoft.com/en-s/library/windows/apps/jj206943%28v=vs.105%29.aspx
• http://channel9.msdn.com/Events/TechEd/Europe/2014/WIN-B351

FeedBack Note:

Please share your thoughts,what you think about this post,Is this post really helpful for you?I always welcome if you drop comments on this post and it would be impressive.

Follow me always at @Subramanyam_B

Have a nice day by Subramanyam Raju :)