Purpose
Overview
Test certificates can be used to sign development builds that are not going to be distributed to your users or customers. You can read how to create test certificates in SignPath in the user guide. In order to ensure your artifacts behave the same way during installation even though they are not signed by commercial CA you need to trust the certificate on the computers you use for testing. There are some options when managing test certificates:
You can either create self-signed certificate or create them using an in-house CA.
You can roll out the certificate by installing them manually or by using automated processes.
Creating certificates
You have two options to create certificates:
Self-signed certificates
Self-signed certificates can be created right from within SignPath and don’t require an additional setup of tools and infrastructure. The disadvantage is that you cannot revoke the certificate, but have to remove it from each computer if it was misused.
In-House CA
To use an in-house CA, you can create a certificate signing request (CSR) in SignPath and use your in-house CA (e.g. Microsoft Active Directory Certificate Services or OpenSSL) to issue the test certificate. The certificate can then be imported into SignPath. By using an in-house CA, you have one controlled instance for your public key infrastructure (PKI) and a straight-forward revocation process, in case the certificate has been misused.
Installing certificates
Certificates can be rolled out to your test computers manually or using an automated process. You should generally add self-signed test certificates to the Trusted Root Certification Authorities
certificate store of computers you use for testing your software. If you do this, Windows will treat your test certificates as if they were issued by a trusted Root CA.
Manual installation
On Windows, you can install certificates by following these steps:
Open the certificate in Windows Explorer
For certificate file: select Open.
For signed files: select Properties from the context menu, go to the Digital Signatures tab, open a signature (Details) and select View Certificate.
In the certificate property window, click Install Certificate…
Select Current User or Local Machine location
Select the Trusted Root Certification Authorities store
Using scripts and batch files
In PowerShell scripts, use
In batch files, use
CertUtil -addstore Root <certificate-file>
GPO auto-enrollment
Use Group Policy Objects (GPOs) to add certificates to computers. The following GPOs are available in Windows Settings
› Security Settings
› Public Key Policies
To trust a certificate, create a GPO for
Trusted Root Certification Authorities
In order to explicitly un-trust a certificate, create a GPO for
Untrusted Certificates
Trusted publishers
For some use cases, the certificate must also be registered as a Trusted Publisher in addition to basic PKI trust:
PowerShell scripts
Microsoft Office macros
ClickOnce applications
certain GPO-driven MSI installation scenarios
legacy ActiveX controls
certain device drivers
On this page