Create MSIX files

Introduction

The MSIX format is a Windows app package format used to create and distribute applications in Windows 10/11. These MSIX files are usually not available via a simple download, as they need to be certified and “repackaged” before being installed on Windows devices.

MSIX Packaging Tool

The creation of MSIX files requires the MSIX Packaging Tool, which can be downloaded from the Microsoft Store β†’ and installed on a Windows device.

MSIX Packaging Tool

Certificate creation

The next step is to create a certificate. This can be done comfortably via the Powershell. To do this, change the name of the certificate and/or the password if necessary.

    # Generate a new self signed certificate with the subject 'CN=Relution', the key algorithm RSA,
    # the key length 2048, the key usage DigitalSignature and the type CodeSigningCert and save it in the personal
    # in the personal certificate store of the current user
    $Newcert = New-SelfSignedCertificate -Subject 'CN=Relution' -KeyAlgorithm RSA -KeyLength 2048 -KeyUsage DigitalSignature -Type CodeSigningCert     -CertStoreLocation Cert:\CurrentUser\My

    # Get the thumbprint of the newly generated certificate
    $trumbprint = $Newcert.Thumbprint

    # Get the certificate object from memory by its thumbprint
    $cert = (Get-ChildItem -Path cert:\CurrentUser\My\$trumbprint)

    # check if the certificate was retrieved successfully
    if($cert -ne $null){
      # convert the plaintext password string to a secure string
      $Secure_String_Pwd = ConvertTo-SecureString "Passw0rd" -AsPlainText -Force

      # Export the certificate to a PKCS#12 file on the user's desktop
      Export-PfxCertificate -Cert $cert -FilePath $env:USERPROFILE\desktop\MSIXZertifikat.pfx -Password $Secure_String_Pwd

      # Remove the certificate from memory
      Remove-Item cert:\CurrentUser\My\$trumbprint
    }

The created certificate must be stored in the Trusted Root Certification Authorities category on all Windows 10/11 devices where MSIX files are to be installed. This can be done either with Relution via the policy configuration Certificates or manually, directly on the devices. The password string in the example is passw0rd. To add the certificate manually, start the certificate management Manage Computer Certificates as an administrator.

MSIX Packaging Tool

Creation of MSIX files

Start the MSIX Packaging Tool and select the option to create a new app package. Uncheck Windows Search is active in the following dialogue.

MSIX Packaging Tool

In the example, we create a MSIX file for Notepad++. First, a setup file has to be downloaded. Then a file and the certificate in the MSIX Packaging Tool have to be selected. The Signature Preference must be set to Sign with a certificate (.pfx).

MSIX Packaging Tool

The appropriate fields have to be filled in.

MSIX Packaging Tool

Now, the installer of Notepad++ starts. It should be run normally and the configurations have to be set according to the needs.

In the MSIX Packaging Tool click on Next and Yes, continue when the installation of Notepad++ is finished.

MSIX Packaging Tool

The tool will indicate that no services have been installed and detected. In the last dialog box you can specify the location of the package. Finish the creation by clicking Create.

MSIX Packaging Tool

Deploy certificate on other Windows PCs

In order to be able to install the MSIX package on other Windows PCs, the certificate must be provided on these. To do this, the certificate must be converted from a PKCS12 to a PKCS1 certificate using openSSL. To do this, openSSL must be installed on the system. This works with this command:

openssl pkcs12 -in MSIXZertifikat.pfx -clcerts -nokeys -out MSIXZertifikat.der

The PKCS1 certificate that has just been converted can then be uploaded to Relution under Settings > Certificates.

Finally, the certificate must be delivered to the devices in a policy for Windows devices. To do this, the “Certificates” configuration must be used and the certificate selected.

It is mandatory to select ‘Trusted root certificate authority’ as the certificate store.