My cert store had lost the link to the private key. I found a tool to reassociate my cert with the correct private key. See the discussion for details.
Lost store app cert, what are my options?
While developing a new app I lost the cert after submitting the first version.
My assessment so far:
- My cert is lost, which means my account is unusable for publishing any apps
- My app name is permanently locked in to that account
- I cannot delete the app
- I cannot transfer the app name to a new account.
Anything I missed? Do I really have to give up on my reserved app name?
Microsoft Partner Center
-
Roy Li - MSFT 32,731 Reputation points • Microsoft Vendor
2021-06-16T01:56:29.293+00:00 Please associate your app with the store in the Visual Studio. Your app will get the certificate automatically because the VS will generate it after the association.
And also please make sure that your account is active. You could check the Account status in the Account Settings in Partner Center.
-
Lars Vinberg 101 Reputation points
2021-06-16T01:57:48.503+00:00 THANK YOU. Will try.
-
Roy Li - MSFT 32,731 Reputation points • Microsoft Vendor
2021-06-16T06:14:04.743+00:00 If you still have questions, please feel free to come back and ask.
-
Lars Vinberg 101 Reputation points
2021-06-16T19:29:09.847+00:00 I get this warning when building app packages:
13>C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Microsoft\VisualStudio\v16.0\AppxPackage\Microsoft.AppXPackage.Targets(2698,5): warning : Publisher name (CN=69D213B2-5C0E-43D7-8EFF-xxxxxxxxxxxx) does not match signing certificate subject: CN=359C00DD-805A-4C7C-AF9F-xxxxxxxxxxxx. Updating Publisher name.
When I upload my package for a new submission I get these errors in the Partner Center:
You must fix all package validation errors before submitting.
collusive.app.uwp_1.0.40.0_x86_x64_arm_arm64_bundle.msixupload 79.1 MB
Invalid package family name: 7010Altihop.collusive_h3a3xq2gja1zy (expected: 7010Altihop.collusive_tx98r1g9e2sda)
Invalid package publisher name: CN=359C00DD-805A-4C7C-AF9F-xxxxxxxxxxxx (expected: CN=69D213B2-5C0E-43D7-8EFF-xxxxxxxxxxxx)
-Lars
-
Roy Li - MSFT 32,731 Reputation points • Microsoft Vendor
2021-06-17T01:29:44.15+00:00 So you are not using VS to build your application, right? When did you get the certificate?
-
Lars Vinberg 101 Reputation points
2021-06-17T01:35:20.627+00:00 Yes I am using VS. I used another account before, changed store association to my new account two months ago, thought I got the new cert properly stored, and published the app for a test release. Now the cert is nowhere to be found, I have clearly made a mistake somewhere.
-
Roy Li - MSFT 32,731 Reputation points • Microsoft Vendor
2021-06-17T01:39:32.703+00:00 You have two developer accounts, right? And now you are using the new developer account for publishing? Is the developer account you signed in Visual Studio the same one that you signed in Partner Center when you are trying to upload your package?
-
Lars Vinberg 101 Reputation points
2021-06-17T03:03:58.877+00:00 Yes but the old cert is still in the project.
-
Roy Li - MSFT 32,731 Reputation points • Microsoft Vendor
2021-06-17T03:21:06.05+00:00 Did you re-associate your app with the new app in the new developer account? What is the status of the new developer account in the Partner Center? Is it active?
-
Lars Vinberg 101 Reputation points
2021-06-17T03:36:21.543+00:00 Yes the new account is active. I used it to publish the app, on 4/12 I think. Unlisted, for a few beta testers.
There's actually three accounts here:
- lars/chrome.se: my personal account that I used to develop a WP8 app in 2014, which I migrated to Xamarin last year.
- altihop/outlook.com: My MS dev account for my business name. This I created late March and migrated the app to. And lost the cert.
- altihop2/outlook.com: Yesterday I created and paid for an additional dev account to do some testing. Not planning on using it.
The old app ID is on lars/chrome.se. The name was not unique enough so I looked for a new name.
The new app ID is on altihop/outlook.com
My concern here is primarily how to keep the name. My app is not generally visible so I can create a new store entry and ask my beta testers to use that one. But I want to keep using the name.
-
Roy Li - MSFT 32,731 Reputation points • Microsoft Vendor
2021-06-17T06:20:31.787+00:00 Got it. Could you please create a new blank and try to associate it with the second account?
-
Lars Vinberg 101 Reputation points
2021-06-17T06:52:06.69+00:00 I created a new blank UWP app and associated it with a new app entry in the second account. I can build it, but it fails app validation as it does not (yet) have digital signing.
Same Publisher CN=69D2...
-
Roy Li - MSFT 32,731 Reputation points • Microsoft Vendor
2021-06-17T07:27:31.757+00:00 Please open the package manifest file and click the packaging tab. When you click on the Choose certificate button, could you find the certificate for the second account?
-
Lars Vinberg 101 Reputation points
2021-06-17T16:04:38.12+00:00 As far as I can tell, no. I tried Select from Store and Select from file. Also searched my entire file system for .pfx files. No such luck.
My guess is that these lines in the store association file for my blank app App1 point to the cert of the existing app, and it is assumed that I already have that cert. But that's just a guess.
<AccountPackageIdentityNames>
  <MainPackageIdentityName>7010Altihop.collusive</MainPackageIdentityName>
</AccountPackageIdentityNames>
Guessing more... The cert for signing required in submission seems to be per account, not per app. Which means (using VS) it's created once when you submit your first app.
Looking at my Partner Center account settings, under Organization profile, my Windows publisher ID is CN=69D2...
So that's definitely a cert for the account that's supposed to be used to sign the app.
-
Roy Li - MSFT 32,731 Reputation points • Microsoft Vendor
2021-06-18T06:43:09.57+00:00 It's interesting. Based on the error message, the certificate that your app gets is CN=359C while the correct one should be CN=69D2. So could you please check the Visual Studio again to make sure there is one and only one account signed in the Visual Studio?
-
Lars Vinberg 101 Reputation points
2021-06-18T10:08:57.177+00:00 I had two accounts logged in. I logged out the first account and re-associated, re-built. Same problem.
I looked at the certs listed when I chose Pick cert from store (presumably my local cert store). There were a bunch of certs all named 359C...
I had made the assumption that those were all the same, but they have different thumbprints. None of them worked.
I found cert manager in Windows, there under Trusted Root Certs I found the right CN. But they don't show up when I try to pick a cert from store in appxmanifest editor. Just the 359C ones.
So my question now turns into why I cannot see the correct certificates in the cert picker in VS.
There's also an option to import from a .pfx file, but the cert manager won't let me export to .pfx. Perhaps there is a tool that can do that.
-
Lars Vinberg 101 Reputation points
2021-06-18T17:10:26.453+00:00 Looking closer at those certs, for the 359C certs there is a note that I have the private key for the cert. That's missing for the 69D2 certs, which is probably why they don't show up in the pick list of certs from the store.
-
Lars Vinberg 101 Reputation points
2021-06-18T18:04:16.69+00:00 Found this tool. It has a repair function for missing private keys that attempts to find the key locally.
https://www.digicert.com/support/tools/certificate-utility-for-windows
My repair was successful, I have now uploaded a new package submission and am waiting for this test to roll out. With some luck we're all good.
-
Lars Vinberg 6 Reputation points
2021-06-20T17:05:04.023+00:00 Confirmed - all good. Thanks for nudging me towards finding the problem.
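The diagnosis reached in the thread (the certificate matching the expected publisher exists, but no copy is linked to a private key) can be checked directly. The following is an added example, not part of the original posts or any Microsoft tooling: the inline manifest is a constructed sample using the redacted values quoted above, and `Find-PublisherCert` is a hypothetical helper name.

```powershell
# Constructed sample manifest fragment; in a real project, load Package.appxmanifest instead.
# Name, version and (redacted) Publisher are the values quoted in the thread.
[xml]$manifest = @'
<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10">
  <Identity Name="7010Altihop.collusive"
            Publisher="CN=69D213B2-5C0E-43D7-8EFF-xxxxxxxxxxxx"
            Version="1.0.40.0" />
</Package>
'@
$expected = $manifest.Package.Identity.Publisher

# Hypothetical helper: list every certificate whose subject equals the
# manifest publisher, with the store it lives in and whether a private key is linked.
function Find-PublisherCert {
    param([Parameter(Mandatory)][string]$Subject)
    Get-ChildItem -Path Cert:\CurrentUser, Cert:\LocalMachine -Recurse -ErrorAction SilentlyContinue |
        Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] -and
            $_.Subject -eq $Subject
        } |
        ForEach-Object {
            [pscustomobject]@{
                Store         = ($_.PSParentPath -replace '^.*::', '')
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                HasPrivateKey = $_.HasPrivateKey
            }
        }
}

$found = @(Find-PublisherCert -Subject $expected)
if (-not $found) {
    Write-Warning "No certificate with subject '$expected' in any store."
} elseif (-not ($found | Where-Object HasPrivateKey)) {
    # The situation described in the thread: certificate present, key link missing.
    Write-Warning "Certificate found, but no copy is linked to a private key; it cannot sign packages."
}
$found | Format-Table -AutoSize
```

A row with `HasPrivateKey` set to `False` corresponds to the 69D2 certificates described above, which were visible in the certificate manager but absent from the Visual Studio picker.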
1 answer
-
Lars Vinberg 6 Reputation points
2021-06-21T19:17:52.207+00:00