How to renew a certificate for LUA Patching

Digital certificates used to sign installers and patches have a limited validity period, so they must be renewed periodically, usually once a year. To switch to the renewed certificate without breaking LUA patching, a few changes have to be made before the current certificate expires.

Tip: Windows Installer 4.5 or higher is required for this tutorial to work.

LUA patching on Windows XP or later works only when the original MSI and all subsequent patches are signed with the same digital certificate. Windows Installer compares the patch signer's certificate against the certificates stored in the package's MsiDigitalCertificate table, so renewing the certificate with the same public key and subject (identity) is not enough: to Windows Installer the expired and the renewed certificate are two different certificates.

Steps to add a new certificate

1. Purchase a new certificate well before the current "about-to-expire" certificate expires, so there is enough time to build and test the installer and the patches. The renewed certificate does not have to use the same public key as the current one, and its subject field does not have to match either, so the identity information may change.

2. Use your private key and the SPC file obtained during the certificate renewal process to create a pfx file using the following command:

pvkimprt.exe -pfx <CertificateName>.SPC <PrivateKeyname>.pvk 

3. Before the current "about-to-expire" certificate expires, create an intermediate patch that carries both the current and the new certificate, as described in the next section.

Creating an intermediate patch

1. Create a new MSI project file.

2. In the Table Editor page add the MsiDigitalCertificate and MsiPatchCertificate tables. This can be done by using the "Add Table..." command from the context menu.

3. Add the following rows to the MsiDigitalCertificate table:

DigitalCertificate    CertData
Cert01                "about-to-expire" certificate
Cert02                new certificate

When adding a new row, for the value of the CertData column use the [ ... ] button to select the certificate's binary file.

4. Add the following rows to the MsiPatchCertificate table:

PatchCertificate    DigitalCertificate
PatchCert01         Cert01
PatchCert02         Cert02

5. Sign the package with the "about-to-expire" certificate and build it.

6. Create a patch from the newly created MSI file and sign it with the current "about-to-expire" certificate.

Because it is signed with the certificate the installed product already trusts, this patch can be applied by a non-administrator, and once it is installed, later MSP files signed with the new certificate can be applied the same way.

Caution! This patch must not be skipped: it has to be applied before any patch signed with the new certificate, otherwise those later patches will not install for least-privileged users. The later patches themselves do not need to carry the expired certificate.

The certificate used for patching expired

In some cases the certificate used to create LUA patches has already expired. For more information please read What do I do if the certificate used in LUA patching has already expired? FAQ.

Testing and Conclusions

It is advisable to test your certificate renewal process in a lab before relying on it in production. For this you can create test certificates with the makecert.exe tool, which ships with the Microsoft .NET Framework SDK and the Windows SDK. The following command generates a test certificate and its private key:

makecert.exe -n "CN=Identity" -sv private_key.pvk certificate.cer

To sign with such a test certificate, first convert the private key and certificate into a .pfx file (pvk2pfx.exe, shipped alongside the signing tool), then sign with SignTool.exe from the Windows SDK (https://developer.microsoft.com/en-us/).

If everything is set up correctly, on Windows Vista/7 the UAC elevation prompt appears only while the main package is being installed; installing the patches afterwards must not trigger any UAC prompt. On Windows XP, install the main application from an administrator account; if everything is set up correctly, a patch run from a least-privileged user account then installs without errors.
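As an added example (not part of the original tutorial and not Advanced Installer's own tooling), the following PowerShell script acts as a pre-release check for both the intermediate-patch procedure above and the test run described in this section: it confirms that the original MSI and the intermediate patch are signed with the about-to-expire certificate, that the first "real" patch is signed with the renewed one, that the old certificate is still valid, and it shows that two certificates sharing a subject and public key still have different thumbprints, which is why Windows Installer treats them as different. The file names (Setup.msi, Intermediate.msp, Update.msp, old.cer, new.cer) are assumptions; point the parameters at your own build output.

```powershell
# Added example, not from the original page. Assumed inputs (adjust to your build):
#   Setup.msi         original package, signed with the about-to-expire certificate
#   Intermediate.msp  patch listing both certificates, signed with the old certificate
#   Update.msp        first patch signed with the renewed certificate
#   old.cer / new.cer the binary certificates imported as Cert01 / Cert02 (CertData)
param(
    [string]$Msi               = 'Setup.msi',
    [string]$IntermediatePatch = 'Intermediate.msp',
    [string]$NewPatch          = 'Update.msp',
    [string]$OldCer            = 'old.cer',
    [string]$NewCer            = 'new.cer'
)

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

# Loads a DER/.cer file. The thumbprint is the SHA-1 of the certificate bytes, the
# closest stand-in for Windows Installer's byte-wise match against CertData.
function Get-Cer([string]$Path) {
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($full)
}

# Returns the Authenticode signer certificate of an .msi/.msp after checking the
# signature validates; warns when the signature carries no timestamp.
function Get-Signer([string]$Path) {
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        throw "$Path : signature status is '$($sig.Status)' - $($sig.StatusMessage)"
    }
    if (-not $sig.TimeStamperCertificate) {
        Write-Warning "$Path is not timestamped; an untimestamped Authenticode signature stops validating once its certificate expires."
    }
    return $sig.SignerCertificate
}

$old = Get-Cer $OldCer
$new = Get-Cer $NewCer

# 1. The renewed certificate is a different object even if subject and key were kept;
#    Windows Installer does not consider them the same certificate.
if ($old.Thumbprint -eq $new.Thumbprint) {
    throw "$OldCer and $NewCer are the same certificate; there is nothing to roll over."
}
$sameSubject = $old.Subject -eq $new.Subject
$sameKey     = [Convert]::ToBase64String($old.GetPublicKey()) -eq [Convert]::ToBase64String($new.GetPublicKey())
Write-Host ("Subject kept: {0}; public key kept: {1}; thumbprints differ anyway: {2} vs {3}" -f `
    $sameSubject, $sameKey, $old.Thumbprint, $new.Thumbprint)

# 2. The intermediate patch must be signed with the certificate the installed product
#    already trusts, i.e. the one that signed the original MSI.
$msiSigner = Get-Signer $Msi
$intSigner = Get-Signer $IntermediatePatch
if ($msiSigner.Thumbprint -ne $old.Thumbprint) {
    throw "$Msi is signed with $($msiSigner.Thumbprint), not with $OldCer."
}
if ($intSigner.Thumbprint -ne $old.Thumbprint) {
    throw "$IntermediatePatch must be signed with the about-to-expire certificate, but is signed with $($intSigner.Thumbprint)."
}

# 3. The old certificate must still be valid when the intermediate patch ships;
#    otherwise the 'already expired' FAQ applies instead of this tutorial.
$daysLeft = ($old.NotAfter - (Get-Date)).Days
if ($daysLeft -lt 0) {
    throw "$OldCer expired on $($old.NotAfter); the intermediate patch is too late."
}
Write-Host "Old certificate valid for $daysLeft more day(s); ship $IntermediatePatch before then."

# 4. Every patch after the intermediate one is signed with the renewed certificate
#    that the intermediate patch added to MsiPatchCertificate.
$newSigner = Get-Signer $NewPatch
if ($newSigner.Thumbprint -ne $new.Thumbprint) {
    throw "$NewPatch must be signed with the renewed certificate ($NewCer), but is signed with $($newSigner.Thumbprint)."
}

Write-Host 'OK: MSI and intermediate patch use the old certificate, later patches use the new one.'
```

Run it from the build output directory (for example `.\Check-PatchCerts.ps1 -Msi .\Setup.msi`) as the last step before publishing; the script stops at the first mismatch, so a patch accidentally signed with the wrong certificate never reaches users whose least-privileged installs would then fail.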