Certificate Chain Validation Failed

How to resolve the error "Certificate Chain validation failed" received while trying to sign packages?

By default, the certificate generated by the IIS server is for client and server authentication.

Package publishing requires a code signing certificate, so the default self-signed IIS certificate will not work.

Generate a code signing certificate as follows:

  1. Run the following PowerShell command:

New-SelfSignedCertificate -Subject "CN=CERTNAME, OU=PackageSigningTest" `
    -FriendlyName "NuGetTestDeveloper" `
    -Type CodeSigning `
    -KeyUsage DigitalSignature `
    -KeyLength 2048 `
    -KeyAlgorithm RSA `
    -HashAlgorithm SHA256 `
    -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" `
    -CertStoreLocation "Cert:\CurrentUser\My"

  • The output of the above command shows the new certificate's thumbprint, which is needed in the next step.
  • The command creates the certificate in the "Cert:\CurrentUser\My" location.
  2. Now export the certificate from that location and install it in the Personal and Trusted Root Certification Authorities stores. Use the command below to export the certificate:

$cert = Get-ChildItem -Path cert:\CurrentUser\My\{Thumbprint_Value}
Export-Certificate -Cert $cert -FilePath c:\certs\user.cer

  • Here, {Thumbprint_Value} is the value returned by the previous PowerShell command, and -FilePath is the location where the certificate will be saved.
  3. Note that, as per the current design of UiPath Studio, only certificates of type .pfx or .p12 can be used as signing certificates. Use the command below to export the certificate in that format:

$mypwd = ConvertTo-SecureString -String "1234" -Force -AsPlainText
Export-PfxCertificate -Cert cert:\currentuser\my\{Thumbprint_value} -FilePath c:\myexport.pfx -ChainOption EndEntityCertOnly -NoProperties -Password $mypwd

Note: Set the -String parameter to the password that protects the exported .pfx file; "1234" above is only a sample value.

  4. Add the trusted author to the NuGet.config file by following the steps in Adding a Trusted Author.
Note: In the NuGet.config file, use the SHA-256 fingerprint instead of the SHA-1 fingerprint.
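
Added example, not part of the original article: a check that each certificate in "Cert:\CurrentUser\My" carries the Code Signing EKU (rather than only the server and client authentication EKUs of the default IIS certificate), together with the SHA-256 fingerprint for NuGet.config. The function name Get-SigningCertInfo is hypothetical, and the fingerprint is assumed to be the SHA-256 hash of the DER-encoded certificate.

```powershell
# Added example; Get-SigningCertInfo is a hypothetical helper name.
# EKU OIDs: 1.3.6.1.5.5.7.3.1 = server auth, 1.3.6.1.5.5.7.3.2 = client auth,
#           1.3.6.1.5.5.7.3.3 = code signing.
$CodeSigningOid = '1.3.6.1.5.5.7.3.3'

function Get-SigningCertInfo {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate
    )
    process {
        # Collect the OIDs listed in the Enhanced Key Usage extension, if present.
        $ekuOids = @(
            $Certificate.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
                ForEach-Object { $_.EnhancedKeyUsages } |
                ForEach-Object { $_.Value }
        )

        # SHA-256 over the DER-encoded certificate (assumed fingerprint format).
        # The Thumbprint property shown by the certificate provider is SHA-1.
        $sha256 = [System.Security.Cryptography.SHA256]::Create()
        try     { $hash = $sha256.ComputeHash($Certificate.RawData) }
        finally { $sha256.Dispose() }

        [pscustomobject]@{
            Subject           = $Certificate.Subject
            HasPrivateKey     = $Certificate.HasPrivateKey
            HasCodeSigningEku = $ekuOids -contains $CodeSigningOid
            EkuOids           = $ekuOids -join ', '
            Sha1Thumbprint    = $Certificate.Thumbprint
            Sha256Fingerprint = -join ($hash | ForEach-Object { $_.ToString('X2') })
        }
    }
}

# Report on every certificate in the current user's Personal store.
Get-ChildItem -Path Cert:\CurrentUser\My | Get-SigningCertInfo | Format-List
```

A certificate that reports HasCodeSigningEku as False, or HasPrivateKey as False, is not the one created in step 1.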