Self-signed cert install (recommended for v0.1.0)¶
The v0.1.0 release is signed with a self-signed certificate. To load the connector without relaxing Power BI Desktop's security setting, trust the certificate thumbprint that signed the .pqx.
Why self-signed?
A real EV/OV code-signing certificate (Sectigo, DigiCert, SSL.com) costs ~US$300–600/year. We want to validate the connector first and spend on a real cert once there's demand. See the roadmap for when we plan to revisit this.
Prerequisites¶
- Windows 10 or 11 with admin rights (trust-store import requires elevation).
- Power BI Desktop (Win32 installer build, not the Microsoft Store build).
Step 1 — Download the release assets¶
From the latest GitHub Release, grab:
OpenEHR.pqx— the signed connector.dev-cert.cer— the public certificate.install-powerbi-connector.ps1— installs the connector and trust settings.TRUSTED_CERTIFICATE_THUMBPRINT.txt— the thumbprint used by Power BI Desktop trust policy.
Step 2 — Install connector and trust settings¶
Open an elevated PowerShell prompt and run:
The script:
- Copies
OpenEHR.pqxto the actual Power BI Desktop custom connector folder under your Windows Documents path. - Imports
dev-cert.cerintoLocalMachine\RootandLocalMachine\TrustedPublisher. - Adds the certificate thumbprint to
HKLM:\Software\Policies\Microsoft\Power BI Desktop\TrustedCertificateThumbprints.
Microsoft documents this thumbprint registry value as the trust mechanism for signed third-party connectors under the Recommended security setting.
Manual install¶
If you cannot use the script:
$documents = [Environment]::GetFolderPath('MyDocuments')
$dest = Join-Path $documents 'Microsoft Power BI Desktop\Custom Connectors'
New-Item -ItemType Directory -Force -Path $dest | Out-Null
Copy-Item .\OpenEHR.pqx -Destination $dest -Force
Unblock-File (Join-Path $dest 'OpenEHR.pqx')
Import-Certificate -FilePath .\dev-cert.cer -CertStoreLocation Cert:\LocalMachine\Root
Import-Certificate -FilePath .\dev-cert.cer -CertStoreLocation Cert:\LocalMachine\TrustedPublisher
$thumbprint = (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2('.\dev-cert.cer')).Thumbprint
$policyPath = 'HKLM:\Software\Policies\Microsoft\Power BI Desktop'
New-Item -Path $policyPath -Force | Out-Null
New-ItemProperty -Path $policyPath -Name TrustedCertificateThumbprints -PropertyType MultiString -Value $thumbprint -Force | Out-Null
Step 3 — Restart Power BI Desktop¶
Fully quit Power BI Desktop and relaunch. The connector should appear at Get Data → Other → openEHR (Beta).
Verifying the signature¶
$connector = Join-Path ([Environment]::GetFolderPath('MyDocuments')) 'Microsoft Power BI Desktop\Custom Connectors\OpenEHR.pqx'
Get-AuthenticodeSignature $connector
Get-ItemProperty 'HKLM:\Software\Policies\Microsoft\Power BI Desktop' -Name TrustedCertificateThumbprints
Power BI Desktop trusts the .pqx when the certificate thumbprint appears in TrustedCertificateThumbprints. Get-AuthenticodeSignature can still report a self-signed chain nuance on some machines; the Power BI trust gate is the thumbprint policy.
Troubleshooting¶
- Connector does not appear — verify the file is under
Join-Path ([Environment]::GetFolderPath('MyDocuments')) 'Microsoft Power BI Desktop\Custom Connectors', not%USERPROFILE%\Documents\Power BI Desktop\Custom Connectors. - Uncertified connector dialog appears — the thumbprint policy is missing. Re-run Step 2 from an elevated prompt.
- Gateway refresh fails with "untrusted publisher" — same cert import must be performed on the gateway host. See install-gateway-admin.md.