Signing your clickonce application with a certificate created by your own CA root

Published 04-12-2007 3:43 PM

I have been investigating how to sign a ClickOnce application using a certificate signed by our own corporate w2k3 Certification Services. Easy enough you would think? True... but unfortunately quite a lot of time passed between the idea and the signed application :-) Most of the samples and documentation assume you will be buying an Authenticode certificate from VeriSign or the likes.

The two pieces of the puzzle that made everything click are the following two URLs (in order of appearance):

Creating a certificate for code signing

http://www.leastprivilege.com/W2K3CAAndCodeSigningCertificates.aspx

Converting the certificate to a .pfx file that can be used by Visual Studio

http://www.softinsight.com/bnoyes/PermaLink.aspx?guid=78d107d1-3937-4d8d-81d9-73cb6ae18eee

Here are the steps that I took to create a certificate that can be used for signing (based on the information found at the above two links):

Step 1: Enable the code signing template

Before requesting a certificate from your CA service, you first have to enable the code signing template by using the certtmpl.msc MMC snapin. This link describes how to do that.

Step 2: Request the certificate

Go to your certificate services website and request the certificate the way you normally would, choosing the options for requesting an advanced certificate. The following screen will appear:

There are some things to do before you click the request button though:

  • Choose Code signing under certificate template
  • Select the Mark keys as exportable checkbox
  • Select the Export keys to file checkbox that will appear
  • Enter a path and filename in the Full path name textbox (for example c:\MyKey.pvk)

Leave all the other settings to their defaults (unless you know what you are doing, which I myself do not) and press the submit button.

Step 3: Ignore all the security warnings

Just click yes to all the browser based whining :-)

The browser will save the file with your private key (the one with the .pvk extension) to the location that you specified in step 2.

Step 4: Enter password and save certificate

In the screen that appears next, enter a password. After you click ok you will be presented with the option to download the certificate file (with a .cer extension). Save this file somewhere on your hard-drive, preferably at the same location as the one that you entered in step 2.

Step 5: Follow the steps on Brian Noyes's blog

Brian Noyes has an excellent post on his blog describing the steps that need to be taken to create a pfx file. In short the steps are:

  • Download and install pvkimprt.exe
  • Run pvkimprt.exe MyCert.cer MyCert.pvk
  • Enter the password that you chose in step 4
  • Next » Next » Finish » OK
  • Run certmgr.exe from the VS Command Prompt
  • Select your imported certificate and click the export button
  • Next » (important) choose the yes, export the private key option
  • Next » Next » enter password » enter location and filename to save pfx file to » Next

Step 6: Sign your application

That's it! You have just created a pfx file that you can use for signing your ClickOnce application. Your CA certificate needs to be trusted as a CA root by your clients and your publisher certificate (the .cer file that you created in step 2) needs to be trusted as a publisher. This can be accomplished by manually importing the certificate on the client machines or pushing the certificate out through your infrastructure tooling.

You can now take the pfx file and apply it on the signing tab of your project properties.

Remarks

Do not forget that the certificate that you created will expire in one year (unless you changed the template in certtmpl.msc). There is a specific issue with ClickOnce if you re-issue a certificate with a new public/private key pair. If you simply renew your certificate this should not be too big of an issue.
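As an added example (not from the original post, and not something the tools above ship with), here is a PowerShell pre-flight check for the pfx exported in step 5 before it goes on the signing tab, with the expiry remark above turned into a warning and the step 6 client-side trust done with certutil. The file paths, the parameter names and the use of certutil are assumptions; adjust the paths to where you saved the files in steps 2 and 4.

```powershell
# Added example, not from the original post: check the pfx from step 5 before signing with it,
# and optionally import the CA root and publisher certificate on a client (step 6).
param(
    [string]$PfxPath    = 'C:\MyKey.pfx',   # pfx exported from certmgr.exe in step 5 (assumed path)
    [string]$CaCerPath  = 'C:\MyCA.cer',    # your CA's root certificate (assumed path)
    [string]$PubCerPath = 'C:\MyCert.cer',  # publisher certificate downloaded in step 4 (assumed path)
    [switch]$InstallClientTrust             # run elevated on a client to import both
)

$CodeSigningEku = '1.3.6.1.5.5.7.3.3'       # id-kp-codeSigning
$password = Read-Host -AsSecureString -Prompt 'pfx password (entered in step 5)'
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
            -ArgumentList $PfxPath, $password, ([System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
$problems = @()

# 1. The private key must be inside the pfx, or Visual Studio cannot sign with it.
if (-not $cert.HasPrivateKey) {
    $problems += 'no private key in pfx: re-export with "Yes, export the private key"'
}

# 2. The Code signing template adds the code-signing EKU; without it the certificate is not usable for signing.
$eku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
    Select-Object -First 1
if (-not $eku -or -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $CodeSigningEku })) {
    $problems += 'certificate lacks the Code Signing EKU: check the template chosen in step 2'
}

# 3. The template default lifetime is one year; warn early so the certificate is renewed, not re-issued.
$daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
if ($daysLeft -le 0) { $problems += "certificate expired on $($cert.NotAfter)" }
elseif ($daysLeft -lt 60) { Write-Warning "certificate expires in $daysLeft days; renew it rather than re-issuing with a new key pair" }

# 4. The chain must build to a root this machine trusts, for the code-signing purpose.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # an internal CA may publish no reachable CRL
$null = $chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid -ArgumentList $CodeSigningEku))
if (-not $chain.Build($cert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    $problems += "chain does not build to a trusted root: $status"
}

if ($problems) { $problems | ForEach-Object { Write-Error $_ }; exit 1 }
Write-Host "OK: $($cert.Subject), thumbprint $($cert.Thumbprint), valid until $($cert.NotAfter)"

# Step 6 on a client: trust the CA as a root and the publisher certificate as a publisher.
if ($InstallClientTrust) {
    certutil -addstore -f Root $CaCerPath
    certutil -addstore -f TrustedPublisher $PubCerPath
}
```

Run it without -InstallClientTrust on the build machine first; if the chain check fails there, the clients will fail in the same way until the CA root is pushed out.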


Hope this helps,


Waseem
