StrataFrame Forum

Generate Certificate for ClickOnce

http://forum.strataframe.net/Topic21483.aspx

By Philipp Guntermann - 1/12/2009

Hi,

I am looking for a tool to generate non-expiring certificates for ClickOnce deployment of our applications. All I found so far is some Microsoft command line tool, which explicitly states that the certificates it generates are only for "test" purposes.

Thanks.

By Philipp Guntermann - 1/13/2009

This is what I got from reading the MSDN information on the subject:

1) I start the "Visual Studio 2008 Command Prompt" and first enter:

C:\Programme\Microsoft Visual Studio 9.0\VC#>makecert.exe -n "CN=ERV" -pe -r -eku 1.3.6.1.5.5.7.3.3 -e 01/01/2039 -sv ERV.pvk ERV.cer -a sha1

This will ask me for a password twice. I choose "mypassword" for both.

It will then say: "Succeeded".

2) Next I'll enter:

C:\Programme\Microsoft Visual Studio 9.0\VC#>pvk2pfx.exe -pvk ERV.pvk -spc ERV.cer -pfx ERV.pfx

This will ask me for the password again. I enter "mypassword" again.

It will then create a file called ERV.pfx

3) Within the solution in Visual Studio I go to Properties->Signing and select "From File". I then choose the created "ERV.pfx" file.

It will ask me for the password. I enter "mypassword".

Now I get an error message saying "The password is invalid"!!

I also tried the same procedure selecting "No Password" at step 1 and then never entering a password. It will still ask for a password when selecting the file in VS and then say "The password is invalid".

^^
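
An added example, not part of the original post: the steps above end with a PFX whose password is rejected, so this sketch creates a self-signed code-signing certificate, exports it, and then re-opens the file to check the password, private key, code-signing EKU and expiry before it is handed to Visual Studio. It uses the New-SelfSignedCertificate cmdlet instead of the makecert/pvk2pfx tools from the post. The assumptions are Windows 10 or Server 2016 and later with PowerShell 5.1, a 10-year lifetime, and a hypothetical helper named Test-SigningPfx.

```powershell
# Added example. CN=ERV and ERV.pfx follow the thread; the 10-year lifetime is an assumed value.
$ErrorActionPreference = 'Stop'
$CodeSigningOid = '1.3.6.1.5.5.7.3.3'   # the EKU the post passes to makecert -eku

function Test-SigningPfx {
    # Hypothetical helper: opens a PFX with the given password and reports what signing depends on.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][securestring]$Password
    )
    try {
        $c = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Path, $Password)
    } catch {
        # A wrong password or a malformed file fails here, before Visual Studio is involved.
        return [pscustomobject]@{ Opens = $false; Error = $_.Exception.Message }
    }
    $eku = $c.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    [pscustomobject]@{
        Opens         = $true
        Subject       = $c.Subject
        HasPrivateKey = $c.HasPrivateKey
        CodeSigning   = [bool]($eku -and ($eku.EnhancedKeyUsages.Value -contains $CodeSigningOid))
        NotAfter      = $c.NotAfter
        DaysLeft      = [int]($c.NotAfter - (Get-Date)).TotalDays
    }
}

$pfxPath     = Join-Path (Get-Location) 'ERV.pfx'
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password for the new PFX'

# Self-signed code-signing certificate with an exportable private key.
$cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject 'CN=ERV' `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyExportPolicy Exportable -CertStoreLocation 'Cert:\CurrentUser\My' `
    -NotAfter (Get-Date).AddYears(10)

Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# Re-open the exported file with the same password and inspect it.
Test-SigningPfx -Path $pfxPath -Password $pfxPassword | Format-List
```

Test-SigningPfx can also be pointed at a PFX produced by other tools; Opens = False means the file and password do not match, independent of Visual Studio.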

By Trent L. Taylor - 1/13/2009

Yeah, this can be a frustrating process. It is never straightforward. The ultimate goal is to get the certificate in a pfx format, then you can use the code signing tool to sign any EXE or install. This is the approach that we take. Generally you are starting with a .SPC file that you received from the certificate company as well as the PVK. To produce a PFX, you can use this pvkimprt tool:

pvkimprt.exe -PFX mycert.spc mykey.pvk

By Philipp Guntermann - 1/13/2009

you are starting with a .SPC file that you received from the certificate company as well as the PVK.

Hi Trent, thanks for the reply.

However, we don't have an SPC from a certificate company. Basically I want to make my own certificate. I don't care about the warning message during install, but I want it to last very long, or better, never expire during the application's lifetime.

By Greg McGuffey - 1/13/2009

Philipp,

What I did for ClickOnce is to just generate the certificate using Visual Studio, then I used the tool from this site to extend the time of the certificate:

http://www.may.be/renewcert/

I made it last like 10 years...probably by then we'll be using something else anyway. I did this about a year ago, so I don't remember exactly how it works, but I got it to work eventually. If you are already installing your app via ClickOnce in production, be sure to update the current certificate, or everybody has to uninstall/reinstall.

Good luck!

Greg

By Philipp Guntermann - 1/13/2009

Hi Greg,

Thanks. I will try that tool tomorrow.

Can you confirm that the "Untrusted Source" message only appears on the first install, and not anymore on updates? Because we plan to distribute the ClickOnce-Setup.exe file through Novell NAP, so that a user clicks that and it will always be up-to-date.

If it were showing the message for the updates as well, we would instead need to distribute 2 shortcuts (one for update, and one for regular program use).

By Greg McGuffey - 1/13/2009

Yes, you only see the untrusted message on first install. After that, when the user starts the app, a "launching application" dialog will appear that indicates that ClickOnce is verifying the app. The app will then either startup or if a new build is available and required, it will automatically start downloading, install itself and the app will start. I can't remember what happens with an optional upgrade...just don't do optional installations (maybe once in two years).

By Philipp Guntermann - 1/13/2009

Hi Greg,

I have now tried this at home. I installed VC++ Express and downloaded the Renewcert project from the URL you linked. I then changed the code to add 50 years instead of 5 and compiled it.

It really works. Made a little test C# solution and it now has a certificate expiring on the 13.01.2059.

Many thanks for that information !!

By Greg McGuffey - 1/13/2009

Cool! This is a must have when using ClickOnce. You're smart to figure this out early instead of suddenly getting a ton of support calls because the app won't install anymore!

By Ivan George Borges - 1/13/2009

"... and it now has a certificate expiring on the 13.01.2059"

Have you started worrying about what you are going to do after that? Hehe

By Philipp Guntermann - 1/13/2009

Ivan George Borges (01/13/2009)
"... and it now has a certificate expiring on the 13.01.2059"

Have you started worrying about what you are going to do after that? Hehe

worst case scenario:

telling someone that it wasn't my fault

best case scenario:

lying on the beach, enjoying the cocktails - and the girls who get them to me

By Greg McGuffey - 1/14/2009

LOL

Glad the tool worked for you too!