Beta 1 allowed you to sign your ClickOnce manifests simply by using a strong name key file (.snk). Beta 2 no longer supports this, and you are required to provide a publisher certificate. This was a bit confusing for me because I had never had to deal with certificates before, and I had to ask Google for help.
I quickly came across the article “Configuring ClickOnce Trusted Publishers” by Brian Noyes, published last month on MSDN. It explains in detail how ClickOnce uses certificates and what needs to be done to publish your certificates to user machines so that users won't be prompted each time an application requires elevated privileges. You will also learn how to create a test certificate for yourself using Visual Studio 2005.
The test certificate that VS creates works fine, but it has a short validity period (several hours), so I don't think it could be deployed on a production server. As I said, I don't know much about certificates, but I was curious how to make my own private certificate for my projects.
After a bit more searching I found that the Framework SDK contains a tool for this, called MakeCert. Here is the command line to make a certificate similar to the one created by VS:
makecert -r -pe -a sha1 -n "CN=yourcompany" -b 01/01/2000 -e 01/01/2036 -eku 1.3.6.1.5.5.7.3.3 -ss My
The -b and -e options specify the time period during which the certificate is valid. The -eku option specifies that the certificate is intended for code signing. I've also added the -a sha1 option to set the same algorithm that VS uses (but I don't think it matters).
It's important to use the -pe option, which allows the private key to be exported from the certificate. To do this, use CertMgr (another tool from the Framework SDK). The new certificate will be installed in your personal store. Select it and click the Export button. Click Next on the first page, and on the second choose to export the private key. On the next page you can select some additional options; if you are not sure, just leave the defaults. After that you will be asked to type a password for the file; it can be left blank. On the last page, specify the file name and location. Finish the wizard and you should get a .pfx file that can be used in VS or imported on user machines.
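To confirm that the certificate in the personal store really has the properties the makecert options were meant to set (validity window, code-signing EKU, signature algorithm, private key), it can be inspected from PowerShell. This is an added example, not part of the original post; it assumes the subject CN=yourcompany from the command above and the current user's personal store.

```powershell
# Added example: inspect the certificate that makecert placed in CurrentUser\My.
# Assumption: the subject matches the -n value used above; change it to match yours.
$subject        = 'CN=yourcompany'
$codeSigningOid = '1.3.6.1.5.5.7.3.3'   # Code Signing enhanced key usage

$certs = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Subject -eq $subject }
if (-not $certs) {
    Write-Error "No certificate with subject '$subject' found in CurrentUser\My"
    return
}

foreach ($cert in $certs) {
    # Pull the OIDs out of the Enhanced Key Usage extension, if the certificate has one.
    $ekuExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $ekuOids = @()
    if ($ekuExt) {
        $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
    }

    $now = Get-Date
    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        SelfSigned    = ($cert.Subject -eq $cert.Issuer)      # -r makes issuer equal subject
        NotBefore     = $cert.NotBefore                       # from -b
        NotAfter      = $cert.NotAfter                        # from -e
        ValidNow      = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
        SignatureAlg  = $cert.SignatureAlgorithm.FriendlyName # from -a
        CodeSigning   = ($ekuOids -contains $codeSigningOid)  # from -eku
        HasPrivateKey = $cert.HasPrivateKey                   # needed to sign manifests
    }
}
```

If CodeSigning or HasPrivateKey comes back False, the certificate cannot be used on the Signing tab and should be recreated.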
To use this certificate to sign your project manifests, open the project properties (from Solution Explorer) and go to the Signing tab. You can either click the “Select from Store...” button and select the certificate from your personal store, or use the “Select from File...” button if you exported the certificate to a file.
To learn how to publish the certificate to user machines, read Brian's article.
Now that I have my own certificate, my next goal is to automate the publishing so it can be run without using Visual Studio. The ultimate goal is to make it part of the install application (for the server part). Please let me know if you have any success with that.