Szymon Kobalczyk's Blog

A Developer's Notebook

  Home  |   Contact  |   Syndication    |   Login
  106 Posts | 6 Stories | 584 Comments | 365 Trackbacks


View Szymon Kobalczyk's profile on LinkedIn

Tag Cloud


Blogs I Read

Tools I Use

Beta 1 allowed to sign your ClickOnce manifests simply by using a string name key file (.snk). Beta 2 no longer support this, and you are required to provide a publisher certificate. This was bit confusing for me because I had never before to deal with certificates and I had to ask Google for help.

I quickly came across the article “Configuring ClickOnce Trusted Publishers“ by Brian Noyes published last month on MSDN . It explains in detail how ClickOnce uses the certificates and what needs to be done to publish your certificates to user machines so they won't be prompted each time when applications requires elevated privileges. You will also learn how to create a test certificate for yourself using Visual Studio 2005.

The test certificate that VS creates works fine but it has a short validity period (several hours) so I don't think it could be deployed on production server. As I said, I don't know much about certificates, but I was curious how to make my own private certificate for my projects.

After bit more searching I found that Framework SDK contains tool for this, called MakeCert. Here is the command line to make a certificate similar to one created by VS:

makecert -r -pe -a sha1 -n "CN=yourcompany" -b 01/01/2000 -e 01/01/2036 -eku -ss My

The -b and -e option specify the time period when certificate is valid. The -eku option specifies the certificate is intended for code signing. I've also added -a sha1 option to set the same algorithm that VS uses (but I don't think it matters).

It's important to use the -pe option which allows to export the private key from the certificate. To do this use CertMgr (another tool from Framework SDK). The new certificate will be installed in your personal store. Select it and click on the Export button. Click Next on the first page, and on the second select to export the private key. On the next one you can select some additional options; if not sure just leave on default. After that you will be asked to type password for the file; can be left blank. On the last one specify the file name and location. Finish the wizard and you should get a .pfx file that can be used in VS or imported on user machines.

To use this certificate to sign your project manifests open project properties (from Solution Explorer) and go to the Signing tab. You can either click “Select form Store...” button and select the certificate from your personal store or use the “Select form File...“ button if you exported the certificate to a file.

To learn how to publish the certificate to user machines read the Brian's article.

Now that I have my own certificate, my next goal is to automate the publishing so it can be run without using Visual Studio. The ultimate goal is to make it part of the install application (for the server part). Please let me know if you have any success with that.

posted on Monday, May 30, 2005 10:50 PM


# re: Creating Publisher Certificates For ClickOnce 7/15/2005 11:59 AM Sander Oosterwijk
Great article!

# re: Creating Publisher Certificates For ClickOnce 11/21/2005 10:18 PM AustinW
This is what I have been looking for for months. It's a wonder Microsoft can't come up with any tutorials so simple and straightforward...

# Top X ways to learn about ClickOnce 11/21/2005 4:39 PM Saurabh Pant's Weblog
Sameer Bhangar the Test Lead on ClickOnce project recently internally sent out a list of the top ways...

# re: Creating Publisher Certificates For ClickOnce 4/24/2006 3:26 PM Wonder Nuts
Outstanding! The combination of the two articles are exactly what I needed.

# re: Creating Publisher Certificates For ClickOnce 7/7/2006 5:49 PM Joe
Thanks for the Info,

Once I created the key we just used AD and set up the Key to be pushed vie GPO.

I'm still interested figuring out a way to include it the install, will mess with that when I have more time.

Here's another way to create a cert if any one is interested.


# re: Creating Publisher Certificates For ClickOnce 4/22/2008 7:28 PM Jonathan McAllister
I have figured out how to wrap clickonce via installshield for deployment to clients private networks. It takes some gymnastics do be done via MSBUILD and via installshield if anyone is interested in learning more I can help and consult.

# re: Creating Publisher Certificates For ClickOnce 4/22/2009 12:38 PM KP
I have an existing clickonce deployed apllication but have had to rebuild the build server. How to i continue deploying to the existing clickonce location using the new build machine?
Thanks in advance.


# re: Creating Publisher Certificates For ClickOnce 8/30/2009 8:01 AM yakir dorani
msbuild projfile.csproj /t:publish should do the trick. You can also automate it in no time.

# re: Creating Publisher Certificates For ClickOnce 3/31/2010 1:46 AM Dogu Tumerdem
Thank you, this short and helpful...

# re: Creating Publisher Certificates For ClickOnce 7/19/2010 5:35 AM Jaco Pretorius
Thanks man!!!! This will help a lot!!!

# re: Creating Publisher Certificates For ClickOnce 11/17/2010 2:52 PM Virgil
Quick question. Where does the cert file get generated?

# re: Creating Publisher Certificates For ClickOnce 11/26/2010 8:27 PM payday loans in georgia Atlanta
This post is really great! I have been searching for some information about the Publisher Certificates and accidentally I have noticed this headline. As I see, this site is full of more such great posts like this one so I will definitely bookmark it. Thanks a lot one more time.

# re: Creating Publisher Certificates For ClickOnce 5/18/2011 1:51 PM mehmood
when i open i dont see a movie and see a message " need a latest version of flash player

# re: Creating Publisher Certificates For ClickOnce 7/14/2011 10:34 AM Nick
This was extremely useful. Thanks.

Post A Comment