0
votes

I have published a ClickOnce application with a trusted publisher (.pfx) certificate. I'm trying this in an enterprise environment so the certificate was generated and given to my domain administrator so it's specific to my machine. So I have installed the certificate (using the pfx file) in my trusted publisher list.

I have also signed my ClickOnce application using the same certificate.

When I view the certificate, it all seems to look OK.

However, finally when I try to install the ClickOnce application using the published setup files, in the prompt it still says it's untrusted.

I would expect it to say at least the publisher's name correctly in the prompt (as per http://msdn.microsoft.com/en-us/library/ms996418.aspx). Any ideas how to resolve this?

2 Answers

0
votes

I think the issue is your self-issued cert needs to be added to target machines to the cert store container for trusted publishers.

To add a certificate to the Trusted Publishers store under a different root authority:

  1. Obtain a digital certificate from a CA.
  2. Export the certificate into the Base64 X.509 (.cer) format.
  3. From the command prompt on client computers, run the following commands:

         certmgr.exe -add LONWS09203.cer -c -s -r localMachine Root
         certmgr.exe -add LONWS09203.cer -c -s -r localMachine TrustedPublisher

FYI, certmgr.exe lives in the Windows SDK on my workstation:

    C:\>where certmgr.exe
    C:\Program Files\Microsoft SDKs\Windows\v7.0A\bin\CertMgr.Exe

This answer didn't apply to my VS2010 VSTO project, but might apply to yours:

Then, the most important step which I couldn't seem to find documented anywhere, right click your project in VS, go to the 'Publish' tab, click 'Options', then 'Manifests', then 'Use application manifest for trust information'.


Sources:

0
votes

OK, upon further investigation, it actually seems to be an actual issue with the integrity of the certificate provided by our IT team. I repeated the same process above using a temporary certificate generated in VS2012 and then adding that to the Trusted Root Publishers, and this time the dialog did display the Publisher Name as expected. So it looks like an issue with the integrity of the certificate generated by the IT team.
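
A way to check the two things the answers above point at, store placement and the validity of the certificate itself, as an added PowerShell example that is not part of the original posts. The default `.\publisher.cer` path is a placeholder, and revocation checking is switched off here as an assumption so the result does not depend on whether the issuing CA's CRL is reachable.

```powershell
# Added diagnostic example, not code from the thread.
# Assumption: -CerPath is the public certificate (.cer) exported from the signing .pfx.
param([string]$CerPath = '.\publisher.cer')   # placeholder path

$file = (Resolve-Path $CerPath).ProviderPath
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file

# True when a certificate with the same thumbprint is present in the given store.
function Test-InStore {
    param([string]$Name,
          [System.Security.Cryptography.X509Certificates.StoreLocation]$Location)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList $Name, $Location
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    try {
        $hits = $store.Certificates.Find(
            [System.Security.Cryptography.X509Certificates.X509FindType]::FindByThumbprint,
            $cert.Thumbprint, $false)
        return ($hits.Count -gt 0)
    } finally { $store.Close() }
}

# Build the chain: reports an untrusted root, an expired certificate or a bad signature.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chainOk = $chain.Build($cert)
$root    = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

# A certificate with no EKU extension is valid for all purposes; otherwise it
# must list Code Signing (OID 1.3.6.1.5.5.7.3.3).
$eku = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$ekuOids     = @($eku | ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
$codeSigning = (-not $eku) -or ($ekuOids -contains '1.3.6.1.5.5.7.3.3')

[pscustomobject]@{
    Subject                     = $cert.Subject
    Thumbprint                  = $cert.Thumbprint
    ValidFrom                   = $cert.NotBefore
    ValidTo                     = $cert.NotAfter
    AllowsCodeSigning           = $codeSigning
    ChainBuilds                 = $chainOk
    ChainStatus                 = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    ChainRootSubject            = $root.Subject
    InMachineTrustedPublisher   = Test-InStore 'TrustedPublisher' 'LocalMachine'
    InUserTrustedPublisher      = Test-InStore 'TrustedPublisher' 'CurrentUser'
}
```

If `ChainBuilds` is false or `AllowsCodeSigning` is false, adding the certificate to Trusted Publishers will not by itself make the prompt show the publisher; the `ChainStatus` values say what is wrong with the certificate.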