31

What is the process of obtaining a certificate to sign my ClickOnce assembly(ies)?

I've got a few ClickOnce applications at my company, but they are all signed with temporary certificates created by Visual Studio. Those are obviously not Trusted Root Authorities nor Trusted Publishers. I've followed along the article Configuring ClickOnce Trusted Publishers, and I like the experience when something is signed with a certificate that is both a Trusted Root Authority and Trusted Publisher (that is, no prompt, just an install).

  1. Can I use the same certificate to sign multiple ClickOnce assemblies?
  2. How much does a certificate cost?
  3. What information do I need to provide when obtaining the certificate?
  4. Does the certificate need to be aware of where the publishing location is? For example, if I currently have my ClickOnce applications available from http://apps.mycompany.com/ and I want to change this later, for example http://www.mycompany.com/apps or http://apps.mysubcompany.com, will I have to obtain another certificate?
  5. Are there recommended publishers to obtain from for ClickOnce signing (for example, someone who might already be in an Windows XP, Windows Vista, or Windows 7 Trusted Root Authority store)?
  6. How can I streamline installation to the Trusted Publisher store?
Peter Mortensen
  • 30,738
  • 21
  • 105
  • 131
Brian
  • 1,383
  • 3
  • 16
  • 30

2 Answers2

12

I had to work through the signed ClickOnce recently. It was not the most smooth experience, but once this has been done (and wired to the automated publishing) it started working like a marvel. Here's the actual product, if you are interested in the behavior: Forecasting Add-in for Excel.

Article on ClickOnce Manifest Signing and Strong-Name Assembly Signing was a good start.

Can I use the same certificate to sign multiple ClickOnce assemblies?

Yes.

How much does a certificate cost?

Tucows offers certificates for 75$, but the process is rather slow.

What information do I need to provide when obtaining the certificate?

They check your documents (e.g. a scan of your certificate of incorporation), check your whois record and things like this.

Does the certificate need to be aware of where the publishing location is?

This was not needed in our case.

Rinat Abdullin
  • 23,036
  • 8
  • 57
  • 80
  • How long is the expiration period? We use a locally generated certificate for in house applications, which is fine, but expires after 1 year. Is it possible to get a certificate that is good for a lot longer? – AndyD273 Oct 21 '15 at 14:22
1

I have a code signing certificate from Thawte, and it has worked very well (once I got the signing procedure figured out...)

  • It costs US$299 per year (Microsoft Authenticode (Multi-Purpose) Certificate)

  • Thawte is already a trusted root in Windows so for clients it works fine. (I had to install extra root certificates on the signing machine, though.)

You are welcome to check out our app at http://www.ludesi.com/download.

Peter Mortensen
  • 30,738
  • 21
  • 105
  • 131
andyhammar
  • 1,443
  • 13
  • 19
  • 4
    Don't buy a thawte certificate if you ever think you are going to deploy any Office Add-Ins with ClickOnce. They have an intermediate publisher, and don't chain back correctly with the ClickOnce software for VSTO add-ins. Just FYI. Fine for regular desktop apps. (This is a ClickOnce bug.) – RobinDotNet Jul 14 '10 at 03:37
  • 3
    @RobinDotNet do you know any publisher that does not have the problem you describe? – Cilvic Sep 01 '11 at 10:25
  • I know this is super old but I used a thawte certificate in this way starting in 2017 and had no issues. Must have been fixed long ago. – Chris May 27 '20 at 20:08