We developed a ClickOnce application meant to be hosted by our clients. There are certain settings the client must update once they have the ClickOnce package deployed to their servers. The problem is how do we allow the clients to make updates to the necessary files and update and re-sign the ClickOnce manifests without us having to give away our certificate?

AClickOnceDeveloper, Friday, July 24, 2009 12:23 AM

Dang, that's a good question. Did you buy your certificate from Verisign or Thawte, i.e. it's not a test certificate? You could argue that your clients should buy their own certificate and use it to sign it. Also, there is a way for the network guys to create a certificate for the server and use that (post back if you want more info and I'll look it up and explain it better). Or you can create a "test certificate" and provide it, and it will say "unknown publisher" when they install it, but they will know it's okay since they are the ones publishing it.

RobinDotNet

RobinDotNet, Friday, July 24, 2009 6:34 AM

Thanks for the information, RobinDotNet. Having the clients buy their own certificate was one of my thoughts too. The idea of having their network guys create a local certificate is a good idea, but when the client's users download our product it'll have their company's name as the publisher, right? Now if I use the "test certificate", will clients with "high security" turned on in their browser settings still be able to download the application? I recently read that there's a way to make the "test certificates" expire in 5 years instead of 1 year. So maybe this is the best way.

AClickOnceDeveloper, Friday, July 24, 2009 6:57 PM

Hi, I know there is a tool called Certificate Creation Tool (Makecert.exe) which can specify the end of the validity period. One of the community members followed up on the thread I had replied to, so I got that information. Thanks to his contribution.

http://msdn.microsoft.com/en-us/library/bfsktky3(VS.80).aspx

That thread: http://social.msdn.microsoft.com/Forums/en-US/winformssetup/thread/a7d8d460-2e4b-4b5b-8472-f6c0a3bf0710/

The extended option -e mm/dd/yyyy lets you specify the end of the validity period. Defaults to 12/31/2039 11:59:59 GMT. Does that meet your needs?
Sincerely, Kira Qian

Marked As Answer by Kira Qian MSFT, Moderator, Thursday, July 30, 2009 6:15 AM

Kira Qian, Monday, July 27, 2009 8:04 AM

Yes that is the tool. Thanks so much for posting it Kira. I'm going to try it out and see if we can make use of the test certificate instead of the purchased ones.

AClickOnceDeveloper, Monday, July 27, 2009 10:27 PM

I think if they create their own certificate, it *would* say their company name under Publisher when they install the ClickOnce application. Same if they buy their own certificate. If you use a test certificate (that is valid for however long), it would say "unknown publisher" when they install the application. The other choice is for YOU to create a test certificate and somehow talk THEM into installing it in the certificate store on each user's machine. Then it wouldn't say unknown publisher, it would say you, because their machine recognizes the certificate used to sign the deployment.

As for making your own test certificate, check this out: http://robindotnet.wordpress.com/2009/03/30/clickonce-and-expiring-certificates/ This blog article has a link to a zip file that has an article about expiring certificates, and it explains exactly how to create a test certificate lasting as long as you want it to.

The other question, about "high security", is that they should still be able to install the ClickOnce application. They get installed under the user's profile, and don't require access to "C:\Program Files" or any places like that that cause so many problems on Vista.

Hope this helps!

RobinDotNet

Marked As Answer by Kira Qian MSFT, Moderator, Thursday, July 30, 2009 6:15 AM

RobinDotNet, Wednesday, July 29, 2009 9:33 AM
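The workflow this thread arrives at, sketched as an added example that is not code from any of the posters: the client creates its own certificate with Makecert.exe (using -e for the expiry), converts it to a .pfx with Pvk2Pfx.exe, edits its settings, and re-signs both manifests with Mage.exe. All paths, file names, the subject name and the deployment URL are assumptions.

```powershell
# Added example; every name, path and URL here is a hypothetical placeholder.
# Run on the client's server, after the client has edited its settings files,
# from a Windows SDK / Visual Studio command prompt so that makecert,
# pvk2pfx and mage are on PATH.
$deployDir      = 'C:\Deploy\MyApp\MyApp_1_0_0_0'
$appManifest    = Join-Path $deployDir 'MyApp.exe.manifest'
$deployManifest = 'C:\Deploy\MyApp\MyApp.application'
$providerUrl    = 'https://apps.client.example/MyApp/MyApp.application'
$pw = Read-Host 'Password for client.pvk / client.pfx'

function Assert-Ok($step) {
    if ($LASTEXITCODE -ne 0) { throw "$step failed with exit code $LASTEXITCODE" }
}

# 1. The client creates its own self-signed code-signing certificate.
#    -e sets the end of the validity period; Makecert asks for the .pvk
#    password in a dialog (enter the same value as $pw).
makecert -r -n 'CN=Client Company' -eku 1.3.6.1.5.5.7.3.3 -len 2048 `
         -e 07/24/2014 -sv client.pvk client.cer
Assert-Ok 'makecert'

# 2. Bundle key and certificate into a .pfx that Mage can sign with.
pvk2pfx -pvk client.pvk -pi $pw -spc client.cer -pfx client.pfx -po $pw
Assert-Ok 'pvk2pfx'

# 3. Mage hashes files under the names listed in the manifest, so strip any
#    ".deploy" extension first and remember what to rename back.
$renamed = Get-ChildItem $deployDir -Recurse -Filter *.deploy | ForEach-Object {
    Rename-Item -LiteralPath $_.FullName -NewName ($_.Name -replace '\.deploy$', '')
    $_.FullName -replace '\.deploy$', ''
}

# 4. Re-hash and re-sign the application manifest, then the deployment
#    manifest that points at it (it also carries the client's own URL).
mage -Update $appManifest -CertFile client.pfx -Password $pw
Assert-Ok 'mage (application manifest)'
mage -Update $deployManifest -AppManifest $appManifest `
     -ProviderUrl $providerUrl -CertFile client.pfx -Password $pw
Assert-Ok 'mage (deployment manifest)'

# 5. Put the ".deploy" extensions back for the web server.
foreach ($path in $renamed) {
    Rename-Item -LiteralPath $path -NewName ((Split-Path $path -Leaf) + '.deploy')
}
```

The vendor's purchased certificate never leaves the vendor in this flow. With a self-signed certificate, users see "unknown publisher" unless client.cer is installed in their certificate store, as RobinDotNet describes.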