Re: ClickOnce and Certificate



Hi,

well - you should care!

As developers it is our responsibility to keep the number of times a user is presented with these security dialogs as low as possible.

You want a client to run your code - then establish some kind of trust relationship. That's for the philosophical part.

Technically - execution of ClickOnce apps without manifests signed by a trusted publisher can be administratively disabled - which would render your app inoperable. That's a company policy thing - like disabling cookies or JavaScript - and btw - my recommendation to every IT guy I talk to.

To get a cert for ClickOnce you have 3 options basically:

1: makecert: only for testing purposes
2: Windows CA (comes with Windows Server)
3: a commercial one

1 is OK for test purposes. 2 is fine for internal apps and extranet scenarios (or you have to go through the process that your clients must trust your internal CA).

3 is the easiest if your software will get used by clients which don't have a trust relationship with your CA - external clients.

So you need a code signing cert every 12 months - which isn't too bad and btw - ClickOnce supports time stamping servers - which means your signed manifests don't expire when your cert expires and you *don't* have to re-sign your apps every 12 months. You just have to use the new cert for new signatures.



---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
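As an added example (not part of the reply above or the original post), the following PowerShell script walks through option 1 from the reply: a makecert test certificate placed in the user's store, then mage.exe signing both ClickOnce manifests against a timestamp server so the signatures stay valid after the certificate expires. The subject name, manifest paths and timestamp URL are assumptions; a Windows CA (option 2) or commercial (option 3) certificate would replace only the makecert step, the signing commands stay the same.

```powershell
# Added example, not the thread's own code. Assumes makecert.exe and mage.exe
# (Windows SDK) are on PATH and that a ClickOnce publish folder already exists.
$ErrorActionPreference = 'Stop'

$Subject        = 'CN=Contoso Test Code Signing'      # assumed test subject
$TimestampUri   = 'http://timestamp.example.invalid'  # PLACEHOLDER: your CA's timestamp URL
$AppManifest    = '.\publish\MyApp.exe.manifest'      # assumed application manifest
$DeployManifest = '.\publish\MyApp.application'       # assumed deployment manifest

function Invoke-Checked {
    # Run an external tool and fail loudly on a non-zero exit code.
    param([string]$Exe, [string[]]$Args)
    & $Exe @Args
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE" }
}

# 1. Test-only certificate (option 1 in the reply): self-signed, code-signing EKU
#    (1.3.6.1.5.5.7.3.3), 12-month validity, stored in CurrentUser\My.
$notBefore = (Get-Date).ToString('MM/dd/yyyy')
$notAfter  = (Get-Date).AddMonths(12).ToString('MM/dd/yyyy')
Invoke-Checked 'makecert.exe' @(
    '-r', '-pe', '-n', $Subject, '-sky', 'signature',
    '-eku', '1.3.6.1.5.5.7.3.3', '-a', 'sha256', '-len', '2048', '-cy', 'end',
    '-b', $notBefore, '-e', $notAfter, '-ss', 'My', '-sr', 'CurrentUser'
)

# Locate the certificate we just created; for options 2 and 3 this lookup is
# the only thing you would keep (select the CA-issued or purchased cert instead).
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq $Subject } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with subject '$Subject' in CurrentUser\My" }

# 2. Sign the application manifest, timestamped so the signature outlives the cert.
Invoke-Checked 'mage.exe' @('-Sign', $AppManifest,
    '-CertHash', $cert.Thumbprint, '-TimestampUri', $TimestampUri)

# 3. Re-embed the signed application manifest's hash in the deployment manifest,
#    then sign the deployment manifest the same way (order matters: app first).
Invoke-Checked 'mage.exe' @('-Update', $DeployManifest, '-AppManifest', $AppManifest)
Invoke-Checked 'mage.exe' @('-Sign', $DeployManifest,
    '-CertHash', $cert.Thumbprint, '-TimestampUri', $TimestampUri)

Write-Host "Signed with $($cert.Thumbprint), cert valid until $($cert.NotAfter)."
Write-Host "Timestamped signatures remain valid past that date; only new signatures need a renewed cert."
```

Because the manifests carry a hash of their contents, any rebuild or edit after signing invalidates the signature, so this script belongs at the very end of the publish step.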

I am looking into deploying a ClickOnce application and am reading all
these things about how you need a certificate to make ClickOnce work.

After looking around, I found that I can use a utility called
MakeCert.exe to make my own certificate, but then the documentation
says that the certificate created with this utility is for testing
purposes and should not be used for commercial purposes because I think
it won't work.

So what am I supposed to do? Is my only option to go and pay for the
certificate? What if I don't care that my users see the *danger, don't
install software from unknown publishers or you will die* message when
they install our software? What are my options?

Thanks
