ClickOnce certificates in a nutshell

I have gotten a lot of questions surrounding the use of certificates in ClickOnce. Here are the key facts to understand:

  • You must sign your ClickOnce manifests with an Authenticode certificate. VS 2005 will do this for you when you publish an application.

  • Authenticode certificates are not the same thing as an SSL certificate or an X509 client certificate used for authentication purposes, even though they are all based on the same technology.

  • You can generate your own certificate using Visual Studio, or the makecert command line utility. In this case, you are both the publisher represented by the certificate and the certificate issuing authority. You will sometimes see this referred to as a self-signed certificate.

  • A third party issued certificate (i.e. Verisign, Thawte) is the preferred approach. These companies are already configured in Windows as trusted root certificate authorities (CA), and because they are third party verified, there is an additional level of implied trust associated with them.

  • If you are part of a large enterprise domain and you have a domain CA, that CA can issue you a publisher cert for your domain that you can use, and your publisher certificate can be pushed out to client machines through group policy or SMS.

  • If user prompting is acceptable for elevating privileges (based onthe permissions requested by the application in its manifest and the permissions that would be granted by code access security based on the launch URL), then there is no need to install any certificates on the client side.

  • If you want to avoid user prompting, you need to install your publisher certificate in the Trusted Publishers store on the client machine.

  • At runtime, certificate checks are only done against the local certificate stores on the client machine. Specifically, the certificate used to sign the manifests is checked for in the Trusted Publishers store, and the issuer of that certificate is checked for in the Trusted Root Certificate Authorities store.

If you want more information on configuring certificates and how they work at runtime, you should check out my article on MSDN Online: