ClickOnce Publisher Certificate Renewals and Updating Your Application

I wanted to get the word out about a fairly messy little detail of ClickOnce that has surfaced: publisher certificate renewals and how they affect ClickOnce.

ClickOnce only allows you to update an application if the updated version's manifests are signed with the same publisher certificate that was used to originally sign the application.

When ClickOnce was designed, the product team's understanding was that certificate issuers such as Verisign and thawte would renew certificates without re-issuing a new certificate (with a new private/public key pair). Unfortunately, that understanding was incorrect. Certificate issuers do in fact issue a whole new cert when they do a renewal, just one that has the same CN (Common Name).

The result of this is that if you have a ClickOnce application in production and your publisher cert expires, you will no longer be able to issue updates to your application with your new cert. You will have to have users uninstall the previous version and install the new version as a fresh install.

To combat this for the near term, you may want to consider buying a cert that lasts longer than a year.
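To tell ahead of an expiry whether a renewed certificate is the same publisher certificate or only shares its CN, the two can be compared directly. The following is an added example, not code from the original post or from Microsoft; the function names `New-ConstructedCert` and `Compare-PublisherCert` are hypothetical, the sample certificates are constructed self-signed stand-ins, and it assumes PowerShell 7+ (or .NET Framework 4.7.2+).

```powershell
# Added example, not from the original post; function names are hypothetical.
# Assumes PowerShell 7+ (or .NET Framework 4.7.2+) for CertificateRequest.
function New-ConstructedCert {
    # Throwaway self-signed certificate with a fresh RSA key pair (sample input only).
    param([string]$CommonName, [int]$ValidYears = 1)
    $rsa = [System.Security.Cryptography.RSA]::Create(2048)
    $req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
        "CN=$CommonName", $rsa,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    $now = [DateTimeOffset]::UtcNow
    $req.CreateSelfSigned($now, $now.AddYears($ValidYears))
}

function Compare-PublisherCert {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Current,
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Renewed
    )
    $sameCert = $Current.Thumbprint -eq $Renewed.Thumbprint
    $sameKey  = $Current.GetPublicKeyString() -eq $Renewed.GetPublicKeyString()
    $sameName = $Current.Subject -eq $Renewed.Subject
    $verdict = if ($sameCert) { 'Same certificate: updates can still be signed with it' }
        elseif ($sameKey)  { 'New certificate, same key pair (the renewal the ClickOnce design assumed)' }
        elseif ($sameName) { 'Same CN, new key pair: a different publisher certificate; updates signed with it will not install' }
        else               { 'Different subject and key: unrelated certificate' }
    [pscustomobject]@{
        SameSubject          = $sameName
        SameKeyPair          = $sameKey
        CurrentExpiresInDays = [int]($Current.NotAfter - [DateTime]::Now).TotalDays
        Verdict              = $verdict
    }
}

# Constructed sample: the original certificate and a "renewal" that, as the
# post describes, carries the same CN but a new key pair.
$current = New-ConstructedCert -CommonName 'Example Publisher'
$renewed = New-ConstructedCert -CommonName 'Example Publisher' -ValidYears 3
Compare-PublisherCert -Current $current -Renewed $renewed | Format-List
```

For real certificates, load each file with `Get-PfxCertificate -FilePath` and pass the results to `Compare-PublisherCert` in place of the constructed ones.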

Microsoft is looking into a fix for this in the Orcas release, but the details of what that fix will look like and how it will affect the update process are yet to be determined.