XBAP - FullTrust deployment - c#

I have an XBAP app that I would like to publish. This app requires FullTrust, so I need to sign it.
I can do that and publish the app. However, clients who do not have my certificate cannot install/run the app; they would have to install the certificate before doing that.
Is there a way to avoid or automate this? Either embed the certificate installation within the deployment (ClickOnce), or maybe sign the app using a service like Verisign (e.g.)?
Is SSL a topic that might help here?

You will need to sign the ClickOnce deployment using a certificate from a trusted certificate authority such as Verisign, as you suggest. Otherwise you'll need to distribute the certificate you've generated to your users and have them install it on their local machines.

Related

How do I sign click once applications?

I have written an application that I'm publishing to my webpage every time I make changes, via the "Publishing Assistant" in VS13. If I go to install it on my PC from my website, Windows tells me that the application is not trustworthy. How do I change this? Where do I get a certificate for signing it?
You buy a certificate from any trusted certificate provider. So as not to promote any specific provider, I'll just recommend that you google for "buy code signing certificate", if you really can't find a provider on your own.
Then, in the project properties, navigate to the "Signing" tab and point to your certificate file. The package will be signed upon building.

Is our ClickOnce deployment guaranteed to work if we buy a certificate from a certification authority?

I am developing an office add-in application. We want to try the auto update function of the ClickOnce in the Visual Studio.
This is our first time publishing software online, and we used a certificate created by ourselves to sign the software. We ran into a problem: we put our software on our server, and when we try to run the .exe file after downloading it from our server, it gives the error below:
Customized functionality in this application will not work because the
certificate used to sign the deployment manifest for wordadd or its
location is not trusted. Contact your administrator for further
assistance.
Then we exported the certificate created by the developer and imported it into the computer on which we want to download the software. It no longer shows the above error, and it can also auto update. But we cannot ask our users to do this; it is really inconvenient to ask our users to do this. So we are wondering whether this problem can be solved if we buy the certificate from a certificate provider.
Below is a question also about this problem; they still have this problem even though they already bought a certificate.
Cannot install ClickOnce - Certificate Not Trusted
Buying a code-signing certificate greatly increases the chances that your software will work as-is on your users' machines, but in the end it all boils down to the following question:
Is the certificate used to sign this application trusted by the machine?
The answer to that question is a definite no for your self-signed certificate, but it's not guaranteed to be yes for the certificate you'll buy.
The big / reliable certification authorities are trusted by default on most machines (see the Trusted Root Certification Authorities store on a Windows machine), but if your user (or big-corp's IT) removed the default authorities from the certificate store you're back to square one and you'll have to ask the user to explicitly trust your certificate. There's no easy workaround!
In the end, buying a certificate from a trusted CA will solve your problem on most machines, but it's not bulletproof. You should be ready to support users who don't trust the default CAs by telling them to import your certificate.

If my web server certificate expires with a ClickOnce application, what happens?

I have a ClickOnce application where the web server certificate is about to expire.
I need to clarify whether all the certificate expiration questions and comments about programs not working and needing to be uninstalled/reinstalled are from the CODE signing cert expiring or the IIS WEB cert expiring?
Would I be right in saying that if the web server cert expires, the only issue is that users who download from the publicly available website will get an untrusted publisher prompt, they say yes and then it works from then on?
Or will it flat out not work as the package is specifying https and it can't use https if the web server cert has expired?
Any assistance greatly appreciated.
The web server certificate has nothing to do with the CODE SIGNING certificate you used for your ClickOnce application. So you are correct: users who open the webpage to download the installer will see an "invalid certificate" message from the browser. But after they download the app, it will install just fine.
Please note: I assume you used a timestamp server when you were signing your ClickOnce app. Otherwise, your signed ClickOnce app will expire when your code signing certificate expires. But again, that's a side note and it has nothing to do with the web server certificate.

Cannot find the certificate in either the LocalMachine store or the CurrentUser store

I have already installed the SSL cert on the user's PC. I also imported the cert under Local Computer in Trusted Root Certification Authorities. I am trying to consume the web service. In my code I attach the cert as below.
webservice.ClientCertificates.Add(X509Certificate.CreateFromCertFile(certPath));
But I got the following error.
Cannot find the certificate in either the LocalMachine store or the CurrentUser store
What could be the issue? I'm using .Net Framework 2.0. So, not able to use WCF. Thanks.
That means probably:
- you have the wrong certificates installed, or
- you installed the certificates in the wrong place.
An easy way to tell if you have a client certificate installed properly is to:
1. Launch IE.
2. Open Tools | Internet Options.
3. In the Content tab, click the Certificates button.
Then you should see the cert under Personal (read the cert path and see whether it contains errors), and you will be able to use it in your WinForms application.
I experienced a similar issue. In my case it was solved by using MMC and giving Full Control rights on the certificate to the user IIS_IUSRS. My website is running under ApplicationPoolIdentity. This answer guided me to the right path: How to give ASP.NET access to a private key in a certificate in the certificate store?
I had the same error when trying to connect to a service that hadn't been set to use SSL. Once I changed the configuration of the service to use SSL, the connection worked fine.
Also you may get that error if the account doesn't have access to the private key, which WinHttpCertCfg.exe from the Windows Resource Kit can solve.
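The answers above point at two different causes for the same message: the certificate is not actually in a store that .NET searches, or it is there but the account cannot touch its private key. The diagnostic below is an added example (not code from the question or the answers) that checks both, assuming the certificate is identified by a thumbprint placeholder you fill in. Note that `X509Certificate.CreateFromCertFile` loads a public certificate with no private key, so the framework then has to find a matching key-bearing certificate in the Personal store of CurrentUser or LocalMachine; the lookup below mirrors that search.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added diagnostic: locate a client certificate in the two stores .NET
// searches and report whether its private key is present and readable.
static class ClientCertLocator
{
    public static X509Certificate2 Find(string thumbprint)   // thumbprint: placeholder, hex without spaces
    {
        StoreLocation[] locations = { StoreLocation.CurrentUser, StoreLocation.LocalMachine };
        foreach (StoreLocation loc in locations)
        {
            X509Store store = new X509Store(StoreName.My, loc);   // "Personal" in the IE dialog
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
            try
            {
                // validOnly = false so an expired cert is still listed and reported, not silently skipped
                X509Certificate2Collection found =
                    store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
                foreach (X509Certificate2 c in found)
                {
                    Console.WriteLine("{0}\\My: {1}, valid until {2}, has private key: {3}",
                        loc, c.Subject, c.NotAfter, c.HasPrivateKey);
                    if (!c.HasPrivateKey) continue;   // a .cer import: public part only, unusable as a client cert
                    try
                    {
                        AsymmetricAlgorithm key = c.PrivateKey;   // throws if the running account lacks ACL on the key
                        return c;
                    }
                    catch (CryptographicException ex)
                    {
                        // Key exists but this account may not read it: fix the key ACL (MMC or WinHttpCertCfg.exe)
                        Console.WriteLine("  private key not accessible: {0}", ex.Message);
                    }
                }
            }
            finally { store.Close(); }
        }
        return null;   // nothing usable: the same situation that produces the "Cannot find the certificate" error
    }
}
// Usage: X509Certificate2 cert = ClientCertLocator.Find("<THUMBPRINT>");
//        if (cert != null) webservice.ClientCertificates.Add(cert);
```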

Using the "Service Account" certificate store with .NET 2.0 HttpWebRequest

I have a .NET 2.0 Windows service application written in C# that accesses a non-SOAP web service via SSL with HttpWebRequest. My Windows service runs under the NETWORK SERVICE account.
I am able to make SSL work by issuing a cert to the web server that my windows service talks to from a CA, then installing the CA's cert to the Local Machine\trusted root store.
What I would like to be able to do is to install the CA's cert to the "service account" trusted root cert store instead of the "local machine" store, and have this "just work."
In other words, it seems that the SSL authentication used by the .net framework is hard coded to check the current user store, and the local machine store for trusted roots when validating an SSL certificate, but is there any clean way to get it to check the "service account" store instead of (or in addition to) the other stores?
The only solution I can come up with is to override the ServicePointManager.ServerCertificateValidationCallback and then P/Invoke to the Crypto API to open the "service account" cert store in Win32, and manually search for the root in there. I'd rather not do that, since it would seem to be a pretty large performance penalty, having to wait for failure from 2 cert stores I don't intend to use anyway.
Possibly I'm taking entirely the wrong approach here, but it really seems like I'm missing a simple way to solve my problem.
If your code controls the server it is talking to, then why don't you just return "true" from the CertValidationCallback? It is not as if the server cert will change every time you make a request.
Unless you really need the system to also verify other things related to the cert, e.g. CRL, expiry etc., you might just make it work by implementing a custom cert validation callback.
If you really want to install the cert into the NETWORK_SERVICE account context, then there are tools from Microsoft to help you do that.
http://support.microsoft.com/kb/901183
http://web.asu.edu/community/installing-client-certificate-windows-machine
http://www.derkeiler.com/Newsgroups/microsoft.public.dotnet.security/2008-03/msg00011.html
Good luck!
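A validation callback that returns true unconditionally accepts any certificate, including one presented by whoever sits between the service and its server, so a practitioner would rather keep the normal checks and only replace the "unknown root" decision with an explicit pin on the private CA. The example below is added here and is not code from the question or the answer; it assumes the CA's public certificate is shipped with the service at a hypothetical path and works with the .NET 2.0 types the question already uses (ServicePointManager, X509Chain).

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example: trust one private CA for HTTPS without installing it into
// the LocalMachine root store. Name mismatches, expiry and bad signatures
// still fail; only the trust anchor is supplied by us instead of the store.
static class PrivateCaValidator
{
    // Hypothetical path to the private CA's public certificate (.cer) deployed with the service.
    static readonly X509Certificate2 PrivateRoot =
        new X509Certificate2(@"C:\ProgramData\MyService\private-ca.cer");

    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }

    static bool Validate(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None)
            return true;                                   // already trusted via the default stores

        // Tolerate only a chain (root) problem; name mismatch or missing certificate stays fatal.
        if ((errors & ~SslPolicyErrors.RemoteCertificateChainErrors) != 0)
            return false;

        X509Chain custom = new X509Chain();
        custom.ChainPolicy.ExtraStore.Add(PrivateRoot);     // make our CA available for chain building
        custom.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;   // private CA publishes no CRL (assumption)
        custom.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;

        if (!custom.Build(new X509Certificate2(cert)))
            return false;                                  // expired, wrong key usage, broken signature, ...

        // The only status we permitted is UntrustedRoot; anything else means a real defect.
        foreach (X509ChainStatus status in custom.ChainStatus)
            if (status.Status != X509ChainStatusFlags.UntrustedRoot) return false;

        // Finally confirm that the untrusted root is exactly our CA, not just any self-signed cert.
        X509Certificate2 root = custom.ChainElements[custom.ChainElements.Count - 1].Certificate;
        return string.Equals(root.Thumbprint, PrivateRoot.Thumbprint, StringComparison.OrdinalIgnoreCase);
    }
}
```

Call `PrivateCaValidator.Install()` once at service start-up; the callback is process-wide, so it also governs any other HTTPS calls the service makes.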
