Publishing ClickOnce: manifest signing

Despite the official MSDN docs being quite explicit, I often see questions about best practices for certificates in ClickOnce application deployment. Basically, there are two main scenarios:

  1. Publishing ClickOnce applications for external users (Internet)
  2. Publishing for a restricted group of internal users (Intranet)

An excellent document on the subject is here: https://msdn.microsoft.com/en-us/library/aa730868(VS.80).aspx 

For the first scenario, it is generally clear that a trusted certificate signed by a Certificate Authority is needed in order to ensure that the application publisher is trusted. Additionally, Trusted Application Deployment (TAD) also requires a CA signed certificate: https://msdn.microsoft.com/en-us/library/01daf08f.aspx

The second scenario is often asked about for internal deployments in "trusted" smaller environments - like a developer team - where the overhead of a CA certificate is considered unnecessary. Because ClickOnce also works with self-signed certificates (stored as Personal Information Exchange, .pfx, files), these can be used as an alternative. The following points need to be considered:

  1. By default, Visual Studio will automatically generate a test certificate for you and add the PFX file to your project. If several developers need to be able to publish application updates, they must all use the same certificate (otherwise the update will fail).
  2. So it should be OK to check the PFX into source control with your project and have all developers use it - Visual Studio will automatically import the PFX into the local certificate store of each machine from which the project is published (ClickOnce manifest signing always works by first importing the PFX certificate into the local Certificate Store).
  3. However, Visual Studio test certificates have a limited validity: they expire after one year. It is possible to extend them, but it's not worth the risk of forgetting when they expire (which will cause application updates to fail). A better option is available: creating and using a self-signed certificate with the .NET 2.0 makecert.exe tool:

https://msdn.microsoft.com/en-us/library/e78byta0(VS.80).aspx

The tool allows you to create a certificate with the desired expiration date and export it to a PFX file, which can be used just like a Visual Studio test certificate. The private key can be password protected.
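As an added example (not from the original post or the MSDN docs), the script below creates such a long-lived self-signed code-signing certificate with makecert.exe, exports it to a password-protected PFX with the PKI module's Export-PfxCertificate, and then checks the resulting PFX for the Code Signing EKU and remaining validity so an expiring certificate is caught before ClickOnce updates start failing. It assumes makecert.exe is on the PATH (e.g. a Visual Studio developer prompt) and that the PKI PowerShell module is available; the subject name, dates, file names and 90-day threshold are placeholders.

```powershell
# Added example: long-lived self-signed ClickOnce signing certificate + PFX sanity check.
# Placeholder values; adjust subject, dates and threshold for your team.
$Subject   = "CN=Contoso Internal ClickOnce Publisher"
$NotBefore = "01/01/2024"   # makecert expects mm/dd/yyyy
$NotAfter  = "01/01/2034"   # ten years instead of the one-year Visual Studio test cert
$CerFile   = "clickonce-publisher.cer"
$PfxFile   = "clickonce-publisher.pfx"
$MinDaysLeft = 90           # fail the build when less than this remains

# -r self-signed, -pe exportable private key, -sky signature: signing key,
# -eku 1.3.6.1.5.5.7.3.3: Code Signing, -a sha256 / -len 2048: sane modern parameters,
# -ss My -sr CurrentUser: put it in the current user's Personal store.
& makecert.exe -r -pe -n $Subject -b $NotBefore -e $NotAfter `
    -sky signature -eku 1.3.6.1.5.5.7.3.3 -a sha256 -len 2048 `
    -ss My -sr CurrentUser $CerFile
if ($LASTEXITCODE -ne 0) { throw "makecert.exe failed with exit code $LASTEXITCODE" }

# Locate the new certificate in the store via the thumbprint of the exported .cer,
# then export certificate + private key as a password-protected PFX.
$Public   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                -ArgumentList (Resolve-Path $CerFile).Path
$StoreCert = Get-Item "Cert:\CurrentUser\My\$($Public.Thumbprint)"
$PfxPassword = Read-Host -Prompt "PFX password" -AsSecureString
Export-PfxCertificate -Cert $StoreCert -FilePath $PfxFile -Password $PfxPassword | Out-Null

# Verification step: reload the PFX exactly as a build machine would and refuse to
# ship it if it lacks the Code Signing EKU or is close to expiry.
$Pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
           -ArgumentList (Resolve-Path $PfxFile).Path, $PfxPassword
$CodeSigning = $Pfx.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
    ForEach-Object { $_.EnhancedKeyUsages } |
    Where-Object { $_.Value -eq "1.3.6.1.5.5.7.3.3" }
if (-not $CodeSigning) { throw "$PfxFile does not carry the Code Signing EKU" }

$DaysLeft = ($Pfx.NotAfter - (Get-Date)).Days
if ($DaysLeft -lt $MinDaysLeft) {
    throw "$PfxFile expires on $($Pfx.NotAfter) ($DaysLeft days left); renew it now"
}
Write-Host "OK: $($Pfx.Subject) valid until $($Pfx.NotAfter), $DaysLeft days left"
```

Running the verification part as a build step on the checked-in PFX turns the "forgot it expired" failure mode into an early, explicit error; note that makecert.exe is deprecated and New-SelfSignedCertificate can produce an equivalent certificate on current Windows versions.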

As a side note in this scenario, you should periodically make sure your usage of self-signed certificates is really appropriate from a security point of view.