Although signing a deployment was made optional in the .NET Framework
3.5 SP1, it is still a best practice for security reasons: the signature
lets the client verify who published the manifests and that they have not
been altered since they were published. To sign your deployment, you must
have a code-signing certificate. You can either create your own test
certificate or obtain one from a certificate authority (CA), typically a
commercial vendor or your organization's internal PKI or server support
team. A certificate issued by a CA causes the installation dialogs to
display the publisher name, which makes your application appear more
trustworthy. If you use a test (self-created) certificate, the
installation dialogs display an "Unknown publisher" message instead,
unless the certificate has also been installed in the client's Trusted
Root Certification Authorities store. For applications deployed
internally in an organization, this is an acceptable practice.
To create a test certificate in Visual Studio
- Open your main project’s property pages and click the Signing tab.
- Click Create Test Certificate.
Visual Studio will create the certificate, and add it to your
project (the certificate will have a name similar to
MyApp_Temporary.pfx). Visual Studio will also add the certificate to the
certificate store on your computer.
If you use this method on multiple applications, you will
find that they all look the same in the certificate store on your
computer, as shown in Figure 1.
Figure 1
Certificate store
If you use Mage to redeploy an application, Mage will ask for
the certificate when you sign the deployment. One option is to browse
to it in Windows Explorer, but this gets tiresome if you have to do it
repeatedly. A second option is to select it from the certificate store.
However, if you have several with the same name, you will not know which
one to select.
Rather than creating a test certificate with Visual Studio,
you can create one using the tools that came with Visual Studio and
define the name yourself. Then you can use this same certificate to sign
one or more deployments. If you use Mage to sign the application, you
can easily select your certificate from the certificate store on your
computer rather than browsing to it.
Creating and naming a test certificate is optional, but it
can make publishing and signing your deployments easier in the long run.
This section explains how to create the test certificate. The next
section explains how to use the test certificate to sign your
deployment.
To create a test certificate
- Find the Makecert.exe and Pvk2pfx.exe files.
- If you are using Visual Studio 2010, the files are in the following folder: C:\Program Files\Microsoft SDKs\Windows\v7.0A\bin\ (on 64-bit Windows, look under C:\Program Files (x86)\ instead).
- If you are using Visual Studio 2008, the files are in the following folder: C:\Program Files\Microsoft SDKs\Windows\v6.0A\bin\ (on 64-bit Windows, look under C:\Program Files (x86)\ instead).
- Copy the files to another folder, such as C:\MakeCert\, so that you can easily find them via a Command Prompt window. Alternatively, use the Visual Studio Command Prompt, which already has the SDK bin folder on its PATH.
- Open a Command Prompt window and go to the folder.
- You need to create a certificate and a private key file,
and then convert those files into a .pfx file that can be used by Visual
Studio. Use the following command to create the certificate and the
private key file:
makecert -sv yourprivatekeyfile.pvk -n "CN=cert name" yourcertfile.cer -b mm/dd/yyyy -e mm/dd/yyyy -r
where:
- -sv yourprivatekeyfile.pvk is the name of the file containing the private key. If the file does not exist yet, makecert creates it.
- -n "CN=cert name" is the X.500 subject name that will appear on the certificate (and in the certificate store). makecert requires the CN= prefix; a bare name is rejected.
- yourcertfile.cer is the name of the certificate file.
- -b mm/dd/yyyy is the date when the certificate becomes valid.
- -e mm/dd/yyyy is the date when the certificate expires.
- -r indicates that this will be a self-signed certificate.
Optionally, add -eku 1.3.6.1.5.5.7.3.3 to restrict the certificate to code signing (the enhanced key usage that Visual Studio's own test certificate carries) and -len 2048 to get a 2048-bit key instead of the tool's default.
Figure 2 is an example of the command.
Figure 2
Making a certificate file
This example creates a certificate that is valid from 4/1/2010 through
4/1/2011. You can create one that lasts longer than this, but it is not
advisable because a self-signed certificate cannot be revoked. For more
information about certificate revocation, see Certificate Revocation and Status Checking on Microsoft TechNet.
- After you enter the command, you will be prompted to set the password for the private key file, as shown in Figure 3.
Figure 3
Setting the password for the private key file
This step creates a .pvk file that contains the private key information.
- You will be prompted to enter the password to sign the actual certificate (.cer) file, as shown in Figure 4.
Figure 4
Entering the password for the private key file
- Next, you have to create the .pfx file that you will use
to sign your deployments. In the same Command Prompt window, type the
following command:
pvk2pfx -pvk yourprivatekeyfile.pvk -spc yourcertfile.cer -pfx yourpfxfile.pfx -po yourpfxpassword
where:
- -pvk yourprivatekeyfile.pvk is the private key file that you created with the makecert command.
- -spc yourcertfile.cer is the certificate file you created with the makecert command.
- -pfx yourpfxfile.pfx is the name of the .pfx file that will be created.
- -po yourpfxpassword
is the password that you want to assign to the .pfx file. You will be
prompted for this password when you add the .pfx file to a project in
Visual Studio for the first time. (Add -f if you need to overwrite an existing .pfx of the same name.)
Figure 5 illustrates the makecert and pvk2pfx commands described above,
and the resulting files. When you create the .pfx file, you will be
prompted again for the password to the private key file.
Figure 5
Making a .pfx file out of the certificate and private key files
Your .pfx file is now ready to use to sign your deployments. For procedures, see the section How to: Set the Basic ClickOnce Publishing Properties. Note that both the .pvk and the .pfx file contain the private key; anyone who obtains them can sign as your publisher, so keep them out of source control and shared folders.
- In Windows Explorer, find the folder in which you created
the .pfx file. Double-click the file. This will start the import wizard.
Accept the defaults and import your certificate into the store. It will
be placed under Certificates – Current User in the Personal folder.
- To access your certificate store, click the Start button, type certmgr.msc in the search box, and then press Enter. You can see the SCSFTest example certificate in Figure 6.
Figure 6
SCSF Test certificate example in the certificate store
You will be able to retrieve the certificate from the store when you use the Mage tools.
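The following PowerShell script is an added example, not code from the original page or from the Smart Client Software Factory. It runs the makecert and pvk2pfx procedure above end to end, imports the resulting .pfx into Certificates - Current User\Personal, and then lists every certificate with that name by thumbprint, which is how you tell same-name test certificates apart when Mage asks for one. The SDK path, the certificate name SCSFTest, and the output folder C:\MakeCert are assumptions taken from the text above; override them with the script's parameters if your setup differs.

```powershell
<#
Added example (not part of the original page): scripts the makecert / pvk2pfx
steps, imports the .pfx into the Current User Personal store, and lists
same-name certificates by thumbprint. Paths and names below are assumptions.
Usage:  .\New-TestCodeSigningCert.ps1 -Name SCSFTest -PfxPassword (Read-Host "PFX password")
#>
param(
    [string] $Name   = "SCSFTest",                                  # becomes CN=<Name>
    [string] $OutDir = "C:\MakeCert",
    [string] $SdkBin = "C:\Program Files\Microsoft SDKs\Windows\v7.0A\bin",
    [int]    $ValidDays = 365,          # kept short on purpose: a self-signed cert cannot be revoked
    [Parameter(Mandatory = $true)] [string] $PfxPassword            # password for the .pfx (pvk2pfx -po)
)
$ErrorActionPreference = "Stop"

$makecert = Join-Path $SdkBin "makecert.exe"
$pvk2pfx  = Join-Path $SdkBin "pvk2pfx.exe"
foreach ($tool in @($makecert, $pvk2pfx)) {
    if (-not (Test-Path $tool)) { throw "Tool not found: $tool (check -SdkBin)" }
}
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$pvk = Join-Path $OutDir "$Name.pvk"
$cer = Join-Path $OutDir "$Name.cer"
$pfx = Join-Path $OutDir "$Name.pfx"

# makecert expects mm/dd/yyyy regardless of the machine's locale.
$inv   = [Globalization.CultureInfo]::InvariantCulture
$begin = (Get-Date).ToString("MM/dd/yyyy", $inv)
$end   = (Get-Date).AddDays($ValidDays).ToString("MM/dd/yyyy", $inv)

# Step 1: self-signed (-r) certificate plus private key file. makecert prompts
# interactively for the private-key password (Figures 3 and 4). -n must be an
# X.500 name, hence "CN=". -eku 1.3.6.1.5.5.7.3.3 marks the certificate as
# code signing only; -len 2048 avoids the tool's shorter default key.
& $makecert -r -n "CN=$Name" -b $begin -e $end -eku 1.3.6.1.5.5.7.3.3 -len 2048 -sv $pvk $cer
if ($LASTEXITCODE -ne 0) { throw "makecert failed with exit code $LASTEXITCODE" }

# Step 2: combine key and certificate into a .pfx. pvk2pfx prompts for the
# .pvk password again; -f overwrites an existing .pfx of the same name.
& $pvk2pfx -pvk $pvk -spc $cer -pfx $pfx -po $PfxPassword -f
if ($LASTEXITCODE -ne 0) { throw "pvk2pfx failed with exit code $LASTEXITCODE" }

# Step 3: import into Certificates - Current User\Personal, the same place the
# double-click import wizard puts it. PersistKeySet keeps the private key with
# the certificate so that Mage can sign with it straight from the store.
$flags = [Security.Cryptography.X509Certificates.X509KeyStorageFlags] "Exportable,PersistKeySet"
$cert  = New-Object -TypeName Security.Cryptography.X509Certificates.X509Certificate2 `
                    -ArgumentList $pfx, $PfxPassword, $flags
$store = New-Object -TypeName Security.Cryptography.X509Certificates.X509Store `
                    -ArgumentList "My", "CurrentUser"
$store.Open("ReadWrite")
$store.Add($cert)
$store.Close()

# Step 4: same-name test certificates are distinguished by thumbprint, not by
# name. Record the thumbprint of the one you just made; it is what Mage's
# -CertHash option takes when you sign from the store.
"Imported $($cert.Subject), thumbprint $($cert.Thumbprint), expires $($cert.NotAfter)"
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq "CN=$Name" } |
    Sort-Object NotAfter -Descending |
    Format-Table Subject, NotAfter, HasPrivateKey, Thumbprint -AutoSize
```

Run it from a normal (non-elevated) PowerShell prompt, since it only touches the Current User store. The final table is the answer to the "which one do I select?" problem described earlier: when several certificates carry the same name, choose by thumbprint and expiry date rather than by name, and pass that thumbprint to Mage rather than browsing for the .pfx each time.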