Although signing a deployment was made optional in the .NET Framework
3.5 SP1, it is still a best practice for security reasons. To sign your
deployment, you must have a code-signing certificate. You can either
create your own test certificate or obtain a certificate from a root
certificate authority (CA)—typically, a vendor or your server support
team. When you have a certificate from a CA, it displays the publisher
in the installation dialogs, which makes your application appear more
trustworthy. If you use a test (self-created) certificate, the
installation dialogs will display an "Unknown publisher" message. For
applications deployed internally in an organization, this is an
acceptable practice.
To create a test certificate in Visual Studio
- Open your main project’s property pages and click the Signing tab.
- Click Create Test Certificate.
If you use this method on multiple applications, you will find that they all look the same in the certificate store on your computer, as shown in Figure 1.
Figure 1
If you use Mage to redeploy an application, Mage will ask for the certificate when you sign the deployment. One option is to browse to it in Windows Explorer, but this gets tiresome if you have to do it repeatedly. A second option is to select it from the certificate store. However, if you have several with the same name, you will not know which one to select.
Rather than creating a test certificate with Visual Studio, you can create one using the tools that came with Visual Studio and define the name yourself. Then you can use this same certificate to sign one or more deployments. If you use Mage to sign the application, you can easily select your certificate from the certificate store on your computer rather than browsing to it.
Creating and naming a test certificate is optional, but it can make publishing and signing your deployments easier in the long run. This section explains how to create the test certificate. The next section explains how to use the test certificate to sign your deployment.
To create a test certificate
- Find the Makecert.exe and Pvk2pfx.exe files.
  - If you are using Visual Studio 2010, the files are in the following folder: C:\Program Files\Microsoft SDKs\Windows\v7.0A\bin\
  - If you are using Visual Studio 2008, the files are in the following folder: C:\Program Files\Microsoft SDKs\Windows\v6.0A\bin\
- Copy the files to another folder, such as C:\MakeCert\, so that you can easily find them via a Command Prompt window.
- Open a Command Prompt window and go to the folder.
- You need to create a certificate and a private key file, and then convert those files into a .pfx file that can be used by Visual Studio. Use the following command to create the certificate and the private key file:

  makecert -sv yourprivatekeyfile.pvk -n "cert name" yourcertfile.cer -b mm/dd/yyyy -e mm/dd/yyyy -r

where:
- -sv yourprivatekeyfile.pvk is the name of the file containing the private key.
- -n "cert name" is the name that will appear on the certificate (and in the certificate store).
- yourcertfile.cer is the name of the certificate file.
- -b mm/dd/yyyy is the date when the certificate becomes valid.
- -e mm/dd/yyyy is the date when the certificate expires.
- -r indicates that this will be a self-signed certificate.
Figure 2
This example creates a certificate that is valid from 4/1/2010 through 4/1/2011. You can create one that lasts longer than this, but it is not advisable because the certificate cannot be revoked. For more information about certificate revocation, see Certificate Revocation and Status Checking on Microsoft TechNet.
- After you enter the command, you will be prompted to set the password for the private key file, as shown in Figure 3.
Figure 3
This step creates a .pvk file that contains the private key information.
- You will be prompted to enter the password to sign the actual certificate (.cer) file, as shown in Figure 4.
Figure 4
- Next, you have to create the .pfx file that you will use to sign your deployments. Open a Command Prompt window, and type the following command:

  pvk2pfx -pvk yourprivatekeyfile.pvk -spc yourcertfile.cer -pfx yourpfxfile.pfx -po yourpfxpassword

where:
- -pvk yourprivatekeyfile.pvk is the private key file that you created in step 4.
- -spc yourcertfile.cer is the certificate file you created in step 4.
- -pfx yourpfxfile.pfx is the name of the .pfx file that will be created.
- -po yourpfxpassword is the password that you want to assign to the .pfx file. You will be prompted for this password when you add the .pfx file to a project in Visual Studio for the first time.
Figure 5
Your .pfx file is now ready to use to sign your deployments. For procedures, see the section How to: Set the Basic ClickOnce Publishing Properties.
- In Windows Explorer, find the folder in which you created the .pfx file. Double-click the file. This will start the import wizard. Accept the defaults and import your certificate into the store. It will be placed under Certificates – Current User in the Personal folder.
- To access your certificate store, click the Start button, type certmgr.msc in the search box, and then press Enter. You can see the SCSFTest example certificate in Figure 6.
Figure 6
You will be able to retrieve the certificate from the store when you use the Mage tools.
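The whole makecert / pvk2pfx / import procedure above can be scripted so that every test certificate gets a distinct, deliberately chosen name and a one-year validity period, and so that the certificate store can be checked for the duplicate-name problem described earlier. The script below is an added example and is not part of the original article or of the Windows SDK tools; it assumes the two tools were copied to C:\MakeCert\ as in step 2, that the Import-PfxCertificate cmdlet (PKI module, Windows 8 / Server 2012 and later) is available, and that the certificate name, file names and password are placeholders you replace. Note that makecert expects the -n value in X.500 form ("CN=name"), and that it still shows the password dialogs from Figures 3 and 4 even when run from a script.

```powershell
# Added example (not from the original page): script the makecert, pvk2pfx and
# import steps so each test certificate has a unique name and a short lifetime,
# then audit the Current User\Personal store for duplicate names and expiry.
# ASSUMPTIONS: tools copied to C:\MakeCert\; PKI module available for
# Import-PfxCertificate; all names and the password below are placeholders.
$ErrorActionPreference = 'Stop'

$toolDir  = 'C:\MakeCert'                      # folder the SDK tools were copied to (step 2)
$certName = 'MyTeam ClickOnce Test 2010'       # placeholder; pick one name per application/team
$pvkFile  = Join-Path $toolDir 'clickoncetest.pvk'
$cerFile  = Join-Path $toolDir 'clickoncetest.cer'
$pfxFile  = Join-Path $toolDir 'clickoncetest.pfx'
$pfxPass  = 'ChangeMe-PlaceholderPassword'     # placeholder; prompt for it in real use

# A self-signed test certificate cannot be revoked, so a short validity period
# (one year, as in the article's 4/1/2010 - 4/1/2011 example) is the only
# expiry control you have.
$validFrom = Get-Date
$validTo   = $validFrom.AddYears(1)
$fmt       = 'MM/dd/yyyy'

# Step 4: create the self-signed certificate (.cer) and private key (.pvk).
# -n must be an X.500 name, hence the CN= prefix; -a sha1 avoids the MD5
# default of older makecert builds. The password dialogs still appear here.
& (Join-Path $toolDir 'makecert.exe') `
    -sv $pvkFile `
    -n "CN=$certName" `
    -b $validFrom.ToString($fmt) `
    -e $validTo.ToString($fmt) `
    -r -a sha1 `
    $cerFile
if ($LASTEXITCODE -ne 0) { throw "makecert failed with exit code $LASTEXITCODE" }

# Step 7: bundle key and certificate into the .pfx that Visual Studio and Mage use.
& (Join-Path $toolDir 'pvk2pfx.exe') `
    -pvk $pvkFile -spc $cerFile -pfx $pfxFile -po $pfxPass
if ($LASTEXITCODE -ne 0) { throw "pvk2pfx failed with exit code $LASTEXITCODE" }

# Step 8: import into Certificates - Current User \ Personal, where the
# double-click wizard would also put it (this is the Cert:\CurrentUser\My drive).
$securePass = ConvertTo-SecureString $pfxPass -AsPlainText -Force
Import-PfxCertificate -FilePath $pfxFile `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -Password $securePass | Out-Null

# Check 1: the certificate is now in the store under the name Mage will show.
$mine = Get-ChildItem 'Cert:\CurrentUser\My' | Where-Object { $_.Subject -eq "CN=$certName" }
if (-not $mine) { throw "Certificate '$certName' was not found in CurrentUser\My" }
Write-Host "Imported '$certName' with thumbprint $($mine.Thumbprint)"

# Check 2: flag subject names that occur more than once. This is exactly the
# situation Figure 1 shows after using Create Test Certificate on several
# projects, and it is what makes picking the right one in Mage guesswork.
Get-ChildItem 'Cert:\CurrentUser\My' |
    Group-Object Subject |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
        Write-Warning "Subject '$($_.Name)' appears $($_.Count) times; remove stale copies in certmgr.msc"
    }

# Check 3: list every self-signed certificate (Subject equals Issuer) with its
# remaining lifetime, and warn about any that is valid for more than a year
# from now, since it can never be revoked.
Get-ChildItem 'Cert:\CurrentUser\My' |
    Where-Object { $_.Subject -eq $_.Issuer } |
    ForEach-Object {
        $daysLeft = [int]($_.NotAfter - (Get-Date)).TotalDays
        if ($daysLeft -gt 365) {
            Write-Warning "$($_.Subject) is valid for $daysLeft more days; self-signed certificates cannot be revoked"
        }
        [pscustomobject]@{
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            NotBefore  = $_.NotBefore
            NotAfter   = $_.NotAfter
            DaysLeft   = $daysLeft
        }
    } | Format-Table -AutoSize
```

On a machine without the PKI module, the import line can be replaced with the older command-line tool, for example certutil -user -p yourpfxpassword -importpfx yourpfxfile.pfx, which places the certificate in the same Current User\Personal store. The thumbprint printed by Check 1 is the reliable way to tell two similarly named certificates apart when selecting one for Mage.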