ClickOnce: Certificate cannot be validated


Tony Rogers

Hi,

We are signing our ClickOnce manifests with a code signing certificate
purchased from Thawte. When we install the software a security warning is
shown, and when we click on the publisher it says the certificate can not be
validated. This is because the "Thawte Code Signing CA" is not present on
the client machines.

Having done a web search, I found a previous post in this group describing
exactly the same issue - viewable at:
http://groups.google.com/group/micr...hread/thread/8c46df2acf25d54/4c1c4221f69fa09e

From one reply from Linda Liu [MSFT]:
I searched in our inner database and found a similar issue in it. The
following is the comments:
Firstly, this is a known issue that is being addressed in the next version
of Visual Studio - The Orcas.

Click Once apps do not distribute certificate/cert chains on the fly. So
for path validation to be recognized at install time - the installing
machine must have the intermediate certificate in this specific case.

My investigations have not yet turned up any CAs that offer code signing
certificates that directly chain from certificates we will find on our very
vanilla customer machines - they all seem to use intermediate certs. (I'd
love to be proved wrong on this...)

My real question relates to the comment that this is being addressed in the
Orcas release of Visual Studio. Is this true? If so, is there support in
framework 3.5 that can be accessed via ClickOnce APIs?

Thanks,

Tony
 
Hi Tony,

If the certificate you use to sign your ClickOnce manifest is signed by an
intermediate Thawte certificate, which in turn is signed by Thawte's
premium server certificate, you can install the intermediate certificate
into the client machine to solve the problem.

As for the comment "this is a known issue that is being addressed in the
next version of Visual Studio - The Orcas.", I am not sure whether it has
already been addressed in VS2008 or not. I will consult this issue in our
internal discussion group. As soon as I get an answer, I will get it back
to you.

I appreciate your patience!

Sincerely,
Linda Liu
Microsoft Online Community Support

Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
(e-mail address removed).

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
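
A diagnostic for the situation discussed above, added here as an example and not part of the original thread: it builds the chain for the signing certificate on the machine where it runs and reports which chain elements are present in the local intermediate and root stores. It assumes the signing certificate has been exported to a `.cer` file; the path `.\signing-cert.cer` is a placeholder.

```powershell
# Added example, not code from the thread. Run on a clean client machine to
# see whether the signing certificate's chain can be built there.
param(
    [string]$CertPath = '.\signing-cert.cer'   # placeholder path (assumption)
)

$fullPath = (Resolve-Path -LiteralPath $CertPath).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $fullPath

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Revocation is a separate question; disable it so only path building is tested.
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$built = $chain.Build($cert)

# Thumbprints already present in the local intermediate (CA) and root stores.
$local = @{}
foreach ($store in 'Cert:\LocalMachine\CA', 'Cert:\CurrentUser\CA',
                   'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    Get-ChildItem -Path $store | ForEach-Object { $local[$_.Thumbprint] = $store }
}

# Walk the chain from the signing certificate towards the root.
$index = 0
foreach ($element in $chain.ChainElements) {
    $c = $element.Certificate
    if ($index -eq 0) {
        $where = 'signing certificate'
    } elseif ($local.ContainsKey($c.Thumbprint)) {
        $where = $local[$c.Thumbprint]
    } else {
        # Windows may retrieve an issuer during the build; it is still absent locally.
        $where = 'NOT in a local CA/Root store'
    }
    '[{0}] {1}  ->  {2}' -f $index, $c.Subject, $where
    $index++
}

# A partial chain means the issuer of the last element could not be found at all.
$partial = $chain.ChainStatus | Where-Object {
    $_.Status -eq [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::PartialChain
}
if ($partial) {
    $last = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    'Chain is incomplete; missing issuer: {0}' -f $last.Issuer
}
'Chain built and trusted: {0}' -f $built
$chain.ChainStatus | ForEach-Object { '  status: {0} - {1}' -f $_.Status, $_.StatusInformation.Trim() }
```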
 
Hi Linda,

Thanks for the quick response.

Unfortunately, as we produce an internet distributed application, we are not
in a position to install certificates on the client. Asking our clients to
do this would somewhat diminish the value of ClickOnce (as there are quite a
few clicks involved in installing a certificate), and raise a few eyebrows.

I eagerly await your update re. whether this has been fixed in VS2008/.NET
3.5

Cheers...

Tony
 
Hi Tony,

This is a quick note to let you know that I'm still consulting this issue.
As soon as I get an answer, I will update in the newsgroup.

I appreciate your patience!

Sincerely,
Linda Liu
Microsoft Online Community Support

 
Hi Tony,

I haven't got an answer so far. After discussing this issue with my
manager, we decided to escalate this issue, i.e. have a Product Support
Professional from Microsoft CSS work with you to resolution. Please note
that there will be no cost to you for this support incident.

To expedite creation of the support incident, please e-mail me with the
following information (to get my actual email address, remove 'online' from
my displayed email address):

o Customer Name
o Customer email address
o Company Name, if applicable
o Best times to reach you, and your time zone.
o Microsoft Support Contract Information, if applicable
o Complete Address
o Daytime Telephone Number
o Operating System(s) In Use
o Operating System Language, especially if not US English
o Application Language, especially if not US English
o Any additional telephone number(s), in case you cannot be reached at your
primary telephone number.

After I receive an e-mail from you with the requested information, I will
create a support incident for you. Then, one of our support professionals
will contact you to establish a mutually convenient time to work on this.

Thank you again for your patience in working on this issue in the community.

Sincerely,
Linda Liu
Microsoft Online Community Support

 
Hi Tony,

I haven't received your email containing the required information so far.

If you need our further assistance, please e-mail me the required
information so we can create a support incident for you.

To get my actual email address, remove 'online' from my displayed email
address.

Sincerely,
Linda Liu
Microsoft Online Community Support

 