Obtain a Certificate for ClickOnce deployment

This page is intended for System Administrators / Technicians, who manage deployment of client software into production environments. This page helps you obtain a certificate needed for ClickOnce Deployment.

Overview

To properly sign a .NET application for ClickOnce deployment, you will need to generate a number of files.

It is important to recognize that this procedure involves working with Certificate Authorities. A Certificate Authority may take a long time to establish your authenticity, so contact the CA early to begin processing! The Certificate Authority must be known among client computers in your environments. You need to decide which type of Certificate Authority is appropriate for the enterprise, and there are generally two options:

The Certification Authority also needs to be aware that you want a certificate for Code Signing and Authenticode purposes.

Security precautions

You must recognize that if the private key or Personal inFormation eXchange (PFX) file is stolen, it could be abused in various scenarios to attack the enterprise which owns the certificate. It could also be abused to sign malicious software (such as spyware) in the name of the certificate owner, which could then be distributed on the Internet. So handling these files properly is important to the enterprise's reputation and financials.

You MUST NOT use the client runtime folder on the web server when generating these files, or any other directory which the web server publishes, as it would violate these security precautions!!!

Step 1. Generating a private key and a CSR (Certificate Signing Request)

These files may be created using the OpenSSL toolkit, as described in Create a private key and a Certificate Signing Request (CSR).

Remember that the private key files are sensitive!

Step 2. Obtain certificate from a Certificate Authority

Basically, you send the CSR to a system maintained by the Certificate Authority. The Certificate Authority will then initiate a process to verify your identity and affiliation with the enterprise, i.e. check your company's letters of incorporation (company registration), contact you and ask a few questions, etc. This may take some time. The Certification Authority also needs to be aware that you want a certificate for Code Signing and Authenticode purposes.

Once the Certificate Authority is satisfied, they will process your CSR, sign it to create a Certificate, and finally they will send you the Certificate they have generated.

Step 3. Combine Private key and Certificate into a Personal inFormation eXchange (PFX) file

The F1mage.exe software requires a Personal inFormation eXchange (PFX) file which should include your private key and your certificate. This can be created using the OpenSSL command line toolkit:

openssl pkcs12 -export -clcerts -in codesign.cer -inkey codesign.key -out codesign.pfx
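
Before combining the files, it is worth confirming that the certificate returned by the CA belongs to your private key and carries the Code Signing purpose. The shell functions below are an added example, not part of the original guide: the function names, the PFX_PASS environment variable and the constructed self-signed sample are assumptions, and the certificate is assumed to be PEM-encoded.

```shell
#!/bin/sh
# Added example: pre-flight checks around the Step 3 command.
# Function names and PFX_PASS are assumptions of this example.

# Succeed only if the certificate's public key belongs to the private key.
key_matches_cert() {  # $1 = private key (PEM), $2 = certificate (PEM)
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeed only if the Extended Key Usage extension lists Code Signing.
# Only the EKU line is inspected, so a subject or issuer name that merely
# contains the words "Code Signing" does not count.
has_code_signing_eku() {  # $1 = certificate (PEM)
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        awk '/X509v3 Extended Key Usage/ {getline; if (/Code Signing/) ok=1}
             END {exit !ok}'
}

# Run both checks, then create the PFX readable by the current user only.
# The export password comes from the PFX_PASS environment variable so that
# it does not appear on the command line.
build_pfx() {  # $1 = private key, $2 = certificate, $3 = output PFX
    [ -n "${PFX_PASS:-}" ] || { echo "export PFX_PASS first" >&2; return 1; }
    key_matches_cert "$1" "$2" || { echo "key/certificate mismatch" >&2; return 1; }
    has_code_signing_eku "$2" || { echo "no Code Signing EKU" >&2; return 1; }
    ( umask 077
      openssl pkcs12 -export -clcerts -in "$2" -inkey "$1" -out "$3" \
          -passout env:PFX_PASS )
}

# Constructed sample for trying the checks offline: a throwaway self-signed
# certificate with the given EKU. It is not a substitute for a CA-issued one.
make_sample() {  # $1 = existing directory, $2 = EKU name, e.g. codeSigning
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=ext' \
        'prompt=no' '[dn]' 'CN=Constructed Sample' '[ext]' \
        "extendedKeyUsage=$2" > "$1/req.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/req.cnf" \
        -keyout "$1/codesign.key" -out "$1/codesign.cer" 2>/dev/null
}

# Usage with the file names from this page:
#   PFX_PASS=...; export PFX_PASS
#   build_pfx codesign.key codesign.cer codesign.pfx
```

Run it from a directory that the web server does not publish, in line with the security precautions above.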

Step 4. Sign Ifs.Fnd.Explorer.application using F1mage and the .pfx file

Read the ClickOnce Deployment guide for this final step.