If you want to use the trusted deployment feature of ClickOnce (or just plain Authenticode), you need a certificate with an intended purpose of at least “code signing”.
You have 3 options:
- Generate a self-signed certificate using makecert.exe (only for testing purposes)
- Get one from a public CA like VeriSign
- Configure your internal (Windows) CA to issue this type of certificate
For corporate scenarios option 3 seems to be most likely. Here is how you get it to work.
Windows 2003 Enterprise CAs have so-called “Certificate Templates” installed (certtmpl.msc). These templates configure the settings of issuable certificates. There is already a pre-installed template for “Code Signing”. This template has a validity period of 1 year. If you want to modify the template (only supported on W2K3 Enterprise Edition), call “Duplicate Template”, give it a new name and change the settings of the template. Either way, you have to modify the security settings: give the user(s) who should be allowed to request such a certificate the “Enroll” permission.
After that go to the console of your CA and navigate to the “Certificate Templates” folder. Click “New->Certificate Templates to Issue”, and select your code signing template.
Now you can request this type of certificate from the CA web interface or the client side “Certificates” MMC snap-in.
For Authenticode (and ClickOnce) there are two prerequisites:
- You have to add the code signing certificate to the client’s “Trusted Publishers” (machine) store
- This cert has to have a trusted root (if you are using an enterprise CA, this is done automatically by AD), otherwise you have to add the CA cert to the “Trusted Root Certificate Authorities” folder
After that, you can use the certificate to sign binaries with “signcode.exe” as well as to sign application manifests in ClickOnce (more info here).
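The two client-side prerequisites above can be checked and applied from an elevated PowerShell prompt. This is an added example, not part of the original post; it assumes the issued certificate was exported to a .cer file at the placeholder path `$CerPath` and uses only the .NET X509 classes that ship with Windows:

```powershell
# Added example: verify a CA-issued certificate is usable for Authenticode/ClickOnce
# on this client and place it in the machine "Trusted Publishers" store.
# $CerPath is an assumption (placeholder): the exported .cer of the signing certificate.
param([string]$CerPath = "C:\certs\codesign.cer")

$CodeSigningEku = "1.3.6.1.5.5.7.3.3"   # id-kp-codeSigning

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CerPath)

# Prerequisite 0: the template must have produced a cert with the Code Signing EKU.
$ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" }   # extKeyUsage
$hasCodeSigning = $ekuExt -and ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $CodeSigningEku })
if (-not $hasCodeSigning) { throw "Certificate lacks the Code Signing EKU" }

# Prerequisite 2: the chain must build to a root this machine trusts. An enterprise CA root
# arrives via AD; otherwise the CA cert has to be imported into Trusted Root first.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = "NoCheck"   # trust check only; no CRL/OCSP lookup here
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
    throw "Certificate chain is not trusted on this machine"
}

# Prerequisite 1: add the cert to LocalMachine\TrustedPublisher (requires administrator rights).
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("TrustedPublisher", "LocalMachine")
$store.Open("ReadWrite")
if (-not ($store.Certificates | Where-Object { $_.Thumbprint -eq $cert.Thumbprint })) {
    $store.Add($cert)
    Write-Host "Added $($cert.Subject) to LocalMachine\TrustedPublisher"
} else {
    Write-Host "Already present in Trusted Publishers: $($cert.Subject)"
}
$store.Close()
```

Only the public certificate goes into Trusted Publishers; the private key stays with the developer or build machine that signs.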