Automatic Distribution of Authenticode Certificates

In my previous post I talked about how to get a code signing cert for Authenticode or ClickOnce.

In a corporate environment every client has to trust this cert (e.g. if you want to suppress the trust question in ClickOnce for trusted apps).

In Active Directory you can use GPOs to distribute the certs.

Root CA Certificate
Add a GPO to AD and link it at the appropriate level. Computer Settings -> Windows Settings -> Security -> Public Key Policies. Add the root CA cert under “Trusted Root Certification Authorities”.

Authenticode Certificate
Add a GPO to AD and link it at the appropriate level. User Settings -> Windows Settings -> Internet Explorer Maintenance -> Security -> Authenticode Settings. Click Import and then Modify. If you don’t want your users to modify their trusted publisher cert store on their own, you should also click “Lock down Trusted Publishers” as well as disable the corresponding Control Panel applet.

Then, give AD some time to think about it, err, replicate…
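Once replication and a policy refresh have happened, the result can be checked on a client. The script below is an added example, not part of the original post: the thumbprints and file path are placeholders, and it assumes the Authenticode setting lands in the user's Trusted Publishers store.

```powershell
# Added example: verify GPO-distributed certificates on a client.
# Run as the affected user after a policy refresh (gpupdate /force) and a new logon.
# Placeholders, not values from the post: replace before running.
$RootThumbprint      = '<ROOT-CA-THUMBPRINT>'
$PublisherThumbprint = '<CODE-SIGNING-CERT-THUMBPRINT>'
$SignedFile          = 'C:\Path\To\SignedApp.exe'

function Test-CertInStore {
    param([string]$StorePath, [string]$Thumbprint)
    # Thumbprints copied from the certificate dialog often carry spaces or
    # an invisible leading character, so keep hex digits only.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    $cert  = Get-ChildItem -Path $StorePath |
             Where-Object { $_.Thumbprint -eq $clean } |
             Select-Object -First 1
    [pscustomobject]@{
        Store    = $StorePath
        Present  = [bool]$cert
        Subject  = if ($cert) { $cert.Subject } else { $null }
        NotAfter = if ($cert) { $cert.NotAfter } else { $null }
        Expired  = if ($cert) { $cert.NotAfter -lt (Get-Date) } else { $null }
    }
}

# Root CA comes from the computer policy, the publisher cert from the user policy.
$checks = @(
    Test-CertInStore -StorePath 'Cert:\LocalMachine\Root' -Thumbprint $RootThumbprint
    Test-CertInStore -StorePath 'Cert:\CurrentUser\TrustedPublisher' -Thumbprint $PublisherThumbprint
)
$checks | Format-Table -AutoSize

# End-to-end check: the signed binary must validate against the stores above
# and must be signed by the certificate that was distributed.
$sig    = Get-AuthenticodeSignature -FilePath $SignedFile
$wanted = ($PublisherThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
$signerMatches = $sig.SignerCertificate -and
                 ($sig.SignerCertificate.Thumbprint -eq $wanted)

[pscustomobject]@{
    File          = $SignedFile
    Status        = $sig.Status          # 'Valid' means signature and chain check out
    SignerMatches = [bool]$signerMatches
}

$failed = @($checks | Where-Object { -not $_.Present -or $_.Expired })
if ($failed.Count -gt 0 -or $sig.Status -ne 'Valid' -or -not $signerMatches) {
    Write-Warning 'Certificate distribution is incomplete on this client.'
    exit 1
}
```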

 
