ClickOnce: Certificate cannot be validated


Guest

Hi,

We recently purchased a CodeSigning certificate from a CA for signing our
ClickOnce manifests. We put the certificate into the certificate storage and
use the SignFile task of MSBuild and the thumbprint we see in the storage.
However, when we run the .application file on a freshly installed machine
and click on the publisher, it says that the certificate cannot be validated.
We checked and found out that the root certificate of the publisher is
installed on the machine, but there seems to be an intermediate certificate
"Thawte Code Signing CA", which is missing. Do we have to provide that
certificate as well and how is this done? Or is there something else we are
doing wrong?

Best regards,

Stefanie
 
Linda Liu [MSFT]

Hi Stefanie,

Based on my understanding, you'd like to deploy a ClickOnce application
that has elevated permissions using the Trusted Application Deployment
technology, i.e. when installing the application, no user prompting occurs.
If I'm off base, please feel free to let me know.

Trusted Application Deployment, part of the ClickOnce deployment
technology, makes it easier for organizations of any size to grant
additional permissions to a managed application in a safer, more secure
manner without user prompting. With Trusted Application Deployment, an
organization can just configure a client computer to have a list of trusted
publishers, who are identified using Authenticode certificates. Thereafter,
any ClickOnce application signed by one of these trusted publishers
receives a higher level of trust.

You must follow these steps to take advantage of Trusted Application
Deployment:

1. Obtain a certificate for the publisher.
2. Add the publisher to the trusted publishers store on all clients.
3. Create your ClickOnce application.
4. Sign the deployment manifest with the publisher's certificate.
5. Publish the application deployment to client computers.

For more information on Trusted Application Deployment, you may read the
following documents:

'Trusted Application Deployment Overview'
http://msdn2.microsoft.com/en-us/library/01daf08f(VS.80).aspx

'How to: Add a Trusted Publisher to a Client Computer for ClickOnce
Applications'
http://msdn2.microsoft.com/en-us/library/ms172241.aspx

Hope this helps.

If the above information doesn't help to solve your problem, please feel
free to let me know.

Sincerely,
Linda Liu
Microsoft Online Community Support

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Guest

Hi Linda,

Thank you very much for your quick answer. I now see that I misunderstood a
part of the whole procedure but there is still one thing I don't understand
completely:

If I have a ClickOnce manifest signed with a certificate that I generated
myself, the user who installs it will get a window which says "Unknown
publisher" and displays a yellow shield in the left bottom corner of this
window.
If I have a ClickOnce manifest signed with a certificate I got from a
Certificate Authority, this shield will be green and the name of our company
as a publisher is displayed. Now, if you click on this name (which is a link
of some kind), you get a window that offers you to install the certificate.
If you do that, you probably won't get this window at all next time you
install an application signed with this certificate - do I understand this
one correctly? And the question I have now is: If you click on that name, the
window which offers to install the certificate says that the certificate
cannot be validated and this is what I don't understand since I supposed that
would be different for a certificate from a Certificate Authority.

Best regards,

Stefanie
 
Linda Liu [MSFT]

Hi Stefanie,

Thank you for your prompt response.

Firstly, ClickOnce uses the manifests of the application it's about to
download to analyze the application. If there are issues in one or more of
four categories (publisher, machine access, installation, and location),
those issues are flagged by ClickOnce, before displaying the Security
Warning dialog. As long as one issue is flagged, the Security Warning
dialog is popped up when a ClickOnce application is installed for the first
time.

Ensuring that the publisher and machine access categories are not flagged
requires you to dip your toes into code signing and .NET's code access
security (CAS).

Authenticode allows users to verify the publisher of the code they want to
download, as well as hold the publisher accountable if something goes
wrong, whether maliciously or accidentally.

The foundation of Authenticode is the digital certificate, which
application publishers use to sign their code. You should absolutely
acquire a digital certificate from a CA for your publicly published
applications, or you can temporarily get away without a CA-provided
certificate for your development environment. VS05 allows you to manually
create a certificate from the Signing tab of a project's property pages by
clicking the Create Test Certificate button.

By default, a test certificate is untrusted. You need to trust a
certificate if you want to trust code signed by that certificate. Code
signed by a certificate can become trusted only if the CA is listed in the
certificate manager as a trusted root certification authority; CAs like
VeriSign and thawte already are listed there. Alternatively, you can
manually add your test certificate to the Trusted Root Certification
Authorities list for the same effect.

If you sign the manifest with a test certificate, when you install the
ClickOnce application for the first time, the Security Warning dialog is
popped up showing a red shield. If a user ignores this warning and clicks
Install, the application is automatically trusted and is added to the list
of Trusted Applications known to CAS.

Subsequent downloads of the same application, via manifests signed with the
same digital certificate, execute in true ClickOnce fashion, without the
Security Warning dialog being shown. If you reuse the same .pfx file (and
certificate) in a different application, users will need to trust the
publisher again, because the application is different.

Let's say that you use a real certificate purchased from a CA to sign the
manifest. When you install the ClickOnce application for the first time, if
no other security warning categories are flagged, the Security Warning
dialog is skipped during the launch process. If other security warnings are
flagged, the Security Warning dialog is still shown. This time around, the
Publisher option in the More Information dialog is OK'd.

> And the question I have now is: If you click on that name, the window
> which offers to install the certificate says that the certificate cannot be
> validated and this is what I don't understand since I supposed that would
> be different for a certificate from a Certificate Authority.

You needn't install the certificate, because the CA has been listed in the
certificate manager as a trusted root certification authority.

Hope this helps.
If you have anything unclear, please feel free to let me know.


Sincerely,
Linda Liu
Microsoft Online Community Support
 
Arnout Grootveld

Linda,
> The foundation of Authenticode is the digital certificate, which
> application publishers use to sign their code. You should absolutely
> acquire a digital certificate from a CA for your publicly published
> applications, or you can temporarily get away without a CA-provided
> certificate for your development environment.

I think I have an issue that's very similar (or even identical) to
Stefanie's.

I have a Thawte code signing certificate that I've used to sign our
ClickOnce manifests. However, this certificate is signed by an
*intermediate* Thawte certificate, which in turn is signed by Thawte's
premium server certificate.

The latter certificate is a trusted root CA, but the intermediate
certificate isn't generally installed on client machines. Therefore, the
ClickOnce application can not be validated on those clients.

When I sign a Visio file or an executable, the complete certificate chain
is embedded in the signed file, which allows it to be verified on clients
that don't have the intermediate certificate. Is there a way to tell
mage.exe to include a complete certificate chain?


Regards,
 
Guest

Arnout Grootveld said:
> I think I have an issue that's very similar (or even identical) to
> Stefanie's.
>
> I have a Thawte code signing certificate that I've used to sign our
> ClickOnce manifests. However, this certificate is signed by an
> *intermediate* Thawte certificate, which in turn is signed by Thawte's
> premium server certificate.
>
> The latter certificate is a trusted root CA, but the intermediate
> certificate isn't generally installed on client machines. Therefore, the
> ClickOnce application can not be validated on those clients.
>
> When I sign a Visio file or an executable, the complete certificate chain
> is embedded in the signed file, which allows it to be verified on clients
> that don't have the intermediate certificate. Is there a way to tell
> mage.exe to include a complete certificate chain?

Yes, this is probably the reason why the Certificate cannot be validated
when the user clicks on the publisher name. Since I never tried to sign an
executable with the certificate, I didn't know that for this usage there are
ways to integrate the whole certificate chain. So I think Arnout hit the main
issue: That there seems to be a different treatment of certificates in the
case of ClickOnce than for signing executables and the like - or maybe you
just need to call the SignFile task in a different way?
 
Linda Liu [MSFT]

Hi Stefanie,

Thank you for your reply.

I searched in our inner database and found a similar issue in it. The
following are the comments:

Firstly, this is a known issue that is being addressed in the next version
of Visual Studio - The Orcas.

ClickOnce apps do not distribute certificate/cert chains on the fly. So
for path validation to be recognized at install time - the installing
machine must have the intermediate certificate in this specific case.

Path validation involves processing public key certificates and their
issuer certificates in a hierarchical fashion until the certificate chain
terminates at a trusted, self-signed certificate.

Typically, this is a root CA certificate. If there is a problem with one of
the certificates in the path, or if it cannot find a certificate, the
certification path is considered a non-trusted certification path.

Right now there is no way to do this; however, users are not blocked from
"installing" "untrusted" applications.

Hope this helps.


Sincerely,
Linda Liu
Microsoft Online Community Support
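The path validation described above, as an added example that is not code from this thread or from Microsoft: a Go program that uses the standard library's crypto/x509 to build a constructed three-tier hierarchy (a self-signed root, an intermediate "code signing CA" and a publisher's leaf; the names are made up and are not Thawte's certificates) and then runs chain building the way a client would, once with only the root in the trusted store and once with the intermediate also available. Go's chain builder stands in for Windows CryptoAPI here, which is an assumption, but on the thread's specific point it behaves the same way: the path stops at the missing issuer and the leaf is reported as signed by an unknown authority.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// hierarchy is a constructed PKI: root -> intermediate -> publisher leaf.
// The names are invented for this example.
type hierarchy struct {
	root, intermediate, leaf *x509.Certificate
}

// template returns a minimal certificate template. CAs get the certSign key
// usage; the leaf gets the code-signing extended key usage.
func template(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign
	} else {
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	}
	return t
}

// issue generates a fresh P-256 key for tmpl and has parentKey sign the
// certificate. A nil parent yields a self-signed certificate.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func buildHierarchy() (*hierarchy, error) {
	root, rootKey, err := issue(template("Example Root CA", 1, true), nil, nil)
	if err != nil {
		return nil, err
	}
	inter, interKey, err := issue(template("Example Code Signing CA", 2, true), root, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, _, err := issue(template("Example Publisher Ltd", 3, false), inter, interKey)
	if err != nil {
		return nil, err
	}
	return &hierarchy{root: root, intermediate: inter, leaf: leaf}, nil
}

// clientCheck models path validation on a client. The root sits in the
// client's trusted root store; haveIntermediate says whether the intermediate
// CA certificate is also present on that client. It returns the subjects of
// the path found (leaf first, root last) or the validation error.
func clientCheck(h *hierarchy, haveIntermediate bool) ([]string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(h.root)
	intermediates := x509.NewCertPool()
	if haveIntermediate {
		intermediates.AddCert(h.intermediate)
	}
	chains, err := h.leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: intermediates,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	if err != nil {
		return nil, err
	}
	var path []string
	for _, c := range chains[0] {
		path = append(path, c.Subject.CommonName)
	}
	return path, nil
}

// isUnknownAuthority reports whether err is the "path does not terminate at a
// trusted root" failure, which is exactly what a missing intermediate produces.
func isUnknownAuthority(err error) bool {
	_, ok := err.(x509.UnknownAuthorityError)
	return ok
}

func main() {
	h, err := buildHierarchy()
	if err != nil {
		panic(err)
	}
	for _, have := range []bool{false, true} {
		path, err := clientCheck(h, have)
		fmt.Printf("intermediate on client=%v: path=%v err=%v\n", have, path, err)
	}
}
```

The first run corresponds to Stefanie's freshly installed machine: the root is trusted, but the builder cannot find an issuer for the leaf and stops, so the path is non-trusted. The second run corresponds to the remedy the thread converges on, having the intermediate CA certificate present on the client, after which the same leaf chains leaf, intermediate, root. On a real client the equivalent check is whether that intermediate is present in the machine's intermediate CA store.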
 
Linda Liu [MSFT]

Hi Stefanie,

How about the problem now?

If you have any concerns, please feel free to let me know.

Thank you for using our MSDN Managed Newsgroup Support Service!

Sincerely,
Linda Liu
Microsoft Online Community Support
 
Guest

Linda,

I seem to be having the exact same problem as Stefanie and Arnout.

I have, with the help of a colleague much more knowledgeable about these
things, manually "hacked" the full certificate path into the .manifest and
.application files. However, this has not made any difference.

My colleague suggests that it is possible that the code that validates the
certificates may not be walking the certificate path due to the fact that the
certificates do not contain Authority Key Identifier (AKI) and Subject Key
Identifier (SKI) attributes, but instead appear to be using the Subject and
Issuer attributes for certificate chaining purposes. Do you think this is a
possible cause of the problem?

Basically, I would like to know who I should be contacting regarding trying
to sort this issue out - Microsoft or Thawte?

Thanks in advance,

Mark
 
Mike Quinlan

Awesome response, very helpful. Thank You



v-lli wrote:

Hi Stefanie,Thank you for your prompt response.
15-Jun-07
