Signing WinForms ClickOnce app with Certificate Chain


David I A Grant

Hello all,

Now this is a bit involved, so please bear with me :blush:)

I have a Thawte code signing certificate and I am trying to use it to sign
C# WinForms project for ClickOnce deployment via the signing screen in VS2008.

I was issued PVK and SPC files by Thawte which I used to create a PFX file
including the full certification path. The PFX file can then be used with
Visual Studio. Thawte use an intermediate certificate for code signing so my
certificate is chained to the Thawte root certificate via their intermediate
certificate. Creating the PFX file with the full chain embeds the
intermediate certificate which is necessary as client machines will only
include the root.

Our build server includes the full certification chain in its store in order
to complete the signing process and performing a fresh install of the built
application on this machine correctly shows the 'green tick' for a valid

Unfortunately when I try and perform a fresh install of the click once
application on a client machine it shows a 'yellow warning' instead as it is
unable to complete the certification path. The machine does not have the
intermediate certificate installed but it should be included in the signature.

Now, if you check the digital signature for the setup.exe file (right click
-> digital signatures) then you can see that the signature is valid and that
the certification path is complete, indicating that the certificate included
the full path as intended.

This leads me to believe that there may be two types of 'code signing' going
on, one a 'normal' authenticode type signing and another xml signature of the
manifest, that are working inconsistently. It seems that the signature on
the setup.exe includes the full chain, but when trying to install the
application it indicates the chain is broken.

From googling this (see
it looks like this was confirmed as an issue with VS2005 that was intended to
be addressed.

Any suggestions on how I can get the ClickOnce installation to find the
intermediate certificate? Note that getting our clients to install the
intermediate certificate as a one-off step is not an option...

Thanks very much,


Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question