Commercial certificate authority for Full Trust XBAP application
Hi,
I am working on a client-server application in XBAP with Full Trust mode. Currently I have created a test certificate on my machine and am using it in my application. I would like to know whether I have to purchase "any commercial certificate authority" for deploying my Full Trust enabled XBAP application, or is the "Test Certificate" alone enough?
Thanks for your reply.
Prabu
Answers
Hi Prabu,
MSDN document says:
There are various types of Authenticode certificates, each one configured for different types of signing. For ClickOnce applications, you must have an Authenticode certificate that is valid for code signing; if you attempt to sign a ClickOnce application with another type of certificate, such as a digital e-mail certificate, it will not work. For more information, see Introduction to Code Signing (http://msdn.microsoft.com/en-us/library/ms537361(VS.85).aspx).
> can we get a certificate for our application from vendors like VeriSign to make sure our application gets installed from internet too?
Yes, you can get a certificate from VeriSign as long as VeriSign produces a certificate that is valid for code signing.
> Can we use the certificate provided from Verisign for this? If so, what type of certificate do we need?
The certificate should be valid for code signing.
Hope this helps.
Sincerely,
Linda Liu
Please remember to mark the replies as answers if they help and unmark them if they provide no help.
Welcome to the All-In-One Code Framework! If you have any feedback, please tell us.
- Marked As Answer by Linda Liu, MSFT, Moderator, Friday, November 06, 2009 3:28 AM
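One way to check the condition in the answer above ("valid for code signing") on a certificate you already hold, as an added example that is not part of the original thread or of the MSDN documentation. The function name `Test-CodeSigningCert` and the file name in the usage comment are hypothetical, and revocation checking is switched off as an assumption so the check runs offline.

```powershell
# Added example (not from the thread). Test-CodeSigningCert is a hypothetical helper name.
function Test-CodeSigningCert {
    param([Parameter(Mandatory = $true)][string]$Path)   # path to a .pfx file

    $codeSigningOid = '1.3.6.1.5.5.7.3.3'                 # Code Signing EKU OID
    $cert = Get-PfxCertificate -FilePath $Path            # prompts if the PFX has a password

    # Collect the OIDs listed in the Enhanced Key Usage extension, if present.
    $ekuOids = @()
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekuOids += @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
    }

    # Build the chain against this machine's trust stores.
    # Assumption: revocation checking is switched off so the check runs offline.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($cert)
    $problems = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    [pscustomobject]@{
        Subject             = $cert.Subject
        Issuer              = $cert.Issuer
        SelfIssued          = ($cert.Subject -eq $cert.Issuer)   # subject and issuer are the same name
        HasCodeSigningEku   = ($ekuOids -contains $codeSigningOid)
        ChainsToTrustedRoot = $trusted
        ChainProblems       = $problems
        NotAfter            = $cert.NotAfter
    }
}

# Usage (constructed file name):
# Test-CodeSigningCert -Path .\XbapSigning.pfx
```

`ChainsToTrustedRoot` reflects the trust stores of the machine the function runs on, so a certificate issued under an enterprise root can report as trusted inside the intranet and untrusted on a machine outside it.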
All Replies
Hi Prabu,
The following is quoted from MSDN document "ClickOnce Deployment and Authenticode":
A certificate generated using the MakeCert.exe utility is commonly called a "self-cert" or a "test cert". This kind of certificate works much the same way that a .snk file works in the .NET Framework: it consists solely of a public/private cryptographic key pair, and contains no verifiable information about the publisher. You can use self-certs to deploy ClickOnce applications with high trust on an intranet; however, when these applications run on a client computer, ClickOnce will identify them as coming from an "Unknown Publisher." By default, ClickOnce applications signed with self-certs and deployed over the Internet cannot utilize Trusted Application Deployment.
By contrast, if you receive a certificate from a CA—such as a certificate vendor, or a department within your enterprise—the certificate offers more security for your users. It not only identifies the publisher of the signed software, but it verifies that identity by checking with the CA that signed it. If the CA is not the root authority, Authenticode will also "chain" back to the root authority to verify that the CA is authorized to issue certificates. For greater security, you should use a certificate issued by a CA whenever possible.
Hope this helps.
Sincerely,
Linda Liu
Hi Linda Liu,
Thanks for your comments.
I needed further information about this.
Actually, though it's an intranet application (within an enterprise network with our own Root CA & a custom certificate for this application), we want to make sure that it CAN work 'out of the intranet' too,
i.e., can we get a certificate for our application from vendors like VeriSign to make sure our application gets installed from internet too? Can we use the certificate provided from Verisign for this? If so, what type of certificate do we need?
Thanks in advance.
Prabu


