Certificate hell

  • Question

  • I am about ready to pull my hair out.

    I am developing an Excel add-in (VSTO) and I am having trouble getting my add-in installed. The message that I keep receiving is that the publisher of my add-in is not trusted and therefore installation cannot be completed successfully.

    What I did is this:

    I created a root certificate authority for my company for the purpose of creating code signing certificates. The CA is added to the Trusted Root Authorities of the localmachine.

    The CA is then used to create the code signing certificate and that certificate is then used to sign the add-in and some libraries with...

    The code signing certificate is added to the localmachine Trusted Publishers store...

    I open excel and the error comes up:

    "The solution cannot be installed because it is signed by a publisher whom you have not yet chosen to trust. If you trust the publisher, add the certificate to the Trusted Publisher list."

    I am a bit clueless what to do right now.

    OS: Windows 7 x64
    Office 2013 Pro 32bit version
    VS2012

    Used makecert to create the certificates:

    Root CA:

    makecert -r -pe -n "CN=My CA" -ss CA -sr CurrentUser -a sha256 -cy authority -sky signature -sv MyCA.pvk MyCA.cer

    Code Signing Certificate:

    makecert -pe -n "CN=My SPC" -a sha256 -cy end -sky signature -ic MyCA.cer -iv MyCA.pvk -sv MySPC.pvk MySPC.cer

    Hope someone has a clue because I am lost.

    Evert

    Tuesday, May 12, 2015 9:47 AM
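The whole procedure the post describes (private root CA, a code-signing certificate issued by it, trust in the two stores, Authenticode-signing the output, verification), as an added PowerShell example that is not part of the original thread. It uses the same Windows SDK tools (makecert, pvk2pfx, signtool, certutil) and assumes they are on PATH, that the session is elevated (writing to the LocalMachine stores requires it), and that the add-in DLL sits at the hypothetical path below; the password and names are placeholders. Two details differ from the post's commands: the leaf certificate gets an explicit Code Signing EKU, and the root is imported into the Root store by hand rather than via `-ss CA`, because makecert's store name `CA` is the Intermediate Certification Authorities store, not Trusted Root.

```powershell
# Added example, not from the original thread. Assumes makecert.exe, pvk2pfx.exe,
# signtool.exe and certutil.exe are on PATH and the session is elevated.
$ErrorActionPreference = 'Stop'
$pfxPassword = 'ChangeMe!'                                                # placeholder
$addinDll    = '.\publish\Application Files\MyAddin_1_0_0_0\MyAddin.dll'  # hypothetical path

# 1. Root CA: self-signed (-r), marked as a CA (-cy authority), SHA-256, 2048-bit key.
#    Written to files only; the store import is done explicitly in step 4.
makecert -r -pe -n "CN=My CA" -a sha256 -len 2048 -cy authority -sky signature `
    -e 12/31/2030 -sv MyCA.pvk MyCA.cer

# 2. Leaf code-signing certificate issued by that CA. -eku 1.3.6.1.5.5.7.3.3 is the
#    Code Signing OID; without it makecert emits no EKU extension and the
#    certificate's intended purposes show as "All".
makecert -pe -n "CN=My SPC" -a sha256 -len 2048 -cy end -sky signature `
    -eku 1.3.6.1.5.5.7.3.3 -ic MyCA.cer -iv MyCA.pvk -sv MySPC.pvk MySPC.cer

# 3. Bundle the leaf key and certificate into a PFX for signtool / Visual Studio.
pvk2pfx -pvk MySPC.pvk -spc MySPC.cer -pfx MySPC.pfx -po $pfxPassword

# 4. Trust: only the root goes into Root; the leaf (the publisher) goes into
#    TrustedPublisher. Putting the leaf into Root is a common mistake.
certutil -addstore -f Root MyCA.cer
certutil -addstore -f TrustedPublisher MySPC.cer

# 5. Authenticode-sign the assembly. Strong naming from the VS Signing tab does
#    not do this; Authenticode is a separate signature block in the PE file.
signtool sign /f MySPC.pfx /p $pfxPassword /fd sha256 /v $addinDll

# 6. Verify against the default Authenticode policy (/pa), then from PowerShell.
signtool verify /pa /v $addinDll
$sig = Get-AuthenticodeSignature -FilePath $addinDll
"{0}: {1}, signed by {2}" -f $addinDll, $sig.Status, $sig.SignerCertificate.Subject
```

The `-e` date, key length and password are arbitrary; what matters for the trust prompt is that the signer's certificate carries a Code Signing EKU, chains to something in LocalMachine\Root, and is itself present in LocalMachine\TrustedPublisher.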

All replies

  • Evert, 

    The makecert.exe is used for creating temporary certificates (for testing purposes only).

    You need to purchase a valid certificate from a trusted vendor like VeriSign, etc.

    The Certificate Creation tool generates X.509 certificates for testing purposes only. It creates a public and private key pair for digital signatures and stores it in a certificate file. This tool also associates the key pair with a specified publisher's name and creates an X.509 certificate that binds a user-specified name to the public part of the key pair.

    Tuesday, May 12, 2015 10:38 AM
  • AFAIK it should be perfectly okay to use self-signed certificates in a controlled environment (intranet) and there should be no problem having Office accept those certificates as valid once added to the Trusted Publisher list, so I am not sure that what you are saying is correct.

    As stated, the issuer is added to the Trusted Root Authorities store and, by doing so, the certificate should be trusted. Adding it to the Trusted Publisher list should tell Office that the publisher (me) is trustworthy. The add-in is never going to be used outside the intranet environment.

    Can you explain to me why only a "purchased" certificate is accepted?

    Thanks,

    Evert

    Tuesday, May 12, 2015 10:53 AM
  • Hi everttimmer,

    The self-signed certificate is OK.

    Do you sign the ClickOnce manifests by these steps below?

    1. Right click the project in VS and select Properties
    2. Click Signing section
    3. Check Sign the ClickOnce manifests
    4. Click Select from file / Create test certificate

    Regards

    Starain



    Wednesday, May 13, 2015 6:25 AM
    Moderator
  • Hi Starain,

    Thanks for replying!

    I signed both the ClickOnce manifest and the project output (the add-in DLL) with the same certificate, which is the certificate I have imported into the Trusted Publishers store.

    Some observations:

    The publisher name does not show up in Excel under "Inactive add-ins".

    The certificate(s) intended purposes are "all" instead of "code signing", which I see with other code signing certificates.

    I use SHA-256 as the signature algorithm. Could that cause problems?

    Regards,
    Evert

    Wednesday, May 13, 2015 7:32 AM
  • Another observation:

    When I publish the add-in, it creates a setup.exe, together with the .vsto file and an "Application Files" folder. When I run setup.exe on the client, it comes up with a dialog asking me if I want to install the customization. It also says the publisher is "Unknown Publisher".

    It does have a <publisherIdentity> tag in the .vsto file...

    It looks like the installer cannot, for whatever reason, find the certificate in the store using the information provided in the .vsto file... This also explains why debugging from the IDE has the same problem, because the .vsto file is then also used to register the add-in.

    Evert

    Wednesday, May 13, 2015 7:45 AM
  • Hi Starain,

    I did some additional checking.

    The Signing tab of VS only creates a strong-named assembly. Does the assembly still need to be digitally signed with the certificate using signtool after that?

    Verifying the published output, I noticed that the add-in assembly is strong-named but not digitally signed.

    Regards,
    Evert

    Wednesday, May 13, 2015 8:09 AM
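A diagnostic for the three observations above (intended purposes showing "all", SHA-256 as the signature algorithm, strong-named but not Authenticode-signed), as an added PowerShell example that is not part of the original thread. It assumes the hypothetical add-in path below and reads everything else from the file and the LocalMachine stores; it tells strong naming apart from Authenticode, reports the signer's EKU and signature algorithm, and checks that the signer is in TrustedPublisher and that its chain ends at a certificate present in Root.

```powershell
# Added diagnostic, not from the original thread. Only the path is an assumption.
$addinDll = '.\publish\Application Files\MyAddin_1_0_0_0\MyAddin.dll'  # hypothetical path

# Strong naming is a public-key token baked into the assembly identity;
# Authenticode is a separate signature block in the PE file. A DLL can have
# either, both or neither, and Office only cares about the second.
$asmName = [System.Reflection.AssemblyName]::GetAssemblyName((Resolve-Path $addinDll))
$token   = ($asmName.GetPublicKeyToken() | ForEach-Object { $_.ToString('x2') }) -join ''
"Strong-name token  : {0}" -f $(if ($token) { $token } else { '<none>' })

$sig = Get-AuthenticodeSignature -FilePath $addinDll
"Authenticode       : {0}" -f $sig.Status        # NotSigned, Valid, UnknownError, ...
if ($sig.SignerCertificate) {
    $cert = $sig.SignerCertificate
    "Signer             : {0}" -f $cert.Subject
    "Signature alg      : {0}" -f $cert.SignatureAlgorithm.FriendlyName   # e.g. sha256RSA

    # EKU: a publisher certificate should carry Code Signing (1.3.6.1.5.5.7.3.3).
    # A certificate with no EKU extension at all is what shows as "All" purposes.
    $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $ekuExt) {
        "EKU                : <none> (shown as 'All' purposes)"
    } else {
        $eku  = New-Object System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension($ekuExt, $false)
        $oids = $eku.EnhancedKeyUsages | ForEach-Object { $_.Value }
        "EKU                : {0}" -f ($oids -join ', ')
        if ($oids -notcontains '1.3.6.1.5.5.7.3.3') { "WARNING: no Code Signing EKU" }
    }

    # Store membership is matched on thumbprint, not subject name, so two
    # certificates that both say CN=My SPC are not confused with each other.
    $inTP = Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
            Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    "In TrustedPublisher: {0}" -f [bool]$inTP

    # Build the chain without revocation checking (a private CA publishes no CRL)
    # and confirm the chain's top certificate is in LocalMachine\Root.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($cert)
    "Chain builds       : {0}" -f $chainOk
    if (-not $chainOk) {
        $chain.ChainStatus | ForEach-Object { "  " + $_.StatusInformation.Trim() }
    }
    if ($chain.ChainElements.Count -gt 0) {
        $top    = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $inRoot = Get-ChildItem Cert:\LocalMachine\Root |
                  Where-Object { $_.Thumbprint -eq $top.Thumbprint }
        "Chain top          : {0}" -f $top.Subject
        "Top in LM\Root     : {0}" -f [bool]$inRoot
    }
}
```

If the first two lines print a token but `NotSigned`, the output was strong-named only and still has to go through signtool; if the status is `Valid` but the chain's top certificate is not in LocalMachine\Root, or the signer is missing from TrustedPublisher, the Office trust prompt is expected regardless of how the certificate was created.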
  • Hi Evert,

    In general, we don't need to re-sign the manifests. If we want to modify the manifest or use another certificate file, we need to re-sign it.

    # Specifying a Product Name, Publisher Name and other properties for VSTO solutions

    http://blogs.msdn.com/b/vsto/archive/2008/06/11/specify-a-product-name-publisher-name-and-other-properties-for-vsto-solutions-saurabh-bhatia.aspx

    For publisher issue, there is a similar thread.

    # Setting the publisher name of a VSTO 3.0 Add In

    https://social.msdn.microsoft.com/Forums/vstudio/en-US/a4339fed-33a2-4606-96d0-a1d6e8ccaa58/setting-the-publisher-name-of-a-vsto-30-add-in?forum=vsto

    Regards

    Starain



    Thursday, May 14, 2015 6:31 AM
    Moderator