How to create and use a Code Signing Certificate for ClickOnce VSTO applications using Active Directory Certificate Services

When deploying a VSTO project within an enterprise, you can use an internally created certificate to avoid the "Unknown Publisher" prompt when deploying (you'll get this prompt if you attempt to deploy using the test certificate that Visual Studio creates automatically). This guide takes you through the entire process. Note that the first two parts need to be completed by a domain admin and should only need to be done once (though you can add permissions for further users as needed). The process isn't restricted to VSTO applications; it should work for all ClickOnce deployments.

Enable the Code Signing Certificate Template

  1. On the appropriate server (e.g. the CA root), open Certificate Services Manager.
  2. In the left pane, select Certificate Templates.
  3. Check whether a Code Signing template is listed; by default, it isn't. If it's missing, add it:
    1. From Action menu, select New -> Certificate Template to Issue.
    2. Select Code Signing, then click OK.

Grant Permissions for User(s) to Create Code Signing Certificates

  1. From the Certificate Services Manager, right click Certificate Templates and select Manage.
  2. From the list of templates, right-click Code Signing and select Properties.
  3. Select the Security tab.
  4. Any user who should be allowed to request a code signing certificate needs Read and Enroll permissions on the template, so add the users and permissions as necessary.
  5. Apply changes.

Create a Code Signing Certificate

  1. On the development machine (logged in as a user who has been granted permissions to create a code signing certificate), open Microsoft Management Console.
  2. From File menu, select Add/Remove Snap-in…
  3. From Available snap-ins, select Certificates and then click Add.
  4. Select My user account, and then click Finish.
  5. Click OK to close the Add/Remove Snap-ins window.
  6. You will now see Certificates listed in the console view on the left. Right-click Personal, select All Tasks, then Request New Certificate.
  7. Click Next on the first screen (Before You Begin).
  8. Click Next on the Select Certificate Enrolment Policy screen (Active Directory Enrolment Policy will be applied).
  9. In the Request Certificates screen, tick Code Signing, and then click Enrol. A certificate will be created and placed in the user's Personal store.

Sign the ClickOnce manifests

  1. In Visual Studio, open the project properties.
  2. Select Signing from the options on the left.
  3. Tick Sign the ClickOnce manifests (ignore if already ticked).
  4. Click Select from Store… and choose the certificate to use (which will be the one just created).
  5. You can now publish the project, and the AD certificate will be used to sign it – which should prevent errors when the add-in is installed within the domain (and anywhere else that the domain root CA is trusted).
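
As an added check that is not part of the original guide, the following PowerShell (run on the development machine as the enrolled user) confirms that the enrolled certificate is actually in the user's Personal store with a code-signing EKU and a private key, that it chains to the domain CA, and that the published setup.exe carries a valid signature. The publish folder path is an assumption; adjust it to your project.

```powershell
# Added example (not from the original guide): verify the enrolled code-signing
# certificate and the signature on the published ClickOnce bootstrapper.

# -CodeSigningCert filters the store to certificates with the Code Signing EKU.
$certs = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert
if (-not $certs) {
    Write-Warning "No code-signing certificate in Cert:\CurrentUser\My. Check template Read/Enroll permissions and that enrolment completed (a reboot may be needed before the template appears)."
    return
}

foreach ($c in $certs) {
    # Build the chain with online revocation checking so a cert that clients
    # would reject (untrusted root, revoked, expired) is flagged here first.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chainOk = $chain.Build($c)
    [pscustomobject]@{
        Subject       = $c.Subject
        Issuer        = $c.Issuer
        Thumbprint    = $c.Thumbprint
        NotAfter      = $c.NotAfter          # default template lifetime is short; watch this date
        HasPrivateKey = $c.HasPrivateKey     # must be $true or Visual Studio cannot sign with it
        ChainValid    = $chainOk
        ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
}

# Assumed publish location; the signed bootstrapper is setup.exe in the publish root.
$publishDir = 'C:\publish\MyAddIn'
Get-ChildItem -Path $publishDir -Filter setup.exe -Recurse |
    Get-AuthenticodeSignature |
    Select-Object Path, Status, StatusMessage,
                  @{ Name = 'Signer'; Expression = { $_.SignerCertificate.Subject } }
```

A Status of Valid with the Signer matching the enrolled certificate's Subject means clients that trust the domain CA will not see the Unknown Publisher prompt; NotSigned or UnknownError points back at the Signing tab selection.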
Comments (6)

  1. Rich says:

    This document was exactly what I needed!  Thank you! Is there a way to extend the expiration beyond the 1-year default?

  2. Allen says:

    Where is Certificate Services Manager?

    I cannot find it in Windows Server 2012.

  3. Certification Authority, from Tools in the Server Manager.

  4. Thomas says:

    will this certificate also work for installation package created by install shield?

  5. Bill says:

    We have been struggling with this. When it comes to the last step, there are no certificates available in the store. What are we missing?

  6. Joe says:

    In my environment we actually had to reboot the developer laptops before the template would show up in the Request Certificate screen. Gpupdate /force wouldn’t even get it to show up, had to do a reboot. Other than that these directions were perfect.
