Test Certificate Signing problem
Hi,
I have created a test certificate using VS 2005 and installed it in the Trusted Root Certification Authorities and Trusted Publishers. I have set my manifests to be signed by this certificate. Then I am publishing it into an intranet zone, i.e. http://<machinename>/<appname>
When I try to download the application from the same machine, I get a "The publisher could not be verified" prompt, and the publisher name is coming as "Unknown Publisher". Is this a bug, because I have the certificate installed on the same machine? Even if I get the prompt, why am I getting "Unknown Publisher" as the publisher name?
Thanks,
Kunal
Just to add to this, I got a free certificate from Ascertia and installed it in the Trusted Publishers and Trusted Root CA and signed my application using it. But still I am getting an Unknown Publisher text in the Publisher name. Can someone please help on this? Am I missing some step?
Thanks,
Kunal
Can you check the Enhanced Key Usage (EKU) field on the certificate? The EKU must be Code Signing (1.3.6.1.5.5.7.3.3) or the certificate should not have an EKU property at all. If the certificate has an EKU property and it is anything other than code signing, for example Client Authentication (1.3.6.1.5.5.7.3.2), ClickOnce does not consider this to be a valid certificate and will display Unknown Publisher in the TrustManager dialog.
Thanks,
Sameer
Does the certificate chain up to Trusted Root? Open the certificate in certmgr and double click on the certificate. In the General tab, if you get an icon with a red cross and a warning "The CA certificate is not trusted...." it means that the certificate does not chain up to a trusted root. In that case you need to add the Ascertia root certificate to the Trusted Root, assuming that you trust Ascertia CA :-)
Can you send me the link where you obtained the Ascertia Code Signing cert from? I will obtain a cert and test this with our latest builds.
Thanks,
Sameer
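The two checks suggested in the replies above (EKU and chain to a trusted root), scripted as an added example that is not part of the original thread. The function name `Test-ClickOnceSigningCert`, its output fields and the choice of the `Cert:\CurrentUser\TrustedPublisher` store are assumptions; it reports what Windows sees for each certificate and does not reproduce ClickOnce's own TrustManager logic.

```powershell
# Added example (not from the thread). Function name and output fields are hypothetical.
$CodeSigningOid = '1.3.6.1.5.5.7.3.3'   # Code Signing EKU, as quoted in the reply above

function Test-ClickOnceSigningCert {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        # EKU rule from the reply: acceptable if the EKU extension is absent,
        # or (assumed interpretation) if it lists Code Signing.
        $ekuExt = $Certificate.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $ekuOids = @()
        if ($ekuExt) {
            $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
        $ekuOk   = (-not $ekuExt) -or ($ekuOids -contains $CodeSigningOid)
        $ekuText = '(no EKU extension)'
        if ($ekuExt) { $ekuText = $ekuOids -join ', ' }

        # Chain rule from the reply: the certificate must chain up to a trusted root.
        # Revocation checking is switched off here (assumption: a test CA on an
        # intranet may not publish a reachable CRL).
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $chainOk  = $chain.Build($Certificate)
        $problems = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

        New-Object psobject -Property @{
            Subject             = $Certificate.Subject
            Thumbprint          = $Certificate.Thumbprint
            NotBefore           = $Certificate.NotBefore
            NotAfter            = $Certificate.NotAfter
            EkuOids             = $ekuText
            EkuAcceptable       = $ekuOk
            ChainsToTrustedRoot = $chainOk
            ChainProblems       = ($problems -join ', ')
        }
    }
}

# Check every certificate in the current user's Trusted Publishers store.
Get-ChildItem Cert:\CurrentUser\TrustedPublisher | Test-ClickOnceSigningCert | Format-List
```

A certificate that fails either check shows `EkuAcceptable` or `ChainsToTrustedRoot` as `False`; `ChainProblems` carries the Windows chain status flags, such as `UntrustedRoot` or `NotTimeValid`.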
Hi Sameer,
The certificate is in the Trusted root section and there is no red cross or warning.
To get a free certificate from Ascertia, you can register at
http://www.ascertia.com/onlineCA/Issuer/default.aspx?action=login
After that you can request a certificate from
http://www.ascertia.com/onlineCA/Issuer/CerReq.aspx?email=<the email id with which you registered>
If you could try it out that would be a great help.
Note that the certificate does not become valid as soon as you install it. You will have to reboot the system once after installing the certificate. If you don't do that, the certificate says that it has either expired or is not yet valid. If you restart it, then the cert becomes OK.
Thanks,
Kunal
[Edit] Just came to know from Mark that the Beta 2 came out in Feb, so I still have Beta 1 though it says as Beta 2.
I have tried to use the free certificate you suggested and find no problem. When I get the certificate, I use the following settings:
1. Code Signing Certificate
2. Microsoft Enhanced Cryptographic Provider v1.0
3. Key usage: Both
4. Size: 1024 bit
And I install the certificate by the link on the website. After reboot, checking the certificate by certmgr.exe several times, it is then activated. Then I use the cert in VS 2005 with the "Select from store" button.
Hope that helps.
Yes, it's working for me now also. It was a Beta 1 bug; I had Beta 1 but the Start menu programs showed it as Beta 2, which was the culprit. I had added an edit note in my last post to clarify that I was working on Beta 1.