ClickOnce Cert Expired Issue Solved By RenewCert of May.be

Posted on by

Yesterday, I went to publish a new version of our clickonce application, when I was greeted by a message that Visual Studio wasn’t going to let me publish, because our certification had expired. Oh no.

We’d often talked about getting a real certification and not using the temporary one, but we never saw the real benefit, and now in hindsight, I’m really glad we did not.

So, here’s the problem:

After your first clickonce publish, Visual Studio creates a certification key file, and stores it in your project as “ProjectName_TemporaryKey.pfx”. As far as I can tell, this is used only to sign the manifest it’s never sent to the client. The only visible downside is when installing the application, it warns that it’s an unknown publisher. This temporarykey, like actual keys are good for one year from the issue date.

Once that year is up, you can’t publish anymore. If you change certs, your updates no longer work (The deployment identity does not match the subscription. ) and everyone has to reinstall the application. It seems that Microsoft acknowledges that this was by design but it was bad design, and I believe it’s much better in VS 2008.

So panic sets in, we talk about abandoning clickonce, how to get these updates to people in the mean time. We found a knowledge base article, which offers two work arounds. http://support.microsoft.com/kb/925521

The first work around is out of the question, if we do that, we get rid of clickonce for good.

The second work around, sounds confusing and I feel like we get one shot, if that doesn’t work the project is gone.

Then, I find my new favorite website: http://www.may.be/renewcert/, A wonderful person, Cliff Stanford, seems to have encountered this problem, and took Microsoft’s Workaround #2 and made it better and offered some real help.

I downloaded his version of renewcert, and tried it on one of my temporarykeys. I used the following command at first: renewcert MyProject_TemporaryKey.pfx MyProject_FiveYearKey.pfx CN=”My Company” super_dooper_password

It failed.

I got the following error:

PFXImportCertStore failed with error 0×56: The specified network password is not correct.

I didn’t see any mention of this on Cliff’s site so I started to get worried again. Decided to try again, this time, I looked at how the temporarykey was issued.

renewcert MyProject_TemporaryKey.pfx MyProject_FiveYearKey.pfx CN=”MYDOMAIN\MYUSERNAME” super_dooper_password

I had no clue what to use as password, my current domain password? The one from a year ago? I did some googling and found that when VS creates these certs, it doesn’t use a password, so I left it off:

renewcert MyProject_TemporaryKey.pfx MyProject_FiveYearKey.pfx CN=”MYDOMAIN\MYUSERNAME”

It worked! I went into VS, went to the Signing Tab in the project properties, did “Select From File”, picked my new fiveyear cert. It added it to the project for me, and extened my expiration date to 2013!

IF we would have used a real certification, I think we would have been in trouble. You would need your certification agency to issue you a new cert every year, but it would have to use the same key. This isn’t something they do often.

So, we’re going to keep on keeping on, and migrate off of ClickOnce eventually, but atleast we were bought some time. I’m suprised this issue only cost me about an hour of my time, and a little worrying.

Thank you Cliff Stanford of may.be

Leave a Reply

Your email address will not be published. Required fields are marked *

*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>