How to create and use a Code Signing Certificate for ClickOnce VSTO applications using Active Directory Certificate Services 5/5 (1)

When deploying a VSTO project within an enterprise, you can use an internally created certificate to avoid the “Unknown Publisher” prompt when deploying (you’ll get this if you attempt to deploy using the test certificate that is automatically created by Visual Studio).  This guide takes you through the entire process.  Note that the first two parts need to be completed by a domain admin, and should only need to be done once (though you can add permissions for further users as needed). The process isn’t restricted to VSTO applications, it should work for all ClickOnce deployments.

Enable the Code Signing Certificate Template

  1. On the appropriate server (e.g. the CA root), open Certificate Services Manager.
  2. In the left pane, select Certificate Templates.
  3. Check for a Code Signing template – by default, this isn’t available.  If it isn’t, add it:
    1. From Action menu, select New -> Certificate Template to Issue.
    2. Select Code Signing, then click OK.

 Grant Permissions for User(s) to Create Code Signing Certificates

  1. From the Certificate Services Manager, right click Certificate Templates and select Manage.
  2. From the list of templates, right-click Code Signing and select Properties.
  3. Select the Security tab.
  4. Any users that should be allowed to create code signing certificates need to be granted Read and Enroll permissions, so add users and permissions as necessary.
  5. Apply changes.

Create a Code Signing Certificate

  1. On the development machine (logged in as a user who has been granted permissions to create a code signing certificate), open Microsoft Management Console.
  2. From File menu, select Add/Remove Snap-in…
  3. From Available snap-ins, select Certificates and then click Add.
  4. Select My user account, and then click Finish.
  5. OK out of the Add/Remove snap-in window.
  6. You will now see Certificates listed in the console view on the left.  Right-click Personal, select All Tasks, then Request New Certificate.
  7. Click Next on the first screen (Before You Begin).
  8. Click Next on the Select Certificate Enrolment Policy screen (Active Directory Enrolment Policy will be applied).
  9. In the Request Certificates screen, tick Code Signing, and then click Enrol.  A certificate will be created and placed in the user’s Personal store.

Sign the ClickOnce manifests

  1. In Visual Studio, open the project properties.
  2. Select Signing from the options on the left.
  3. Tick Sign the ClickOnce manifests (ignore if already ticked).
  4. Click Select from Store… and choose the certificate to use (which will be the one just created).
  5. You can now publish the project, and the AD certificate will be used to sign it – which should prevent errors when the add-in is installed within the domain (and anywhere else that the domain root CA is trusted).

Please rate this

6 thoughts on “How to create and use a Code Signing Certificate for ClickOnce VSTO applications using Active Directory Certificate Services

    1. This article was written a long time ago and so some of the steps may have changed slightly. Feel free to leave any such changes in the comments and I can incorporate them into the article.

        1. If you can let me know what doesn’t work, and more importantly what versions of software you are using (e.g. Visual Studio, Windows) then I’ll update the guide when I have a chance to test.

    1. Windows SmartScreen won’t automatically permit an application just because it is signed. It uses heuristics and other information to try to identify an application, and if it fails it will show a warning.


Leave a Reply

Your email address will not be published. Required fields are marked *