.NET Forum / .NET Framework / Security / January 2006


ClickOnce and Certificate

Rene - 24 Jan 2006 22:17 GMT
I am looking into deploying a ClickOnce application and am reading all these
things about how you need a certificate to make ClickOnce work.

After looking around, I found that I can use a utility called MakeCert.exe
to make my own certificate, but then the documentation says that the
certificate created with this utility is for testing purposes and should
not be used for commercial purposes because I think it won't work.

So what am I supposed to do? Is my only option to go and pay for the
certificate? What if I don't care that my users see the *danger, don't install
software from unknown publishers or you will die* message when they install
our software? What are my options?

Thanks
Dominick Baier [DevelopMentor] - 25 Jan 2006 06:32 GMT
Hi,

well - you should care!

As developers it is our responsibility to keep the number of times a user
is presented with these security dialogs as low as possible.

You want a client to run your code - then establish some kind of
trust relationship. That's the philosophical part.

Technically - execution of ClickOnce apps without manifests signed by a trusted
publisher can be administratively disabled - which would render your app
inoperable. That's a company policy thing - like disabling cookies or JavaScript
- and btw - my recommendation to every IT guy I talk to.

To get a cert for ClickOnce you have 3 options, basically:

1: makecert: only for testing purposes
2: Windows CA (comes with Windows Server)
3: a commercial one

1 is OK for test purposes. 2 is fine for internal apps and extranet scenarios
(or you have to go through the process that your clients must trust your
internal CA)

3 is the easiest if your software will get used by clients which don't have
a trust relationship to your CA - external clients.

So you need a code signing cert every 12 months - which isn't too bad and,
btw, ClickOnce supports time stamping servers - which means your signed
manifests don't expire when your cert expires and you *don't* have to re-sign
your apps every 12 months. You just have to use the new cert for new signatures.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> I am looking into deploying a ClickOnce application and am reading all
> these things about how you need a certificate to make ClickOnce work.
[quoted text clipped - 11 lines]
>
> Thanks
Rene - 25 Jan 2006 19:37 GMT
But the certificate costs almost $400 a year!! I don't mind paying
more than that for something that I believe is worth it, but $400 for a
certificate that takes the company probably no more than 5 minutes to issue
seems to me like a huge rip-off!!

> Hi,
> well - you should care!
[quoted text clipped - 49 lines]
>>
>> Thanks
Dominick Baier [DevelopMentor] - 25 Jan 2006 19:51 GMT
Hi,

well you can use makecert or an internal CA...

but if your primary goal is to make this trust dialog go away - you will
need some certificate that your clients trust as well...

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> But the certificate costs almost $400 a year!! I don't mind
> paying more than that for something that I believe is worth it but
[quoted text clipped - 52 lines]
>>>
>>> Thanks
Dominick Baier [DevelopMentor] - 25 Jan 2006 19:53 GMT
Hi,

btw - I wrote 2 short articles on my blog about ClickOnce...

http://www.leastprivilege.com/CentrallyConfigureClickOnceTrustManager.aspx
http://www.leastprivilege.com/AutomaticDistributionOfAuthenticodeCertificates.aspx

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> But the certificate costs almost $400 a year!! I don't mind
> paying more than that for something that I believe is worth it but
[quoted text clipped - 52 lines]
>>>
>>> Thanks
Dominick Baier [DevelopMentor] - 25 Jan 2006 19:54 GMT
oops - and this

http://www.leastprivilege.com/W2K3CAAndCodeSigningCertificates.aspx

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> But the certificate costs almost $400 a year!! I don't mind
> paying more than that for something that I believe is worth it but
[quoted text clipped - 52 lines]
>>>
>>> Thanks
Nicole Calinoiu - 25 Jan 2006 20:08 GMT
> But the certificate costs almost $400 a year!!

There are some commercial CAs that offer code signing certificates for
considerably lower cost.  If you're shopping around for alternate CAs, the
list of trusted CAs that can be displayed from your Internet Explorer
options dialog isn't a bad place to start...

> I don't mind paying more than that for something that I believe is worth
> it but $400 for a certificate that takes the company probably no more than
> 5 minutes to issue seems to me like a huge rip-off!!

CAs do more than just issue certificates.  Besides validating that
purchasers are indeed who they claim to be (which usually takes more than 5
minutes <g>), they are also responsible for things like maintaining accurate
and accessible certificate revocation lists (which must remain accessible
for rapid download even under very heavy demand) and handling complaints
from consumers of issued certificates.  None of this is particularly cheap
and, while I'd agree that $400/yr is probably a bit over the top, the prices
offered by some of the CAs do seem relatively reasonable to me.

>> Hi,
>> well - you should care!
[quoted text clipped - 49 lines]
>>>
>>> Thanks
Rene - 26 Jan 2006 01:57 GMT
Thank you all. I found a company offering certificates for $79 a
year. I still think this is too much; I was thinking that $25 would be
fair. Anyone know of a cheaper company than the one found at the link below?

http://www.instantssl.com/

Thank you.

> But the certificate costs almost $400 a year!! I don't mind
> paying more than that for something that I believe is worth it but $400
[quoted text clipped - 54 lines]
>>>
>>> Thanks
Joe Kaplan (MVP - ADSI) - 26 Jan 2006 03:29 GMT
I think you need code signing, so that would be their $99 option.  You can't
use a standard SSL cert for code signing.

However, $99 is still pretty cheap.  It obviously is more than you want to
pay, but low by the going rate.

Remember too that if you can distribute trusted roots to your clients, you
can create your own certificates for free.  The public CA mainly gives you
the pre-installed trusted root.

Joe K.

> Thank you all. I found a company offering certificates for $79 a
> year. I still think this is too much; I was thinking that $25 would
[quoted text clipped - 63 lines]
>>>>
>>>> Thanks
Rene - 26 Jan 2006 04:51 GMT
Damn, I am still kind of confused with this certificates thing:

Is the "code signing" certificate to make sure people don't tamper with my files,
and the "SSL certificate" to make sure that the communication between my
site and the people logging on is encrypted and that the key used to encrypt
the information is really my key?

Also, what would happen if I post my ClickOnce files to an Internet server
and the files were signed with the temporary certificate issued by Visual
Studio (pfx)? Will my users not be able to download them, or are they just
going to see a warning message?

>I think you need code signing, so that would be their $99 option.  You
>can't use a standard SSL cert for code signing.
[quoted text clipped - 75 lines]
>>>>>
>>>>> Thanks
Dominick Baier [DevelopMentor] - 26 Jan 2006 06:29 GMT
Hi,

"Code Signing", "Server Authentication" intended purposes etc. are just strings
embedded in the cert - for ClickOnce you need a cert with the purpose of
"Code Signing".

Technically they are all the same.

With the default settings users will get a warning. They will be able to
download it. But as I said, these are just the defaults. I recommend changing
them to every company I speak to.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> Damn, I am still kind of confused with this certificates thing:
>
[quoted text clipped - 87 lines]
>>>>>>
>>>>>> Thanks
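As an added example that is not part of this thread (and not code from Microsoft or the ClickOnce documentation), the PowerShell script below turns two points made above into a check you can run before signing: Dominick's point in the last reply that "Code Signing" is just a purpose OID embedded in the certificate, and his earlier point that what makes the dialog go away is a chain to a root the client already trusts (a makecert cert chains to nothing, an internal CA cert chains only where that CA's root was distributed, a commercial cert chains to a pre-installed root). The script name, its parameters and the placeholder file name CodeSigning.pfx are assumptions of this example, not anything the thread describes.

```powershell
# Test-ClickOnceCert.ps1 (added example, not from the thread)
# Inspects a PFX before it is used to sign ClickOnce manifests:
#   1. does the Enhanced Key Usage (EKU) carry the Code Signing purpose OID?
#   2. does the cert chain to a root trusted on THIS machine for that purpose?
#   3. is the private key present, and how long until the cert expires?
# Parameter names and the PFX path are assumptions for this example.
param(
    [Parameter(Mandatory = $true)] [string] $PfxPath,        # e.g. .\CodeSigning.pfx (placeholder)
    [Parameter(Mandatory = $true)] [securestring] $Password
)

$CodeSigningOid = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning
$ServerAuthOid  = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth, the purpose an "SSL cert" carries instead

# Load the PFX. Signing needs the private key, so report whether it came along.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $Password)

# 1. "Intended purposes" are OIDs in the EKU extension; a cert issued for
#    server authentication only will simply not list the code-signing OID.
$ekuExt = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
}
$ekuOids = @()
if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
$hasCodeSigning = $ekuOids -contains $CodeSigningOid

# 2. Build the chain with the code-signing application policy and online
#    revocation checking, exactly what the client side does before trusting
#    a signed manifest. The answer depends on the trusted roots of the
#    machine running this script, so run it on a representative client.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
[void] $chain.ChainPolicy.ApplicationPolicy.Add(
    (New-Object System.Security.Cryptography.Oid($CodeSigningOid)))
$chainOk = $chain.Build($cert)
$chainProblems = @($chain.ChainStatus | ForEach-Object {
    "$($_.Status): $("$($_.StatusInformation)".Trim())"
})
$rootSubject = ''
if ($chain.ChainElements.Count -gt 0) {
    # Last element is the top of the chain: the self-signed root (or the cert
    # itself for a makecert self-signed test cert, reported as UntrustedRoot).
    $rootSubject = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
}

# 3. Validity. Signed manifests outlive this date only if a timestamp server
#    was used when they were signed.
$daysLeft = [int] ($cert.NotAfter - (Get-Date)).TotalDays

[pscustomobject] @{
    Subject          = $cert.Subject
    Issuer           = $cert.Issuer
    HasPrivateKey    = $cert.HasPrivateKey
    EnhancedKeyUsage = ($ekuOids -join ', ')
    CodeSigningEku   = $hasCodeSigning
    ServerAuthOnly   = (-not $hasCodeSigning) -and ($ekuOids -contains $ServerAuthOid)
    TrustedChain     = $chainOk
    ChainRoot        = $rootSubject
    ChainProblems    = ($chainProblems -join '; ')
    DaysUntilExpiry  = $daysLeft
}
```

Run it as `.\Test-ClickOnceCert.ps1 -PfxPath .\CodeSigning.pfx -Password (Read-Host -AsSecureString)`. A makecert test certificate will show `CodeSigningEku = True` but `TrustedChain = False` with `UntrustedRoot` in `ChainProblems`; a cert from an internal Windows CA will show `TrustedChain = True` on a machine that has that CA's root and `False` on one that does not, which is the difference between options 2 and 3 above; an ordinary SSL certificate will show `ServerAuthOnly = True`, which is why it cannot be used here. Note that a certificate with no EKU extension at all lists no purposes and is reported as `CodeSigningEku = False` by this script, since it checks for the explicit OID only.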

©2008 Advenet LLC   Privacy Policy - Terms of Use