I have a ClickOnce application code-signed with a code signing certificate
from Thawte. When a user (running IE on WinXP SP2) tries to run the app, if
they click the Publisher hyperlink a warning is shown in the "Certificate"
dialog with the warning "Windows does not have enough information to verify
this certificate". Selecting the "Certification Path" tab shows a status of
"The issuer of this certificate could not be found".

Now, I am sure this is down to the fact that our certificate is not signed
by Thawte's root certificate, but by their intermediary "Code Signing CA"
certificate, which is not installed on the client. If a user tries to run the
app. from a machine with this intermediate certificate installed, there are
no warnings and everything is great, with a full chain of trust shown in the
"Certification Path" tab. My question is this: how can I sign the app so that
this intermediate certifcate is included so users do not see a warning (which
renders the whole code-signing process pretty redundant)?

When I created the ".pfx" file that is used for the signing (by exporting
from my machine's Certificate Store), I chose the option to "Include all
certificates in the certification path if possible", but this obviously
hasn't worked. I am new to this whole code signing lark, so it is entirely
possible I have made some newbie error with this, but I have followed all the
instructions I have found.

I would really appreciate any help on this,

Thanks

(note I posted this question in dotnet.distributed_apps, but got no reply,
so am trying again here in case that was the wrong group to post this
question in).