VSTO AddIn “Trusted Publisher” info certificate (Azure KeyVault) requirement

Question

VSTO AddIn “Trusted Publisher” info certificate (Azure KeyVault) requirement

Rakesh Khullar 5

our primary goal is to ensure our Office Add-ins display “Your Company” as the verified publisher within the Office Trust Center, rather than showing “None” or “Unknown Publisher.”

We have Azure Key Vault-store certificate with following

Could you clarify the exact certificate requirements for achieving “Trusted Publisher” status? We have attempted to sign the manifest using signtool and azuresigntool without success.

Some details:

Certificate Export Process: The certificate is retrieved as an X509Certificate2 object that includes the public certificate. Only the signing certificate is directly retrieved from Key Vault The full certificate chain is not exported
Signing Command: sign code azure-keyvault –azure-key-vault-url “https://mycompany.vault.azure.net/” –azure-key-vault-certificate “CodeSigningCert” –azure-credential-type “ManagedIdentity” –managed-identity-client-id “2a3xxxxx-xxxx-xxxx-xxxx-xxxxxxxxx” –application-name “Quark Publishing Platform Adapter for Microsoft Office” –publisher-name “Quark Software Inc” –description “Quark Publishing Platform Adapter for Microsoft Office” –description-url “https://www.quark.com” –timestamp-url “[http://timestamp.digicert.com]” “path/to/Quark.CMSAdapters.Office.Word.vsto”
Certificate Chain Verification: PS C:\Windows\System32> Get-AuthenticodeSignature C:\Publish\Quark.CMSAdapters.Office.Word.vsto | Format-List *

SignerCertificate : TimeStamperCertificate : Status : UnknownError StatusMessage : The form specified for the subject is not one supported or known by the specified trust provider. Path : C:\Publish\Quark.CMSAdapters.Office.Word.vsto SignatureType : None IsOSBinary : False

Manifest Signing: Yes Sign CLI does sign both VSTO and manifests:

Please let me know if any further info is needed?

Certificate Export Process: The certificate is retrieved as an X509Certificate2 object that includes the public certificate. Only the signing certificate is directly retrieved from Key Vault
The full certificate chain is not exported

Signing Command:
sign code azure-keyvault
–azure-key-vault-url “https://mycompany.vault.azure.net/”
–azure-key-vault-certificate “CodeSigningCert”
–azure-credential-type “ManagedIdentity”
–managed-identity-client-id “2a3xxxxx-xxxx-xxxx-xxxx-xxxxxxxxx”
–application-name “Quark Publishing Platform Adapter for Microsoft Office”
–publisher-name “Quark Software Inc”
–description “Quark Publishing Platform Adapter for Microsoft Office”
–description-url “https://www.quark.com”
–timestamp-url “[http://timestamp.digicert.com]”
“path/to/Quark.CMSAdapters.Office.Word.vsto”

Certificate Chain Verification:
PS C:\Windows\System32> Get-AuthenticodeSignature C:\Publish\Quark.CMSAdapters.Office.Word.vsto | Format-List *

SignerCertificate :
TimeStamperCertificate :
Status : UnknownError
StatusMessage : The form specified for the subject is not one supported or known by the specified trust
provider.
Path : C:\Publish\Quark.CMSAdapters.Office.Word.vsto
SignatureType : None
IsOSBinary : False

Manifest Signing: Yes Sign CLI does sign both VSTO and manifests:

Please let me know if any further info is needed?

Specifically, can Azure Key Vault-stored certificates be used for this purpose?

Moved from Microsoft 365 and Office | Word | Other | Windows

Leonardo Mariano Côco 155 Reputation points

2026-01-16T01:24:12.4766667+00:00
Hi Rakesh — for VSTO the “Publisher” field in Office isn’t pulled from Key Vault metadata. It only shows your company when the ClickOnce/VSTO deployment is actually signed and Windows can build a trusted certificate chain for that signer.

A few things jump out from what you posted:

Your PowerShell output shows HasPrivateKey = False for the cert in CurrentUser\My. That usually means you imported a .cer (public key only). You can’t produce a valid VSTO/ClickOnce signature without access to the private key (either via a PFX installed on the build machine, or a signing provider the tooling supports).

For VSTO, signing is typically done with Mage.exe / MageUI (ClickOnce manifest signing). signtool alone won’t reliably make the VSTO manifests show a Publisher in Trust Center if the manifests aren’t signed the way ClickOnce expects.

Even if you sign correctly, clients will still show “Unknown/None” unless the signing cert chains to a trusted root + intermediates on that machine. In many environments you also need to add the signer cert to Trusted Publishers (and sometimes Trusted People) on the client.

So the “requirements” in plain terms are:

A Code Signing certificate (EKU 1.3.6.1.5.5.7.3.3), issued by a CA that the client trusts.

The signing process must sign the VSTO/ClickOnce manifests (Mage), not only the binaries.

The signing cert must be usable for signing (private key available to the signing tool), and the chain must be resolvable on the client.

About Azure Key Vault: storing the cert there is fine, but it only helps if your signing tool can sign ClickOnce/VSTO manifests using Key Vault’s key (many setups still end up needing a PFX/private key available to Mage). If you can’t export a PFX from KV, that’s usually the blocker.

If you share how you’re producing the VSTO publish artifacts (Visual Studio publish vs Mage) and whether your Key Vault cert is exportable, I can suggest the most workable signing path for your setup.Hi Rakesh — for VSTO the “Publisher” field in Office isn’t pulled from Key Vault metadata. It only shows your company when the ClickOnce/VSTO deployment is actually signed and Windows can build a trusted certificate chain for that signer.

A few things jump out from what you posted:

Your PowerShell output shows HasPrivateKey = False for the cert in CurrentUser\My. That usually means you imported a .cer (public key only). You can’t produce a valid VSTO/ClickOnce signature without access to the private key (either via a PFX installed on the build machine, or a signing provider the tooling supports).

For VSTO, signing is typically done with Mage.exe / MageUI (ClickOnce manifest signing). signtool alone won’t reliably make the VSTO manifests show a Publisher in Trust Center if the manifests aren’t signed the way ClickOnce expects.

Even if you sign correctly, clients will still show “Unknown/None” unless the signing cert chains to a trusted root + intermediates on that machine. In many environments you also need to add the signer cert to Trusted Publishers (and sometimes Trusted People) on the client.

So the “requirements” in plain terms are:

A Code Signing certificate (EKU 1.3.6.1.5.5.7.3.3), issued by a CA that the client trusts.

The signing process must sign the VSTO/ClickOnce manifests (Mage), not only the binaries.

The signing cert must be usable for signing (private key available to the signing tool), and the chain must be resolvable on the client.

About Azure Key Vault: storing the cert there is fine, but it only helps if your signing tool can sign ClickOnce/VSTO manifests using Key Vault’s key (many setups still end up needing a PFX/private key available to Mage). If you can’t export a PFX from KV, that’s usually the blocker.

If you share how you’re producing the VSTO publish artifacts (Visual Studio publish vs Mage) and whether your Key Vault cert is exportable, I can suggest the most workable signing path for your setup.
JuliaMarvin 17,790 Reputation points Volunteer Moderator

2026-01-16T09:33:46.7466667+00:00

Moderator note

@Leonardo Mariano Côco

Your willingness to help in Microsoft Q&A is appreciated, however please refrain from simply copying and pasting AI generated content.

Users are capable of asking copilot or other AI services themselves, most ask here because they want help from a real person with some experience.

Please read AI usage policy for Microsoft Q&A as well as Microsoft Q&A Code of Conduct

1 answer

Your answer

JuliaMarvin 17,790 Reputation points Volunteer Moderator

2026-01-16T09:33:46.7466667+00:00

Moderator note

@Leonardo Mariano Côco

Your willingness to help in Microsoft Q&A is appreciated, however please refrain from simply copying and pasting AI generated content.

Users are capable of asking copilot or other AI services themselves, most ask here because they want help from a real person with some experience.

Please read AI usage policy for Microsoft Q&A as well as Microsoft Q&A Code of Conduct

Answer 1

Thanks for looking into this:

We have cloud-based code signing solution and DigiCert EV Code Signing Certificate issued by Digicert.

This is stored in our Azure subscription under keyvault resource (attached screenshot). When we download certificate only public cert is downloaded without any private key.

Some details:

Not able to sign VSTO Addin using Sign tool/Mage/AzureSignTool exe!

AzureSignToolError

However, was able to sign Addin using tool at: GitHub - dotnet/sign: Code Signing CLI tool supporting Authenticode, NuGet, VSIX, and ClickOnce (https://github.com/dotnet/sign)

Let me know if any further information required on this.

AzureKeyVault

Thanks and Regards,

Rakesh Khullar

Share via

VSTO AddIn “Trusted Publisher” info certificate (Azure KeyVault) requirement

1 answer

Your answer