How to: Create Your Own Test Certificate
Retired Content |
---|
This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. |
Although signing a deployment was made optional in the .NET Framework 3.5 SP1, it is still a best practice for security reasons. To sign your deployment, you must have a code-signing certificate. You can either create your own test certificate or obtain a certificate from a root certificate authority (CA)—typically, a vendor or your server support team. When you have a certificate from a CA, it displays the publisher in the installation dialogs, which makes your application appear more trustworthy. If you use a test (self-created) certificate, the installation dialogs will display an "Unknown publisher" message. For applications deployed internally in an organization, this is an acceptable practice.
To create a test certificate in Visual Studio
- Open your main project’s property pages and click the Signing tab.
- Click Create Test Certificate.
Visual Studio will create the certificate, and add it to your project (the certificate will have a name similar to MyApp_Temporary.pfx). Visual Studio will also add the certificate to the certificate store on your computer.
If you use this method on multiple applications, you will find that they all look the same in the certificate store on your computer, as shown in Figure 1.
Figure 1
Certificate store
If you use Mage to redeploy an application, Mage will ask for the certificate when you sign the deployment. One option is to browse to it in Windows Explorer, but this gets tiresome if you have to do it repeatedly. A second option is to select it from the certificate store. However, if you have several with the same name, you will not know which one to select.
Rather than creating a test certificate with Visual Studio, you can create one using the tools that came with Visual Studio and define the name yourself. Then you can use this same certificate to sign one or more deployments. If you use Mage to sign the application, you can easily select your certificate from the certificate store on your computer rather than browsing to it.
Creating and naming a test certificate is optional, but it can make publishing and signing your deployments easier in the long run. This section explains how to create the test certificate. The next section explains how to use the test certificate to sign your deployment.
To create a test certificate
Find the Makecert.exe and Pvk2pfx.exe files.
If you are using Visual Studio 2010, the files are in the following folder:
C:\Program Files\Microsoft SDKs\Windows\v7.0A\bin\
If you are using Visual Studio 2008, the files are in the following folder:
C:\Program Files\Microsoft SDKs\Windows\v6.0A\bin\
Copy the files to another folder, such as C:\MakeCert\, so that you can easily find them via a Command Prompt window.
Open a Command Prompt window and go to the folder.
You need to create a certificate and a private key file, and then convert those files into a .pfx file that can be used by Visual Studio. Use the following command to create the certificate and the private key file:
makecert -sv yourprivatekeyfile.pvk -n "cert name" yourcertfile.cer -b mm/dd/yyyy -e mm/dd/yyyy -r
where:
- -sv yourprivatekeyfile.pvk is the name of the file containing the private key.
- -n "cert name" is the name that will appear on the certificate (and in the certificate store).
- yourcertfile.cer is the name of the certificate file.
- -b mm/dd/yyyy is the date when the certificate becomes valid.
- -e mm/dd/yyyy is the date when the certificate expires.
- -r indicates that this will be a self-signed certificate.
Figure 2 is an example of the command.
Figure 2
Making a certificate file
This example creates a certificate that is valid from 4/1/2010 through 4/1/2011. You can create one that lasts longer than this, but it is not advisable because the certificate cannot be revoked. For more information about certificate revocation, see Certificate Revocation and Status Checking on Microsoft TechNet.
After you enter the command, you will be prompted to set the password for the private key file, as shown in Figure 3.
Figure 3
Setting the password for the private key file
This step creates a .pvk file that contains the private key information.
You will be prompted to enter the password to sign the actual certificate (.cer) file, as shown in Figure 4.
Figure 4
Entering the password for the private key file
Next, you have to create the .pfx file that you will use to sign your deployments. Open a Command Prompt window, and type the following command:
PVK2PFX –pvk yourprivatekeyfile.pvk –spc yourcertfile.cer –pfx yourpfxfile.pfx –po yourpfxpassword
where:
- -pvk yourprivatekeyfile.pvk is the private key file that you created in step 4.
- -spc yourcertfile.cer is the certificate file you created in step 4.
- -pfx yourpfxfile.pfx is the name of the .pfx file that will be created.
- -po yourpfxpassword is the password that you want to assign to the .pfx file. You will be prompted for this password when you add the .pfx file to a project in Visual Studio for the first time.
Figure 5 illustrates the commands described in steps 4 and 7, and the resulting files. When you create the .pfx file, you will be prompted again for the password to the private key file.
Figure 5
Making a .pfx file out of the certificate and private key files
Your .pfx file is now ready to use to sign your deployments. For procedures, see the section How to: Set the Basic ClickOnce Publishing Properties.
In Windows Explorer, find the folder in which you created the .pfx file. Double-click the file. This will start the import wizard. Accept the defaults and import your certificate into the store. It will be placed under Certificates – Current User in the Personal folder.
To access your certificate store, click the Start button, type certmgr.msc in the search box, and then press Enter. You can see the SCSFTest example certificate in Figure 6.
Figure 6
SCSF Test certificate example in the certificate store
You will be able to retrieve the certificate from the store when you use the Mage tools.
Note
You can also leave the certificate in the C:\MakeCert folder and retrieve it from there when you use either the Mage tools or the Manifest Management Utility (MMU).