
Expired certificates in the clickonce manifest.


Wally

May 25, 2007, 3:32:00 PM
My VB apps written in Visual Studio 2005 are starting to have their
certificate expiration date older than the current date. If I create or use a
newer certificate I have to uninstall the app and reinstall. Is there a way
to fix an expired certificate without uninstalling?

Linda Liu [MSFT]

May 28, 2007, 3:17:01 AM
Hi,

By default, a certificate issued by a Certificate Authority (CA) is only
valid for 12 months. Typically, certificate expiration would mean that you
need to re-sign your ClickOnce application every 12 months. Authenticode
mitigates the need for this with support for time-stamping.

The Timestamp Server URL feature allows you to supply a service that will
time stamp your manifest during the publishing process.

When you sign a ClickOnce deployment using a certificate, ClickOnce records
the date and time of the signing and embeds it in the deployment's digital
signature. So long as the deployment was signed when the certificate was
still valid, ClickOnce will allow the application to run even if the
certificate has since expired.

As for the time stamp service, Verisign, Inc. is an example of a CA that
provides this kind of service. You may use the following Timestamp server
URL:

http://timestamp.verisign.com/scripts/timstamp.dll

Alternatively, you may create a command-line assembly that updates the
certificate. A KB article has provided sample code for this. You may read
the KB article from the link below:

http://support.microsoft.com/kb/925521

Hope this helps.

Sincerely,
Linda Liu
Microsoft Online Community Support

Linda Liu [MSFT]

May 30, 2007, 6:22:07 AM
Hi,

How about the problem now?

If you need our further assistance, please feel free to let me know.

Thank you for using our MSDN Managed Newsgroup Support Service!

Wally

Jun 6, 2007, 3:57:01 PM
It took me several attempts but I got the C++ update to work.

Thanks for your help....

Wally

Linda Liu [MSFT]

Jun 8, 2007, 8:35:18 AM
Hi Wally,

Thank you for your feedback on how you solved the problem by yourself.

By the C++ update you have mentioned, do you mean Microsoft Visual C++ 2005
SP1?

Wally

Jun 8, 2007, 9:43:01 AM
Hi Linda,

No. Sorry, I was referring to the Microsoft Visual C++ Win32 console
application called RenewCert from
support.microsoft.com/default.aspx/kb/925521 (workaround method 2). Is there
a fix or correction in SP1 for Visual Studio 2005?

Thanks....

Wally

Linda Liu [MSFT]

Jun 12, 2007, 10:19:24 PM
Hi Wally,

Sorry for my delayed reply.

No, Visual Studio 2005 Service Pack 1 doesn't contain the fix for this
problem. For a complete list of bugs that are fixed in Visual Studio 2005
Service Pack 1, you may refer to the following article:

'List of bugs that are fixed in Visual Studio 2005 Service Pack 1'
http://support.microsoft.com/?kbid=918526

Hope this helps.

Stefanie Mehl

Jun 27, 2007, 3:56:00 AM
Hi,

I have a question with regard to the KnowledgeBase solution:
The solution with RenewCert is probably only possible with certificates
that you created yourself and not with certificates issued by a Certificate
Authority, isn't it?

So the problem that you cannot update applications anymore after such a CA
certificate expired remains - you can start them (if they are timestamped)
but you cannot update because you cannot sign with an expired certificate and
the new certificate will have a different keypair.

Is there another way of doing that or are there plans to solve this problem
- e.g. by providing some kind of "handover" manifest where you can connect
the expiring certificate with the new one?

Best regards,

Stefanie

Linda Liu [MSFT]

Jun 27, 2007, 7:34:01 AM
Hi Stefanie,

Yes. The KB article at the link 'http://support.microsoft.com/kb/925521'
addresses how to renew a certificate created by ourselves.

About a certificate issued by a CA, you may use the time-stamping method.

The Timestamp Server URL feature allows you to supply a service that will
time stamp your manifest during the publishing process.

When you sign a ClickOnce deployment using a certificate, ClickOnce records
the date and time of the signing and embeds it in the deployment's digital
signature. So long as the deployment was signed when the certificate was
still valid, ClickOnce will allow the application to run even if the
certificate has since expired.

As for the time stamp service, Verisign, Inc. is an example of a CA that
provides this kind of service. You may use the following Timestamp server
URL:

http://timestamp.verisign.com/scripts/timstamp.dll

Hope this helps.

Sincerely,
Linda Liu
Microsoft Online Community Support

Stefanie Mehl

Jun 27, 2007, 10:12:01 AM

Hi Linda,

> About a certificate issued by a CA, you may use the time-stamping method.
>
> The Timestamp Server URL feature allows you to supply a service that will
> time stamp your manifest during the publishing process.
>
> When you sign a ClickOnce deployment using a certificate, ClickOnce records
> the date and time of the signing and embeds it in the deployment's digital
> signature. So long as the deployment was signed when the certificate was
> still valid, ClickOnce will allow the application to run even if the
> certificate has since expired.

Yes, that is right, but there is one use case that is not covered by that
scenario and that is the one my question is about:

If you need to deploy an update _after_ the certificate is expired, you have
a problem because you cannot sign the new deployment package with the old
certificate. So I think there should be a way to update the certificate with
the replacement. Otherwise updates via ClickOnce are limited by the
expiration date of the certificate.

Best regards,

Stefanie

Linda Liu [MSFT]

Jun 29, 2007, 8:21:42 AM
Hi Stefanie,

Thank you for your prompt response.

As for signing the new deployment package with the old expired certificate,
it is a question for the issuing certificate authority.

For example, here is the link to VeriSign's code signing certificate renewal
page:
https://securitycenter.verisign.com/celp/enroll/outsideSearch?application_locale=VRSN_US&originator=VeriSign:CELP

They should provide you with a new or updated certificate file, then in
Visual Studio you need to use the new file on the Signing page.

Linda Liu [MSFT]

Jul 3, 2007, 6:11:16 AM
Hi Stefanie,

How about the problem now?

If you need our further assistance, please feel free to let me know.

Thank you for using our MSDN Managed Newsgroup Support Service!

Stefanie Mehl

Jul 3, 2007, 11:48:02 AM
Hi Linda,

I tried to find out more about renewing certificates and what I found out
was that none of the Certificate Authorities I asked is able to renew a
certificate with the same keypair - that means the keypair will most probably
be exchanged whenever a certificate is renewed.
This means that, at the moment, when the certificate expires, it is not
possible to publish updates for a given application after the expiration date
(at least that is the conclusion I come to). This is very inconvenient since
it dictates the end of updates with the expiration of the certificate.

Best regards,

Stefanie

Linda Liu [MSFT]

Jul 5, 2007, 3:18:03 AM
Hi Stefanie,

Thank you for your feedback.

I understand your concern.

It is a basic feature of ClickOnce to sign ClickOnce deployments by
using a digital certificate. However, if the certificate expires, we cannot
use this certificate to sign the newer version of this ClickOnce
application.

If the certificate is made by ourselves, we could use method 2 that the KB
article (http://support.microsoft.com/kb/925521) introduces to renew this
certificate. However, if the certificate is issued by a CA, there's no
other way unless the related CA can provide such a 'renew' service.

Nevertheless, we have another choice, i.e. uninstall the ClickOnce
application signed with the expired certificate and install the updated
ClickOnce application that uses the new certificate.
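
To make the two rules discussed in this thread concrete (a timestamped signature keeps an installed deployment runnable after its certificate expires, while an update signed with a renewed certificate's new key pair carries a different publicKeyToken and is not accepted as an update of the installed application), here is an added Python model; it is not code from the thread or from ClickOnce itself, and the manifests, certificate dates and the identity comparison are constructed assumptions that simplify ClickOnce's real checks.

```python
from dataclasses import dataclass
from datetime import datetime
import xml.etree.ElementTree as ET

ASM_V1 = "urn:schemas-microsoft-com:asm.v1"  # namespace of assemblyIdentity in ClickOnce manifests

@dataclass(frozen=True)
class Cert:
    subject: str
    not_before: datetime
    not_after: datetime

# Constructed manifests: the update was re-signed with a renewed CA certificate,
# whose new key pair yields a different publicKeyToken (values are made up).
INSTALLED_MANIFEST = f"""<asmv1:assembly xmlns:asmv1="{ASM_V1}" manifestVersion="1.0">
  <asmv1:assemblyIdentity name="Example.App.application" version="1.0.0.5"
    publicKeyToken="1111222233334444" language="neutral" processorArchitecture="msil"/>
</asmv1:assembly>"""
UPDATE_MANIFEST = INSTALLED_MANIFEST.replace("1.0.0.5", "1.0.0.6").replace(
    "1111222233334444", "aaaabbbbccccdddd")

# Constructed one-year validity window of the original code-signing certificate.
OLD_CERT = Cert("CN=Example Publisher", datetime(2006, 5, 1), datetime(2007, 5, 1))
T_SIGNED = datetime(2007, 3, 15)   # deployment published while the cert was valid
T_NOW = datetime(2007, 7, 3)       # client runs / checks for updates after expiry

def identity_token(manifest_xml: str) -> str:
    """publicKeyToken from the deployment manifest's assemblyIdentity element."""
    root = ET.fromstring(manifest_xml)
    return root.find(f"{{{ASM_V1}}}assemblyIdentity").get("publicKeyToken")

def signature_valid(cert: Cert, signed_at: datetime, timestamped: bool, now: datetime) -> bool:
    """Authenticode rule: a timestamped signature is judged at the signing time the
    timestamp attests to; an un-timestamped one at verification time."""
    check_time = signed_at if timestamped else now
    return cert.not_before <= check_time <= cert.not_after

def update_accepted(installed_manifest: str, update_manifest: str) -> bool:
    """Assumed ClickOnce identity check: same name and same publicKeyToken, so an
    update signed with a different key pair is treated as a different application."""
    old = ET.fromstring(installed_manifest).find(f"{{{ASM_V1}}}assemblyIdentity")
    new = ET.fromstring(update_manifest).find(f"{{{ASM_V1}}}assemblyIdentity")
    return old.get("name") == new.get("name") and \
        old.get("publicKeyToken") == new.get("publicKeyToken")

if __name__ == "__main__":
    print("runs after expiry, timestamped:", signature_valid(OLD_CERT, T_SIGNED, True, T_NOW))
    print("runs after expiry, no timestamp:", signature_valid(OLD_CERT, T_SIGNED, False, T_NOW))
    print("update with new key pair accepted:", update_accepted(INSTALLED_MANIFEST, UPDATE_MANIFEST))
```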

Stefanie Mehl

Jul 5, 2007, 6:50:01 AM
Hi Linda,

Thank you very much for your reply. I really hope that the Certificate
Authorities are going to realize that there is a need for that service,
because otherwise I'm afraid that ClickOnce won't be used very often or only
by companies who can issue their own certificates. Updates are often a very
important part of requirement specifications and I don't think that sending
out a completely new deployment package is going to meet that requirement.

Best regards,

Stefanie

Linda Liu [MSFT]

Jul 6, 2007, 5:35:37 AM
Hi Stefanie,

Thank you for your quick response.

> Updates are often a very important part of requirement specifications and
> I don't think that sending out a completely new deployment package is going
> to meet that requirement.

In my opinion, a ClickOnce update is a completely new deployment package
that has a newer version. When upgrading via ClickOnce, the previous
version is removed first and then the new version of application is
installed.

When the certificate expires, we can uninstall the previous version of
application manually first and install the new version. It's a little
trivial, but endurable. Do you agree with me?

Linda Liu [MSFT]

Jul 10, 2007, 7:43:35 AM
Hi Stefanie,

Have you seen my latest reply?

If you have any concerns, please feel free to let me know. In addition, you
can submit a suggestion or feedback on this issue in the Microsoft
connection web site:

http://connect.microsoft.com/

Thank you for using our MSDN Managed Newsgroup Support Service!

Walter Wang [MSFT]

Aug 20, 2007, 7:52:11 AM
Hi Stefanie,

Thanks for your update.

Linda has discussed your question with me (also after consulting your
question within our internal discussion list). We understand that your
current CA cannot provide certificate renewal services for you, therefore
your ClickOnce application's update scenario is not working well, since it
will require your end-user to uninstall the previous package and re-install.
You're wondering if there's any other workaround from the Visual Studio
side to make it work. I hope I haven't misunderstood your question.

We tried all possible resources at hand to consult and research this
issue; it seems we don't have such a workaround at the current moment. However,
our product group is very willing to get all kinds of feedback to improve
our products. Your feedback is very important for us. Linda and I will make
sure your opinion about our products is correctly recorded and forwarded
to the product group.

I also noticed you're new to the MSDN Managed Newsgroup (since June), so I also
want to express our welcome to you. I hope you will find this support
service useful for your project or business in future. If you have any
comments on our support service, website design, our product limitations,
our process, etc., please don't hesitate to let me know. I will do my
best to follow up.

Regards,
Walter Wang (waw...@online.microsoft.com, remove 'online.')
Microsoft Online Community Support

Stefanie Mehl

Jan 9, 2008, 11:48:03 AM
Hi,

I just had a look at Visual Studio 2008 and it says that the handling of
expired certificates has been improved, but I could not find out in how far
and what I have to do to make use of these improvements - is there any
further documentation I missed?

Best regards,

Stefanie

Linda Liu [MSFT]

Jan 11, 2008, 5:30:51 AM
Hi Stefanie,

This is a quick note to let you know that I'm performing research on this
issue. As soon as I get an answer, I will get it back to you.

I appreciate your patience!

Best Regards,

Linda Liu [MSFT]

Jan 15, 2008, 11:01:31 PM
Hi Stefanie,

I have spent several hours trying to find documentation about the
improvement of the handling of expired certificates. But unfortunately, I
didn't find any.

Perhaps the documentation on what to do to make use of these improvements
hasn't been written or published.

Let's keep an eye on this issue. If I get it later, I will inform you in
time.

Thank you for your understanding!

Sincerely,
