
How to: Add a Trusted Publisher to a Client Computer for ClickOnce Applications

With Trusted Application Deployment, you can configure client computers so that your ClickOnce applications run with a higher level of trust without prompting the user. The following procedures show how to use the command-line tool CertMgr.exe to add a publisher's certificate to the Trusted Publishers store on a client computer.

The commands you use vary slightly depending on whether the certificate authority (CA) that issued your certificate is part of a client's trusted root. A Windows client computer that is part of a domain holds a list of CAs that are considered trusted roots. This list is usually configured by the system administrator. If your certificate was issued by one of these trusted roots, or by a CA that chains to one of these trusted roots, you can add the certificate to the client's trusted root store. If, on the other hand, your certificate was not issued by one of these trusted roots, you must add the certificate to both the client's Trusted Root store and Trusted Publisher store.

Note:

You must add certificates this way on every client computer to which you plan to deploy a ClickOnce application that requires elevated permissions. You add the certificates either manually or through an application you deploy to your clients. You only need to configure these computers once, after which you can deploy any number of ClickOnce applications signed with the same certificate.

You may also add a certificate to a store programmatically using the X509Store class.

For an overview of Trusted Application Deployment, see Trusted Application Deployment Overview.

To add a certificate to the Trusted Publishers store under the trusted root

  1. Obtain a digital certificate from a CA.

  2. Export the certificate into the Base64 X.509 (.cer) format. For more information about certificate formats, see Importing and Exporting Certificates at http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_CMimportExport.asp.

  3. From the command prompt on client computers, run the following command:

    certmgr.exe -add certificate.cer -c -s -r localMachine TrustedPublisher

To add a certificate to the Trusted Publishers store under a different root

  1. Obtain a digital certificate from a CA.

  2. Export the certificate into the Base64 X.509 (.cer) format. For more information about certificate formats, see Importing and Exporting Certificates at http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_CMimportExport.asp.

  3. From the command prompt on client computers, run the following commands:

    certmgr.exe -add good.cer -c -s -r localMachine Root

    certmgr.exe -add good.cer -c -s -r localMachine TrustedPublisher
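
The Trusted Publishers import from the first procedure, done with the X509Store class mentioned earlier. This is an added example, not code from the original article; it goes beyond the procedure by checking the file against a thumbprint before trusting it. The class name AddPublisher and the expected-thumbprint argument are assumptions of this example.

```csharp
// Added example, not from the original article.
// Run elevated: AddPublisher.exe certificate.cer <expected-thumbprint>
using System;
using System.Security.Cryptography.X509Certificates;

static class AddPublisher
{
    static int Fail(string msg) { Console.Error.WriteLine(msg); return 1; }

    static int Main(string[] args)
    {
        if (args.Length != 2)
            return Fail("usage: AddPublisher <file.cer> <expected-thumbprint>");

        var cert = new X509Certificate2(args[0]);
        // The expected thumbprint is obtained from the publisher out of band,
        // so a swapped .cer file is rejected before it gains any trust.
        string expected = args[1].Replace(" ", "").ToUpperInvariant();
        if (cert.Thumbprint != expected)
            return Fail("thumbprint mismatch: file has " + cert.Thumbprint);
        if (cert.HasPrivateKey)
            return Fail("file contains a private key; deploy only the public certificate");
        if (DateTime.Now < cert.NotBefore || DateTime.Now > cert.NotAfter)
            return Fail("certificate is outside its validity period");

        // If the chain does not end in a root this machine already trusts,
        // the "different root" procedure applies. Stop and let an administrator
        // decide about the Root store instead of importing a root silently.
        var chain = new X509Chain();
        if (!chain.Build(cert))
            return Fail("chain not trusted here: " +
                (chain.ChainStatus.Length > 0 ? chain.ChainStatus[0].Status.ToString() : "unknown"));

        var store = new X509Store(StoreName.TrustedPublisher, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadWrite);   // needs administrator rights
        try
        {
            bool present = store.Certificates
                .Find(X509FindType.FindByThumbprint, cert.Thumbprint, false).Count > 0;
            if (!present) store.Add(cert);
            Console.WriteLine((present ? "already trusted: " : "added: ") + cert.Subject);
        }
        finally { store.Close(); }
        return 0;
    }
}
```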

Link Broken?
This link doesn't work. Isn't there a version of this document greater than 03?

Problem link in article:

http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_CMimportExport.asp
Corrections

This page doesn't really convey things correctly. The link to "Trusted Application Deployment Overview" is more correct.

Normally, the root CA certificate would be added to the Trusted Root Certification Authority container. If the CA is a domain CA, then typically the domain administrator would have pushed the root CA to all machines in the domain and thus nothing would need to be done with respect to the signing CA certificate.

The publisher certificate, however, would have to be added to the list of Trusted Publisher certificates.

These can both be done manually using the certmgr.msc MMC plug-in (Start | Run... | "certmgr.msc" + ENTER).