How to release a rights-enabled application

This topic describes the steps you need to take to release your rights-enabled application after you have finished developing it.

  • Request a Production License Agreement

    This step should be executed with ample lead time for your project because it can take several weeks for this process to complete.

  • Sign your Rights-enabled application
  • Installation options for Active Directory Rights Management Services Client 2.1


Before you can release an application developed by using the Active Directory Rights Management Services SDK 2.1, you must generate a public key pair, submit your public key to Microsoft, and sign a Production License Agreement to obtain a production certificate.

The production certificate and the pre-production certificate perform a similar function but are intended for use in different environments. Both contain a certificate chain with a Microsoft certification authority (CA) certificate at the root of trust, but the pre-production certificate is used only when developing an AD RMS application. The production certificate is used in post-release environments. The production certificate and the associated private key are used to create and sign a manifest that identifies the files that can or must be loaded into the process space of your application and those that must not be loaded.

For more information on keys, see How to run your application.


Step 1: Request a Production License Agreement

You must have a production certificate before you can release an application developed by using the Active Directory Rights Management (AD RMS) SDK. You can obtain the certificate by applying for a Production License Agreement.

  • Send an email message to and include the following information:
    • Full company name

    • Physical corporate address (include the city, state, country or region, and zip or postal code)
    • Corporate mailing address (include the city, state, country or region, and zip or postal code)
    • Company phone and fax numbers
    • Company URL
    • Country or region of incorporation
    • Application or product name
    • First and last name of the requester
    • Title or position of the requester
    • Email address of the requester

    Although an email account is not strictly required, the application process typically relies on email for communication. You can get a free email account at Microsoft If you do not have an account and do not want one, you can send a typewritten application to the following address:

    Active Directory Rights Management License Agreements (ADRMLA)

    Microsoft Corporation

    One Microsoft Way

    Redmond, WA 98052-6399

    When requesting an agreement, please do the following;

    • Submit the information, in English, as it should appear on the agreement.
    • Send all requested information. Missing or incomplete information can delay processing of your request.

    The Active Directory Rights Management Licensing Agreement (ADRMLA) team will respond to your emailed request within three business days, longer if you sent the request by using a postal service. The response will include the license agreement form and further instructions. Read, sign, and return all pages of the agreement to the ADRMLA team. Please do not change the fonts or reformat the paragraphs of the license agreement.

    Be sure to follow the instructions you receive from the ADRMLA team. The instructions list the items of digital information needed to fulfill your certificate request. By following the step-by-step instructions you will reduce delays.

    The ADRMLA team will forward your production certificate to you after it is created. The certificate is created based on the license agreement and digital information (including a public key) you provide. Please note that it may take up to 15 business days for the ADRMLA team to reply with your certificate by email, longer if communication is by postal service.

Step 2: Sign your rights-enabled application

This step assumes that you have already signed your application for pre-production hierarchy. If you have not already done so, go through the process described in How to run your application.

Once you have received the production certificate from Microsoft, you have the following files with you:

  • YourPrivateKey.dat
  • YourPublicKey.dat
  • ProductionCertificate.xml
Place them in the same directory with GenManifest.exe and your application binary (.exe).
  • The process below takes you through creating a new MCF file with production certificate:

    • Create a new directory and place files in that new directory. Use Notepad.exe to create an MCF file for your application. The file should have the following contents.
      req     .\\<yourappname>.exe
      PUBLICKEY .\\YourPublicKey.dat
    • Run the following command to sign your application:

      genmanifest.exe -chain ProductionCertificate.xml YourAppName.mcf

      If Genmanifest was successful, you'll see only the following text:

      Genmanifest v2.5 Copyright 2002-2003 Microsoft Corporation.

      If Genmanifest failed, you'll see an error message.

    • Your should always be placed in the same directory as YourAppName.exe.

Step 3: Installation options for AD RMS Client 2.1

Once you create your manifest file using a production certificate, your application is ready to be deployed. Given that you utilized AD RMS SDK 2.1, you will need AD RMS Client 2.1 to be deployed on the end-user machine.

AD RMS Client 2.1

The AD RMS Client 2.1 is software designed for your client computers to help protect access to and usage of information flowing through applications that use AD RMS whether installed on your premises or in a Microsoft datacenter.

The AD RMS Client 2.1 is not a Windows operating system component. The AD RMS Client 2.1 ships as an optional download which can be, with acknowledgment and acceptance of its license agreement, freely distributed with your third-party software to enable client access content that has been rights protected by use and deployment of AD RMS servers in your environment.


The AD RMS Client 2.1 is architecture specific and must match the architecture of your target operating system.

Hh995037.wedge(en-us,VS.85).gifAD RMS Client 2.1 installation choices

  1. Redistributing the AD RMS Client 2.1

    The recommended approach is to bundle AD RMS Client installer package with your application or solution using your preferred installation technology. The AD RMS Client can be freely redistributed and bundled with other applications and IT solutions.

    You can choose to install the AD RMS Client 2.1 interactively by starting the AD RMS Client 2.1 installer or silently install it. The integration steps will be:

    • Download AD RMS Client 2.1 installer
    • Integrate the AD RMS Client 2.1 installer run with your application installer

    Two good examples of integrating the AD RMS Client 2.1 with your application are the AD RMS SDK 2.1 installer package and the Right Protected Folder Explorer package. Try installing them yourself to understand the approach.

  2. Make AD RMS Client 2.1 a pre-requisite for your application install

    In this case, you will create a pre-requisite such that your application install will fail if AD RMS Client 2.1 is not present on the end-user machine.

    If the client is not present, provide an error message informing the user where they can download a copy of the AD RMS Client 2.1

    If the client is present, proceed with your application installation.



Send comments about this topic to Microsoft

Build date: 9/27/2013