Hi there, I'm a developer looking at introducing ClickOnce deployment for an internal .NET WinForms application that will be distributed via the corporate network.
Now, I would like to deploy this application under the full trust model; however, in order for that to happen I need to sign the software with a certificate. I can do that with a "test" certificate that has no information about the publisher etc.; however, that means an extra step will occur on the user's workstation where they will have to confirm that the software is OK.
So what I want to know is: is there a way I can get my IT infrastructure guys to create me an "internal" certificate from the domain's Certificate Authority, or do I have to go and pay for a certificate from somebody like VeriSign?
Thanks
Yes, you can create an internal certificate, and then an MS Group Policy can be set up whereby each computer in the domain automatically "trusts" any code signed with that certificate.
The Group Policy Item is:
In our case, we created an internal CA and put any certs made by that CA as trusted. I.e. it was in the Trusted Root Certification Authority section.
Your IT staff should be able to create a cert for you. As you said, it will not be completely trusted and the user will be prompted to trust the cert. For testing purposes this is a completely viable option. If you have a separate security team this may fall under their responsibility.
If they already have a PKI, I can't imagine that they would not have already created a trusted root infrastructure. Usually you deploy the certificate of the root CA in the default domain policy's Trusted Root Certification Authorities section.
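
A check to run on a workstation once the policy has applied, as an added example that is not part of the thread: it builds the chain for the internally issued signing certificate and reports whether it ends in a root the machine trusts. The `.cer` path is a hypothetical placeholder, and the Trusted Publishers lookup is an assumption about where the policy places the publisher certificate; the thread does not name that store.

```powershell
# Added example (not from the thread). Path below is a hypothetical placeholder.
param(
    [string] $CertPath = 'C:\temp\internal-codesign.cer'
)

$x509 = 'System.Security.Cryptography.X509Certificates'
$cert = New-Object "$x509.X509Certificate2" -ArgumentList $CertPath

# Does the certificate carry the Code Signing EKU (OID 1.3.6.1.5.5.7.3.3)?
$codeSigningOid = '1.3.6.1.5.5.7.3.3'
$eku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasCodeSigning = $false
if ($eku) {
    $hasCodeSigning = @($eku.EnhancedKeyUsages |
        Where-Object { $_.Value -eq $codeSigningOid }).Count -gt 0
}

# Build the chain with the machine's current trust stores and default policy.
$chain   = New-Object "$x509.X509Chain"
$chainOk = $chain.Build($cert)
$errors  = @($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })

# The last chain element is the root; check it is in the machine-wide root store,
# which is where a domain Group Policy deploys an internal root CA.
$rootThumb = $null
$rootInMachineStore = $false
if ($chain.ChainElements.Count -gt 0) {
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $rootThumb = $root.Thumbprint
    $rootInMachineStore = Test-Path "Cert:\LocalMachine\Root\$rootThumb"
}

# Assumption: the publisher certificate itself is distributed to Trusted Publishers.
$inTrustedPublishers = Test-Path "Cert:\LocalMachine\TrustedPublisher\$($cert.Thumbprint)"

[pscustomobject]@{
    Subject             = $cert.Subject
    Issuer              = $cert.Issuer
    NotAfter            = $cert.NotAfter
    HasCodeSigningEku   = $hasCodeSigning
    ChainBuilds         = $chainOk
    ChainErrors         = $errors -join '; '
    RootThumbprint      = $rootThumb
    RootInMachineStore  = $rootInMachineStore
    InTrustedPublishers = $inTrustedPublishers
}
```

If `ChainBuilds` is false with a revocation status, the workstation could not reach the internal CA's CRL distribution point, which is a separate problem from root trust.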