Silverlight 4 RC – Signing trusted apps with home made certificates

I wanted to ensure that I could try out the new feature in the Silverlight 4 RC around having trusted applications that have their XAPs signed.

Tim has a great post on this here

and Tim’s post includes the very important words;

If you want to take advantage of using the update features of Silverlight for your application (aka CheckAndDownloadUpdateAsync), then your application must be signed. If you do not sign your XAP for a trusted application it cannot auto-update.

so that’s definitely worth “bearing in mind”.

The right thing to do here is to go and get a proper code-signing certificate but I just wanted to experiment on my local machine and so made my own certificates.

I thought I’d write it down here as every single time I come to use the makecert tool it feels like I’m going back to the drawing board.

So, here’s what I did – no guarantee at all that this is correct but it seems to work which is all I needed for my purposes.

Firstly, make my own root certification authority certificate (mtaultyRootCA) with;

makecert -n "CN=mtaultyRootCA" -r -sv mtaultyRootCA.pvk mtaultyRootCA.cer

that will prompt for a password (three times: set it, confirm it, then enter it again when the key is used). The password protects the private key in mtaultyRootCA.pvk, so keep that file to yourself.

With that set up I then want to create a certificate which chains up to that authority and I did that with;

makecert -sk mtaultySigning -iv mtaultyRootCA.pvk -n "CN=mtaultySigning" -ic mtaultyRootCA.cer mtaultySigning.cer -sr currentuser -ss My

that will ask for the root CA password again (it uses mtaultyRootCA.pvk to sign the new certificate) and, because of -sr currentuser -ss My, it will also drop the mtaultySigning certificate, with its private key, into your personal certificate store.

Open up MMC, add the certificates snap-in for your own personal store (not the computer store) and you’ll see it in there under CurrentUser\Personal\Certificates.

By the way – I’d recommend not just copying that line up there because I’d imagine that in the future you will wonder why mtaulty has infiltrated your computer. I haven’t. You did it if you copied and pasted that line without changing a few names.

If you open that certificate in certmgr you'll see that it does not chain up nicely (the issuer is not trusted), so go to the CurrentUser\Trusted Root Certification Authorities store and import the first certificate that you made from the file (mine is called mtaultyRootCA.cer).

If you then revisit your signing certificate you should now see that it chains up to something that’s trusted.

Now, build a Silverlight application. Anything you like. Do File->New->Project and make a Silverlight application.

Within the project properties, switch on running out of the browser and, in the out-of-browser settings, require elevated trust.

now, add a post-build command to do your equivalent of (signtool's /n picks the certificate by subject name from your personal store, which is where makecert put it);

"%ProgramFiles%\Microsoft SDKs\Windows\v7.0A\Bin\signtool.exe" sign /v /n mtaultySigning $(TargetName).xap

then run your app and install it and you should see the verified trust installation dialog rather than the unverified one.
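Here's the whole procedure above as one PowerShell script, with a check at the end. This is an added example, not something from the original post: it assumes the Windows SDK 7.0A install location from the post-build command, and the certificate names and XAP path in the param block are placeholders you should change. Two flags are also added to the post's makecert commands and are noted as such in the comments: -cy authority on the root and -eku 1.3.6.1.5.5.7.3.3 (Code Signing) on the signing certificate.

```powershell
# Added example (not from the original post): runs the makecert / import /
# signtool steps end to end, then verifies the result.
# Assumptions: Windows SDK 7.0A in its default location; the three names below
# are placeholders you replace; the script runs in the folder that should
# receive the .pvk and .cer files.
param(
    [string]$RootName    = "MyTestRootCA",   # placeholder, pick your own
    [string]$SigningName = "MyTestSigning",  # placeholder, pick your own
    [string]$XapPath     = ".\MyApp.xap"     # placeholder path to the built XAP
)

$sdkBin   = Join-Path ${env:ProgramFiles} "Microsoft SDKs\Windows\v7.0A\Bin"
$makecert = Join-Path $sdkBin "makecert.exe"
$signtool = Join-Path $sdkBin "signtool.exe"

$rootPvk    = "$RootName.pvk"
$rootCer    = "$RootName.cer"
$signingCer = "$SigningName.cer"

# 1. Self-signed root CA (prompts for the .pvk password).
#    -cy authority is an addition to the post's command: it marks the
#    certificate as a CA rather than an end-entity certificate.
& $makecert -r -cy authority -n "CN=$RootName" -sv $rootPvk $rootCer
if ($LASTEXITCODE -ne 0) { throw "makecert (root) failed" }

# 2. Signing certificate chained to the root, dropped into CurrentUser\My.
#    -eku 1.3.6.1.5.5.7.3.3 (Code Signing) is also an addition, so the
#    certificate is only good for signing code.
& $makecert -sk $SigningName -iv $rootPvk -ic $rootCer -n "CN=$SigningName" `
            -eku 1.3.6.1.5.5.7.3.3 -sr currentuser -ss My $signingCer
if ($LASTEXITCODE -ne 0) { throw "makecert (signing) failed" }

# 3. Trust the root: same import the post does by hand in certmgr.
#    Windows shows a confirmation dialog before adding anything to Root.
$root  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (Resolve-Path $rootCer).Path
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store "Root", "CurrentUser"
$store.Open("ReadWrite")
$store.Add($root)
$store.Close()

# 4. Check the signing certificate now chains to a trusted root.
#    Revocation checking is off because these test certificates carry no CRL
#    distribution point, which would otherwise make the chain build fail.
$my = New-Object System.Security.Cryptography.X509Certificates.X509Store "My", "CurrentUser"
$my.Open("ReadOnly")
$signing = $my.Certificates | Where-Object { $_.Subject -eq "CN=$SigningName" } | Select-Object -First 1
$my.Close()
if (-not $signing) { throw "signing certificate not found in CurrentUser\My" }

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = "NoCheck"
if (-not $chain.Build($signing)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
    throw "signing certificate does not chain to a trusted root"
}

# 5. Sign the XAP (the post's post-build command) and verify it.
#    /pa selects the Authenticode policy; without it signtool verify applies
#    the Windows driver policy and rejects anything not signed for drivers.
& $signtool sign /v /n $SigningName $XapPath
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed" }
& $signtool verify /pa /v $XapPath
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed: the XAP is not trusted on this machine" }
Write-Host "Signed and verified: $XapPath"
```

Run it once per machine to create and trust the certificates; afterwards only the signtool sign line is needed (which is what the post-build command does). A signature that passes signtool verify /pa here is trusted only on machines where the home-made root has been imported, which is exactly why the post says a proper code-signing certificate is the right thing for anything beyond local testing.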

Update 1 – I spent a little while on this post and then realised that John’s document had the detail in it all along. That’s +1 for John’s document and –1 for me for not remembering that he’d already written it up.