In-house Trusted Certificate

Question

Hi there I'm a developer looking at introducing ClickOnce deployment for an internal .NET Winforms application that will be distributed via the corporate network.

Now I would like to deploy this application under the full trust model however in order for that to happen I need to sign the software with a certificate. I can do that with a "test" certificate that has no information of the publisher etc, however that means an extra step will occur on the users workstation where they will have to confirm that the software is OK.

So what I want to know is. is there a way I can get my IT Infrastructure guys to create me a an "internal" certificate from the domains Certificate Authority, or do I have to go and pay for a certificate from somebody like VeriSign?

Thanks

I'm more than capable of deciding when it is an appropriate time given my circumstances to ask a question thank you. — MrEdmundo, May 19 '10 at 07:50

score 6 · Answer 1 · answered May 18 '10 at 16:35

6

Yes, you can create an internal certificate and then a MS Group Policy can be setup whereby each computer in the domain automatically "trusts" any code signed with that certificate.

The Group Policy Item is:

Computer Configuration -> Windows Settings -> Security Settings -> Public Key Policies

In our case, we created an internal CA and put any certs made by that CA as trusted. I.e. it was in the Trusted Root Certification Authority section.

answered May 18 '10 at 16:35

Scott Lundberg

2,364
2
14
22

That sounds exactly what I'm after. Thank you for pointing me in the right direction! – MrEdmundo May 18 '10 at 16:39

score 0 · Answer 2 · answered May 18 '10 at 16:33

0

Your IT staff should be able to create a cert for you. As you said it will not be completely trusted and the user will be prompted to trust the cert. For testing purposes this is completely viable option. If you have a separate security team this may fall under their responsibility.

answered May 18 '10 at 16:33

I'm talking about the production environment and I don't want the users to have to trust the cert. I'm able to create a test cert, it's a trusted cert on the network I'm interested in. Thanks – MrEdmundo May 18 '10 at 16:35

score 0 · Answer 3 · answered May 18 '10 at 18:51

0

if they already have a PKI I can't imagine that they would not have already created a trusted root infrastructure. Usually you deploy the certificate of the root CA in the default domain policy's trusted root certification autorities section.

answered May 18 '10 at 18:51

Jim B

23,938
4
35
58

In-house Trusted Certificate

3 Answers3

Linked