This post’s for me, since I’ve occasionally had to look this up.

Here are the two command lines of code needed to create a long-lasting, untrusted ClickOnce certificate. You run this using the Visual Studio command prompt. I recommend putting the certificate info in a separate folder, documenting the procedure and passwords, and storing in version control. The purpose isn’t deep security, it’s letting the apps install and run with minimal fuss.

C:\MakeCertDemo> makecert -sv MyClickOnce.pvk -n "CN=MY ClickOnce" MyClickOnce.cer -b 08/01/2015 -e 12/31/2100 -r
C:\MakeCertDemo> pvk2pfx -pvk MyClickOnce.pvk -spc MyClickOnce.cer -pfx MyClickOnce.pfx -po X0PASS!

The –r switch is required to ensure the certificate’s length is greater that 1024 bits, otherwise Windows will refuse the ClickOnce installation. Older articles about using MakeCert omit that.

The development certificate created by Visual Studio when publishing a ClickOnce application lasts just a year. You can get with your network admin to create a domain-level certificate for internal publishing, if you have Windows Enterprise Server. Or buy a Verisign certificate for trusted public publishing. But often, small businesses just need to publish internal apps with little fanfare. The app developers need:

  1. A long-lasting certificate
  2. To not discover they don’t know the original certificate password (“Hey, who wrote this? Know password? OK, I’ll create a new certificate.”)
  3. Consistency


Certificate Expiration in ClickOnce Deployment

Stack Overflow