ClickOnce certificate expiration

I just heard about a pretty nasty “bug” with ClickOnce. Well it isn’t an actual bug but still a nasty problem to run into.

The problem is actually with the certificate used to sign a ClickOnce installer. When you create a new ClickOnce installer Visual Studio will automatically generate the required certificate for you. And the intention was that this was only a temporary certificate and that a developer would replace it with a real one. Now it turns out that most people, including me, think there is only a single advantage to using a real and that is the claim that the certificate is from an untrusted publisher. Well that is only a warning most people ignore anyway so why bother with the real certificate.

Well it turns out there is a second, much larger, disadvantage to using the generated certificate. And that is the fact that it is only valid for a single year. And after that year the ClickOnce installation will stop downloading new updates.

More information, including a workaround, can be found here.

Thanks to Eric Knox and Cory Smith for pointing this out.


7 thoughts on “ClickOnce certificate expiration

  1. You’ll still need this KB article, because certificates granted by third parties are also not valid for more than two or three years, generally, so they will expire while you’re still trying to provide updates.

  2. Good point, so you better make sure you get a certificate with an expiration date far in the future. After all your application is going to be successfully used for a long time right [:)]

  3. Yeahbut….

    When you get a new certificate, the ClickOnce install counts as a whole new program that just so happens to have the same name, doesn’t it? Which means all the existing users have to re-do their settings all over again.

  4. I had the same problem, but uninstalling didn’t even help. I finally figured out that it was because MIS had taken away my admin permissions, and so I had to change publishing location to the server, whereas I previously was publishing it from my computer. however, I still had my computer’s address in the update location. Clicking on Updates on the Publish tab, I then deleted the address in the update location, and it fixed the problem.

  5. why not generate a 100 years cert file from your own for internal use only? you can use ‘makecert’ to do it

Leave a Reply

Your email address will not be published. Required fields are marked *