Security Certificates, Trusted Publishers, and ClickOnce Apps

The real author of this entry is Steve Grinker (he doesn't have a blog yet; I'm trying to convince him to get one here). By the way, Steve, yes, your name is going to be prominently displayed until you do get a blog. So you might as well get one so I stop nagging you.

Issue: We have an internally written ClickOnce application with signed InfoPath forms. If we put the cert in a GPO, it would be added to the "Trusted Root Certification Authorities" store and trusted by the application, but once a user opened one of the signed InfoPath forms, they were prompted with an error that resolved to the form not being properly trusted. We needed a way to automatically get the cert into the "Trusted Publishers" store. Since this solution took several people on my team, the internal development team, and a call to MS, we're blogging it.

Resolution: Run this script as an SMS advertisement in the system context. The source folder contains four files: the VBScript itself, certadm.dll and certutil.exe (copied from our cert server), and the certificate.cer file.

The script copies certadm.dll to the local computer's system32 folder, registers the DLL, and then runs this command:

certutil.exe -enterprise -addstore "TrustedPublisher" certificate.cer

That places the .cer in the Trusted Publishers store, so the end user no longer gets a prompt, either from the ClickOnce app or when launching an individual InfoPath form.

' Keep going if the copy or registration fails; certutil's exit code is still returned below
On Error Resume Next
Set sho = WScript.CreateObject("WScript.Shell")
Set FSO = CreateObject("Scripting.FileSystemObject")
' Folder the script was launched from (the SMS package source)
strCurrentDir = Left(WScript.ScriptFullName, InStrRev(WScript.ScriptFullName, "\") - 1)
' GetSpecialFolder(1) is the system32 folder
strSysFolder = FSO.GetSpecialFolder(1).Path
' Copy the DLL to the system folder
FSO.CopyFile strCurrentDir & "\certadm.dll", strSysFolder & "\"
' Register the DLL silently, hidden window, and wait for regsvr32 to finish
sho.Run "cmd.exe /c regsvr32.exe /s " & Chr(34) & _
    strSysFolder & "\certadm.dll" & Chr(34), 0, vbTrue
' Add the certificate to the enterprise Trusted Publishers store (paths quoted in case they contain spaces)
intRet = sho.Run(Chr(34) & strCurrentDir & "\certutil.exe" & Chr(34) & " -enterprise -addstore " & Chr(34) & _
    "TrustedPublisher" & Chr(34) & " " & Chr(34) & strCurrentDir & "\certificate.cer" & Chr(34), 0, vbTrue)
' Hand certutil's exit code back to SMS
WScript.Quit(intRet)

FYI, the production script also contains some registry key tags I'm tracking with a MOF edit, so we can target computers that haven't registered the cert yet, but that's not pertinent to this blog entry.
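As an added example (not from the original post or the team's production script), here is a PowerShell equivalent of the deployment step that checks the LocalMachine Trusted Publishers store by thumbprint first, so it can be re-run safely on computers that already have the cert, and verifies the import before returning an exit code for SMS. It assumes PowerShell 2.0 or later, that certificate.cer sits next to the script, and that it runs as SYSTEM or an administrator; the $CertFile parameter and function names are my own.

```powershell
# Added example, not part of the original post. Assumes: PowerShell 2.0+ (.NET X509Store,
# no PKI module needed), certificate.cer beside the script, run as SYSTEM/administrator.
param(
    [string]$CertFile = (Join-Path (Split-Path -Parent $MyInvocation.MyCommand.Path) 'certificate.cer')
)
$ErrorActionPreference = 'Stop'

# Look up a certificate in the machine-wide Trusted Publishers store by thumbprint.
function Get-TrustedPublisherCert {
    param([string]$Thumbprint)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('TrustedPublisher', 'LocalMachine')
    $store.Open('ReadOnly')
    try {
        return $store.Certificates | Where-Object { $_.Thumbprint -eq $Thumbprint }
    } finally { $store.Close() }
}

# Import the .cer only if it is missing, then confirm it landed. Returns 0 on success, 1 on failure.
function Install-TrustedPublisherCert {
    param([string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)

    # Trusted Publishers should hold the leaf code-signing cert only: a CA cert placed here
    # would make everything issued under that CA run without prompts.
    $basicConstraints = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
    if ($basicConstraints -and $basicConstraints.CertificateAuthority) {
        throw "Refusing to add CA certificate $($cert.Thumbprint) to Trusted Publishers"
    }

    if (Get-TrustedPublisherCert $cert.Thumbprint) {
        Write-Output "Already present: $($cert.Subject) ($($cert.Thumbprint))"
        return 0
    }

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('TrustedPublisher', 'LocalMachine')
    $store.Open('ReadWrite')
    try { $store.Add($cert) } finally { $store.Close() }

    # Verify rather than trust the Add() call; SMS reads the exit code to decide success.
    if (Get-TrustedPublisherCert $cert.Thumbprint) {
        Write-Output "Installed: $($cert.Subject) ($($cert.Thumbprint))"
        return 0
    }
    return 1
}

exit (Install-TrustedPublisherCert -Path $CertFile)
```

This writes to the LocalMachine physical store rather than the enterprise store that the post's certutil -enterprise call targets; both are merged into the machine's effective Trusted Publishers list that ClickOnce and InfoPath consult.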

Supposedly this might all get easier with Vista and Server 2008, but per Microsoft there is currently no way to do this with a GPO on XP. We even tried some updated ADM files, with no positive results.

Published Friday, June 20, 2008 4:24 PM by skissinger
