R – Do we need to install Intermediate Code Signing cert for full trust XBAP/ClickOnce app

certificate, code-signing, full-trust, visual-studio-2008, xbap

We are creating a Full-Trust XBAP application and it needs to be installed/executed remotely outside of the customer's domain. In order to accomplish this we have purchased a Thawte code-signing certificate. We have used the spc and pvk from Thawte to create the pfx file for code-signing in VS 2008 on our XBAP.

We import the pvx/cert onto each of our users' machines into their Trusted Publishers and Trusted Root Certification Authorities stores as needed to execute a Full-Trust XBAP. However, each user is unable to download/execute the XBAP due to "not granting privileges to the XBAP application," which is indicative of a certificate not being installed.

We are able to resolve this by importing the Thawte Code Signing CA certificate from Thawte's web site onto each user's machine. We need to know if this is the proper method for doing this or if we are missing something with using Thawte code-signing certs for XBAP/ClickOnce applications. Do we have to have this Thawte intermediate cert installed on each machine? Or is there a workaround to get our base pvx/cert to work alone?

Best Answer

I would start by verifying that you have your WPF application signed as such:


As you can see, my application is signed with my custom certificate that will expire in 100 years.

You would then, as you have stated, need to install the certificate into each user's certificate store under the Trusted Publishers and Trusted Root Certification Authorities. This allows the user's system to authenticate that they have permission to access the application.
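To see which certificates in the signing chain a client machine actually has, the following added example (not part of the original question or answer) builds the chain for the publisher certificate and reports the store each element was found in. The file name `publisher.cer` is a placeholder for the exported public certificate, and the list of stores checked is an assumption of this sketch.

```powershell
# Added diagnostic example; run on a client machine.
# Placeholder: public part of the code-signing certificate, exported without the private key.
$certPath = (Resolve-Path '.\publisher.cer').Path

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $certPath

# Build the chain without revocation checks, so the result reflects
# which issuer certificates Windows can locate rather than CRL reachability.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$built = $chain.Build($cert)

# Stores relevant to a full-trust XBAP/ClickOnce publisher check:
# Root = Trusted Root Certification Authorities, CA = Intermediate Certification Authorities.
$stores = @(
    'Cert:\CurrentUser\TrustedPublisher', 'Cert:\LocalMachine\TrustedPublisher',
    'Cert:\CurrentUser\CA',               'Cert:\LocalMachine\CA',
    'Cert:\CurrentUser\Root',             'Cert:\LocalMachine\Root'
)

$report = foreach ($element in $chain.ChainElements) {
    $c = $element.Certificate
    # The certificate provider addresses entries by thumbprint.
    $foundIn = @($stores | Where-Object { Test-Path "$_\$($c.Thumbprint)" })
    [pscustomobject]@{
        Subject    = $c.Subject
        Issuer     = $c.Issuer
        Thumbprint = $c.Thumbprint
        FoundIn    = if ($foundIn.Count) { $foundIn -join ', ' } else { '(none of the checked stores)' }
        Status     = ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

"Chain built successfully: $built"
$report | Format-List

# Overall chain problems, e.g. PartialChain (an issuer could not be found)
# or UntrustedRoot (the chain ends in a root that is not trusted).
$chain.ChainStatus | ForEach-Object { '{0}: {1}' -f $_.Status, $_.StatusInformation.Trim() }
```

If the output lists only the publisher certificate and reports `PartialChain`, the machine could not locate the issuing CA certificate.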
