VSTO ClickOnce Solution signed with certificates issued by an Intermediate Certificate Authority shows Unknown Publisher. Other ClickOnce deployed applications cannot display the certificate chaining hierarchy.
This article has been archived. It is offered "as is" and will no longer be updated.
Source: Microsoft Support
RAPID PUBLISHING ARTICLES PROVIDE INFORMATION DIRECTLY FROM WITHIN THE MICROSOFT SUPPORT ORGANIZATION. THE INFORMATION CONTAINED HEREIN IS CREATED IN RESPONSE TO EMERGING OR UNIQUE TOPICS, OR IS INTENDED SUPPLEMENT OTHER KNOWLEDGE BASE INFORMATION.
When you try to deploy a Visual Studio Tools for Office system (VSTO) Version 3.0 solution with a certificate issued by an Intermediate Certificate Authority, end users will see an Trust Prompt with "Unknown Publisher" even though the component is duly signed with a Certificate that chains up to a Root Certificate Authority.
The same certificate can be used to sign an executable application like Winforms or WPF application deployed through ClickOnce and the Trust Prompt for these applications will be able to verify the publisher identity successfully. However, if you try to view the certificate details for these applications types, the certificate chain hierarchy will not be visible and the Certificate Status in the details window will display "The issuer of this Certificate could not be found."
The VSTO v3.0 Runtime (including 3.0 SP1) cannot verify a publisher’s identify for certificates that chain to a Trusted Certificate Authority via an Intermediate Certificate Authority. This is a limitation in the underlying API used by the VSTO v3.0 Runtime and does not affect the ClickOnce deployment of other types of applications.
While the Trust Prompt for an executable application like Winforms or WPF application can successfully display the Publisher Name, the details dialog associated with these application types has a similar limitation dealing with certificates issued by Intermediate Certificate Authorities and cannot completely construct the certificate chain hierarchy back to the Root Certificate Authority.
The workaround to this issue is to include the Intermediate Certificate Authorities’ certificate on all end user machines where the application will be installed. As of now the issue is reported only with the handling of Thawte certificate and would require that Thawte intermediate certificate be installed on the end users machine.
MICROSOFT AND/OR ITS SUPPLIERS MAKE NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY, RELIABILITY OR ACCURACY OF THE INFORMATION CONTAINED IN THE DOCUMENTS AND RELATED GRAPHICS PUBLISHED ON THIS WEBSITE (THE “MATERIALS”) FOR ANY PURPOSE. THE MATERIALS MAY INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHICAL ERRORS AND MAY BE REVISED AT ANY TIME WITHOUT NOTICE.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, MICROSOFT AND/OR ITS SUPPLIERS DISCLAIM AND EXCLUDE ALL REPRESENTATIONS, WARRANTIES, AND CONDITIONS WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING BUT NOT LIMITED TO REPRESENTATIONS, WARRANTIES, OR CONDITIONS OF TITLE, NON INFRINGEMENT, SATISFACTORY CONDITION OR QUALITY, MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, WITH RESPECT TO THE MATERIALS.