ClickOnce certificates

1. You must sign your ClickOnce manifests with an Authenticode certificate. VS 2005 will do this for you when you publish an application.
2. Authenticode certificates are not the same thing as an SSL certificate or an X509 client certificate used for authentication purposes, even though they are all based on the same technology.
3. You can generate your own certificate using Visual Studio, or the makecert command line utility. In this case, you are both the publisher represented by the certificate and the certificate issuing authority. You will sometimes see this referred to as a self-signed certificate.
4. A third party issued certificate (i.e. Verisign, Thawte) is the preferred approach. These companies are already configured in Windows as trusted root certificate authorities (CA), and because they are third party verified, there is an additional level of implied trust associated with them.
5. If you are part of a large enterprise domain and you have a domain CA, that CA can issue you a publisher cert for your domain that you can use, and your publisher certificate can be pushed out to client machines through group policy or SMS.
6. If user prompting is acceptable for elevating privileges (based on the permissions requested by the application in its manifest and the permissions that would be granted by code access security based on the launch URL), then there is no need to install any certificates on the client side.
7. If you want to avoid user prompting, you need to install your publisher certificate in the Trusted Publishers store on the client machine.
8. At runtime, certificate checks are only done against the local certificate stores on the client machine. Specifically, the certificate used to sign the manifests is checked for in the Trusted Publishers store, and the issuer of that certificate is checked for in the Trusted Root Certificate Authorities store.

FAQ

Code Signing CA certificate missing from Windows Trusted CA certs when viewing certificate during runtime
Code Signing CA certificate missing from Windows Trusted CA certs when viewing certificate during runtime "Windows does not have enough information to verify this certificate" appears in the general tab when viewing the certificate during runtime, although certificate root chain is formed in the signed file. No error message when running the signed code, however when viewing the certificate, the Thawte Code Signing CA certificate is missing from certificate chaining in the Certificate Path tab. Error: "Windows does not have enough information to verify this certificate"

Cause
It appears that when running a file signed correctly via ClickOnce, this issue occurs because the machine does not have the certificate in the trusted publishers. However as the top root certificate is present in the browsers, so it is trusted.

Resolution
Note: With regards to this issue, the signed file will run without any problem. When viewing the properties of the signed code (Properties > Digital Signatures > Details > View Certificate) the code is signed correctly. The warning message occurs when viewing the certificate during the security warning during runtime.

At runtime, certificate checks are only done against the local certificate stores on the client machine. Specifically, the certificate used to sign the manifests is checked for in the Trusted Publishers store, and the issuer of that certificate is checked for in the Trusted Root Certificate Authorities store.

To show the entire chain of the certificate during runtime, the intermediate certificate will need to be manually installed into the client machine, into the Trusted Publisher's store that will run the signed code.

For Configuring ClickOnce Trusted Publishers please view the Brian Noyes, Microsoft MVP article