3

If a certificate is from a CA (e.g. GoDaddy, Verisign), does the certificate need to be installed on a client machine?

I have a Silverlight application that needs elevated privileges and will be installed on numerous client sites. I'm also trying to minimize the installation at each of the sites (100s of deployments per site with the application hosted locally at each site).

I believe the registry changes can be deployed via a group policy update.

If the certificate still needs to be deployed, is there value in having a certificate from a CA over a self-signed application when the primary goal is minimizing local site administration?

Jim Rush
  • MerickOWA's answer below is correct. My question, however, didn't address what I needed due to a lack of understanding of public keys, private keys and the file formats. I was trying to understand if I was supposed to distribute the same certificate I used for signing, which didn't seem correct. What I was missing was what was in the pfx certificate file, and how to export the public certificate and distribute it. http://stackoverflow.com/questions/2292495/what-is-the-difference-between-a-cer-pvk-and-pfx-file is a worthwhile starting point. – Jim Rush Jul 11 '12 at 17:10

1 Answer

4

Yes, if a certificate is from a CA, the certificate does need to be installed on the client machine. That said, however, Microsoft already installs many root certificates and keeps this list up to date with Root Certificate updates. See the Root Certificate Membership List

GoDaddy and Verisign are currently a part of this list, so doing an extra step should be unnecessary on a computer which is up-to-date. This is not always the case, so it still might be required on some machines.

All that said, to run Silverlight in elevated privilege mode, the user must simply click that they 'trust' the application at install time. See MSDN Trusted Applications

Taking the time to get a signature from a CA only buys your users a bit of extra peace of mind when they click the button, as they will see this:

Verified publisher

Instead of:

Unverified publisher

If the goal is minimizing local site administration, then I don't see that going through the trouble of getting a certificate to sign your application would meet that goal; it's only there to help provide some security for your users, which doesn't sound like it would be an issue.

jv42
MerickOWA
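The check behind the answer and the asker's follow-up comment, as an added example (not code from the original post): export the public certificate from the signing .pfx without its private key, then test whether the current machine already trusts the chain. The file names are placeholders, and revocation checking is switched off here so the check runs offline.

```powershell
# Added example. $PfxPath and $CerPath are hypothetical file names.
param(
    [string]$PfxPath = '.\signing.pfx',        # signing certificate WITH private key; never distribute this
    [string]$CerPath = '.\signing-public.cer'  # output: public certificate only, safe to distribute
)

$x509 = 'System.Security.Cryptography.X509Certificates'

# .NET resolves relative paths against the process directory, not the
# PowerShell location, so convert both paths to full paths first.
$pfxFull = (Resolve-Path -LiteralPath $PfxPath).Path
$cerFull = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($CerPath)

$password = Read-Host -Prompt 'PFX password' -AsSecureString
$signing  = New-Object "$x509.X509Certificate2" -ArgumentList $pfxFull, $password

# X509ContentType 'Cert' writes the DER-encoded certificate alone: no private key.
$certOnly = [System.Enum]::Parse([type]"$x509.X509ContentType", 'Cert')
[System.IO.File]::WriteAllBytes($cerFull, $signing.Export($certOnly))

# Reload the exported file and confirm the private key did not come along.
$public = New-Object "$x509.X509Certificate2" -ArgumentList $cerFull
if ($public.HasPrivateKey) { throw 'Exported file still carries a private key.' }
Write-Host "Exported $($public.Subject) (thumbprint $($public.Thumbprint)) to $cerFull"

# Build the chain against this machine's certificate stores.
$chain = New-Object "$x509.X509Chain"
$chain.ChainPolicy.RevocationMode = [System.Enum]::Parse([type]"$x509.X509RevocationMode", 'NoCheck')
$trusted = $chain.Build($public)

$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
Write-Host "Chain ends at: $($root.Subject)"

if ($trusted) {
    Write-Host 'Chain is trusted on this machine: no certificate needs to be installed here.'
} else {
    # UntrustedRoot is the expected status for a self-signed certificate or for
    # a CA root that is missing from this machine's Trusted Root store.
    foreach ($status in $chain.ChainStatus) {
        Write-Host "Chain problem: $($status.Status) - $($status.StatusInformation.Trim())"
    }
    Write-Host 'This machine would need the root (or the self-signed certificate) deployed to it.'
}
```

Run on a representative client machine, the result shows whether that site needs any certificate deployment at all.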