Solved: ClickOnce publish failing with a valid certificate

For the past 22 months, we’ve been publishing using ClickOnce to the same path, using the same certificate, with no problems. This week, problems found us:

C:\Windows\Microsoft.NET\Framework\v3.5\Microsoft.Common.targets (3652,9): error MSB3482: An error occurred while signing: Failed to sign . SignTool Error: The signer’s certificate is not valid for signing. SignTool Error: An error occurred while attempting to sign:

The usual problem here is an expired certificate, but the certificate we’re using was created in December 2010 and expires in the year 2039, so we knew expiration wasn’t a problem. The certificate file itself was also known to be valid; it was stored in our Subversion repository and hadn’t changed since the day it was created.

We called Microsoft (free support using our MSDN subscription). We spent about four hours working with them, creating test certificates, creating new certificates, trying to publish, with mixed and inconsistent results. We were told to use a new certificate because our current certificate was deemed corrupt. (When I asked what corrupt means, I was told it means the certificate file is bad. When I said that the MD5 hash of the certificate file was identical to the MD5 hash of the file created nearly two years ago and that it was stored in source control, I was told it was “bad” not corrupt. Semantics. Whatever.)

I seem to have fixed the problem this morning. It wasn’t the certificate. It wasn’t the path. Frankly, I don’t know what it is. I only know what steps I took before the point at which everything started publishing normally, as it had for the past 22 months.

Here’s what I did: I verified that every project in the solution has the same target platform (x86), .NET Framework version (3.5), and correct assembly information (some had default copyright information, some had autogenerated version numbers where we expected After doing that and rebuilding, the ClickOnce publish worked as it did before, with the same old certificate, and clients behaved as expected (upgrading according to ClickOnce settings).

It makes no sense, because none of those settings were changed from our last good ClickOnce publish. Either way, it fixed the problem. Hopefully, it’ll help fix yours, if and when this annoying problem comes up.

Create your own .pfx file for ClickOnce

Today, I needed a PFX (public key file) to sign a ClickOnce deployment. I spent a fair amount of time trying to figure this out, so I figured I’d share it!

There were plenty of suggested solutions out there, but the best one was from MSDN blogger Maxime Lamure.

In short, do the following, replacing MyCert with the certificate file name (without extension), MyName with the name you want on the certificate (your name, or a company name), and password with the PFX file password.

  1. Open a Visual Studio Command Prompt. If using Windows Vista or Windows 7, be sure to run as Administrator.
  2. Create your certificate (.cer) file by typing: makecert -sv MyCert.pvk -n "CN=MyName" MyCert.cer
  3. Create your public key (.pfx) file by typing: pvk2pfx -pvk MyCert.pvk -spc MyCert.cer -pfx MyCert.pfx -po password

At the end, you’ll have your very own certificate file and public key!
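
Before pointing ClickOnce at the new file, it helps to confirm that the PFX opens with the password and that the certificate inside is usable for signing. The PowerShell script below is an added example, not part of the original post or of Maxime Lamure's instructions; it assumes the MyCert.pfx and password placeholders from the steps above, and the helper name Get-SigningCertProblem is made up for illustration.

```powershell
# Added example: sanity-check a PFX before using it to sign a ClickOnce deployment.
# MyCert.pfx and password are the placeholders from the steps above.
using namespace System.Security.Cryptography.X509Certificates
param(
    [string]$PfxPath     = '.\MyCert.pfx',
    [string]$PfxPassword = 'password'
)

$CodeSigningOid = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning

# Hypothetical helper: emits one string per problem found, nothing if the cert looks usable.
function Get-SigningCertProblem {
    param([X509Certificate2]$Cert)
    $now = Get-Date

    if (-not $Cert.HasPrivateKey) { 'PFX contains no private key' }
    if ($now -lt $Cert.NotBefore) { "not valid before $($Cert.NotBefore.ToString('yyyy-MM-dd'))" }
    if ($now -gt $Cert.NotAfter)  { "expired on $($Cert.NotAfter.ToString('yyyy-MM-dd'))" }

    # Enhanced Key Usage: absent means unrestricted; if present it must list Code Signing.
    $eku = $Cert.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] } |
           Select-Object -First 1
    if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $CodeSigningOid })) {
        'Enhanced Key Usage is present but does not include Code Signing'
    }

    # Key Usage: if present it must allow digital signatures.
    $ku = $Cert.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] } |
          Select-Object -First 1
    if ($ku -and -not $ku.KeyUsages.HasFlag([X509KeyUsageFlags]::DigitalSignature)) {
        'Key Usage is present but does not include DigitalSignature'
    }
}

# A wrong password or an unreadable file throws here, which is itself a useful result.
$cert = [X509Certificate2]::new((Resolve-Path $PfxPath).Path, $PfxPassword)

"Subject    : $($cert.Subject)"
"Thumbprint : $($cert.Thumbprint)"
"Valid      : $($cert.NotBefore.ToString('yyyy-MM-dd')) to $($cert.NotAfter.ToString('yyyy-MM-dd'))"

$problems = @(Get-SigningCertProblem -Cert $cert)
if ($problems.Count -eq 0) {
    'No problems found: private key present, dates current, usages allow signing.'
} else {
    $problems | ForEach-Object { "PROBLEM: $_" }
    exit 1
}
```

Recording the thumbprint it prints alongside the file in source control gives you something more specific than a file hash to compare against if a publish ever starts failing.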