views: 534

answers: 2

Hello,

I might have another question about SSL.

I have a Smart Client and I deploy it using ClickOnce. In this Smart Client application, I call an HTTPS Web Service. So I need to install a certificate into Trusted Root Certification Authorities to get access to this HTTPS Web Service.

Let's say that I want to keep it fully "ClickOnce", meaning that I do not want to have to do anything on the client machine except run the ClickOnce, i.e. I do not want to have to install the certificate on the client machine manually (or otherwise), but I want it installed prior to the Smart Client. I would include it in the package and it would be the first thing to be installed.

My problem is:

As I read on the Internet, there is no way I could install a "Trusted Root Certification Authorities" certificate without having Admin Rights on the client machine.

Is it right?

If it's right, do you see another solution to achieve this goal, or is it just not possible?

Thank you in advance.

+1  A: 

is it right?

Yes, assuming you mean "is that correct?" You cannot install certificates on a client machine without admin rights because that would undermine the whole purpose of the certificate concept. Untrusted certificates can't magically become trusted without explicit action from the user.

I guess, If I get a CA from one of the Root Certification Authorities which are already in the Trusted Root Certification Authorities (Thawte,...) , it should work ?

I'm assuming by "CA" you actually mean "certificate." CA stands for Certificate Authority. Thawte, Verisign, etc. ARE Certificate Authorities. You obtain certificates from Certificate Authorities. And the answer is yes, that will work because (you said it) they are already trusted by virtually everyone in the world.

James Jones
A: 

I'm not 100% sure that this will work for you, but for our unit tests, where we communicate through our web service with https (which on the dev machines does not have a cert that is issued by a CA), we do this:

In the client, we call this static method (we are using web services with WSE3, not sure if this depends on that):

    using System;
    using System.Net;
    using System.Net.Security;
    using System.Security.Cryptography.X509Certificates;

    internal static class TestCertificateTrust
    {
        // Hooks a process-wide callback into ServicePointManager so that every
        // HttpWebRequest-based client in this process uses
        // ValidateServerCertificate instead of the default chain check.
        private static void DisableCertificateChainCheckingForTestCertificateCompatibility()
        {
            ServicePointManager.ServerCertificateValidationCallback = 
               new RemoteCertificateValidationCallback(
                  ValidateServerCertificate);
        }

        internal static bool ValidateServerCertificate(
            object sender,
            X509Certificate certificate,
            X509Chain chain,
            SslPolicyErrors sslPolicyErrors)
        {
            // Certificate chained to a trusted root and matched the host name.
            if (sslPolicyErrors == SslPolicyErrors.None)
            {
                return true;
            }

            // Allow untrusted machines: the dev server's certificate is not
            // issued by a CA the client trusts, so only the chain check fails.
            // Note that this accepts any untrusted root, not just the test one.
            if (sslPolicyErrors == SslPolicyErrors.RemoteCertificateChainErrors)
            {
                return true;
            }

            // Do not allow this client to communicate with unauthenticated servers
            // (host-name mismatch, or no certificate presented at all).
            return false;
        }
    }

Double-checking with MSDN I found out that I once upon a time took this code straight from here: http://msdn.microsoft.com/en-us/library/system.net.security.remotecertificatevalidationcallback.aspx

Godspeed!

andyhammar
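The callback in the answer above accepts any certificate whose chain fails to validate, so any server (or anything in the path) presenting a self-signed certificate is treated as authentic. What the question actually needs is for the client to trust one specific root without touching the machine's certificate store. The following is an added example, not code from the question or from either answer: it keeps the same ServicePointManager callback shape, but validates the server's chain against a root CA certificate shipped inside the ClickOnce package and then pins on that exact root. The class name, the Install() method and the file name ServiceRootCA.cer are assumptions; the bundled file is assumed to be the DER-encoded public certificate of the private CA that issued the web service's certificate.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example (not from the question or either answer): trust one specific
// root CA that ships inside the ClickOnce package, without putting anything
// into the machine's Trusted Root store and without accepting arbitrary
// chain errors.
internal static class PinnedRootValidator
{
    // Assumption: the root CA's public certificate (DER .cer) is deployed as a
    // content file next to the application. The file name is a placeholder.
    private static readonly X509Certificate2 BundledRoot = new X509Certificate2(
        Path.Combine(AppDomain.CurrentDomain.BaseDirectory, "ServiceRootCA.cer"));

    // Call once at start-up. The callback is process-wide: it applies to
    // every HttpWebRequest made by this process, including web service proxies.
    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback =
            new RemoteCertificateValidationCallback(ValidateServerCertificate);
    }

    internal static bool ValidateServerCertificate(
        object sender,
        X509Certificate certificate,
        X509Chain chain,
        SslPolicyErrors sslPolicyErrors)
    {
        // Chains to a root the machine already trusts (a public CA): accept.
        if (sslPolicyErrors == SslPolicyErrors.None)
            return true;

        // A host-name mismatch or a missing certificate is never acceptable,
        // whatever the chain looks like. Only a pure chain problem goes on.
        if (sslPolicyErrors != SslPolicyErrors.RemoteCertificateChainErrors)
            return false;

        return ChainsToBundledRoot(new X509Certificate2(certificate));
    }

    internal static bool ChainsToBundledRoot(X509Certificate2 serverCert)
    {
        X509Chain privateChain = new X509Chain();

        // The private root publishes no CRL, so an online revocation check
        // would fail with RevocationStatusUnknown; disable it explicitly.
        privateChain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;

        // Offer our root as a candidate issuer. Windows will find it but still
        // flag UntrustedRoot because it is not in a trusted store, so tell
        // Build() to tolerate exactly that one status and nothing else.
        privateChain.ChainPolicy.ExtraStore.Add(BundledRoot);
        privateChain.ChainPolicy.VerificationFlags =
            X509VerificationFlags.AllowUnknownCertificateAuthority;

        // The return value is not enough on its own: inspect ChainStatus so
        // that expired, badly signed, wrong-usage or partial chains are all
        // rejected, and only "root not in the trust store" is waived.
        privateChain.Build(serverCert);
        foreach (X509ChainStatus status in privateChain.ChainStatus)
        {
            if (status.Status != X509ChainStatusFlags.NoError &&
                status.Status != X509ChainStatusFlags.UntrustedRoot)
                return false;
        }

        // AllowUnknownCertificateAuthority waives UntrustedRoot for ANY root,
        // so pin: the chain must terminate in exactly our bundled certificate.
        X509ChainElementCollection elements = privateChain.ChainElements;
        if (elements.Count == 0)
            return false;
        X509Certificate2 chainRoot = elements[elements.Count - 1].Certificate;
        return chainRoot.RawData.SequenceEqual(BundledRoot.RawData);
    }
}
```

The only thing this relaxes is "root is not in the Windows store", and only for the one root the package ships; a server presenting any other self-signed or privately issued certificate is still refused, and a host-name mismatch is refused before the chain is even rebuilt. The bundled .cer holds only the CA's public certificate, so including it in the ClickOnce package discloses nothing; what must never leave the server side is the CA's private key. If the service later moves to a certificate from a public CA, the SslPolicyErrors.None branch accepts it with no code change.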