Today I spent quite a bit of time fighting with a TFS build server attempting to make it sign a Silverlight xap file.
Here are some of the things that make it difficult:
- My machine is not on the domain the build server is on
- The build service runs under a service account
- I want to use a self signed cert right now for dev purposes
- The Silverlight application runs Out of Browser and needs Elevated Trust
Here are some notes on what I learned while trying to figure this out:
Regarding #1: Since my computer is not on the same domain, it didn’t take long to learn that the certificate Visual Studio creates for you under the ‘Create Test Certificate’ button wouldn’t be easy to configure on the build server … or at least I couldn’t figure it out in an hour or so (though now that I’ve got a better understanding, I might be able to).
Regarding #2: All the information I initially found on the internet regarding this situation said to log in as the account the build service runs under and register the cert by double-clicking it or running the build, which would then prompt for the key’s password … this was a no go for me since it runs under ‘Network Service’.
Regarding #3: After doing research, I was starting to think I would need to buy a cert from an already registered CA … but did not want to do that due to the cost and time involved. Plus I knew the VS cert worked locally … there had to be a way to do it on the server too.
Regarding #4: This is really more the point to the whole story, since the application is an OOB Silverlight application that needs to be signed to upgrade itself successfully (so I’ve read … still need to find that out).
Tonight I found some good news via these links:
http://www.digicert.com/ssl-support/pfx-import-export-iis-7.htm (information on the Certificate MMC snapin)
http://technet.microsoft.com/en-us/library/cc732597(WS.10).aspx#BKMK_Anchor3 (detail on the MakeCert utility)
http://www.inventec.ch/chdh/notes/14.htm (great command line to create a cert using MakeCert)
I also did a little digging into the Microsoft.VisualStudio.Silverlight.dll with Reflector to see what the VS ‘Create Test Certificate’ button actually does. Turns out there is an extension on a certificate, the Enhanced Key Usage (EKU) extension, that lists what the certificate may be used for, and one of those purposes is code signing (I didn’t know that – I thought a cert was a cert). You can see it in the certificate’s details under Enhanced Key Usage in the MMC certificate snap-in.
If you simply create a cert using IIS’s ‘Create Self-Signed Certificate’ (shown below) you will get a certificate whose Intended Purpose is Server Authentication – NOT Code Signing. Image below is from IIS 7:
If you try to sign your Xap with a cert that doesn’t have the Code Signing purpose, Visual Studio will give you the following message box stating “The selected certificate is not valid for code signing.” Very clear and to the point … once you know that certificates have different intended purposes and different properties. Until you figure that out the message box is just frustrating.
The trick to creating a certificate that allows for code signing was found via Reflector: OID_CODE_SIGNING = "1.3.6.1.5.5.7.3.3"; (this is the standard PKIX id-kp-codeSigning OID, the same value makecert’s -eku switch expects).
So if you take the makecert command line from the link above and edit it to use that OID, you will generate a cert that has an intended purpose of Code Signing. Here is the edited command:
makecert -r -pe -n "CN=www.yourserver.com" -b 01/01/2000 -e 01/01/2036 -eku 1.3.6.1.5.5.7.3.3 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12
Note the -ss my -sr localMachine part: the cert lands in the Local Machine Personal store rather than a user profile, which is what makes it visible to a service account like Network Service without anyone logging in as that account.
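The same result with the PKI module that ships with Windows 10 / Server 2016 and later, as an added example that is not part of the original post and uses New-SelfSignedCertificate instead of makecert. The subject name, file path and PFX password are assumptions for illustration; the EKU OID 1.3.6.1.5.5.7.3.3 is the real id-kp-codeSigning value, and Test-CodeSigningEku below is a hypothetical helper that performs the same "is this cert valid for code signing" check that Visual Studio does.

```powershell
# Added example, not from the original post. Assumed values: subject, PFX path, password.
$subject = 'CN=www.yourserver.com'                                   # assumed, matches the makecert line
$pfxPath = 'C:\build\xapsign.pfx'                                    # assumed path for moving the cert
$pfxPass = ConvertTo-SecureString 'change-me' -AsPlainText -Force   # assumed dev-only password

# Returns $true only if the certificate carries the Enhanced Key Usage extension (2.5.29.37)
# and that extension lists id-kp-codeSigning (1.3.6.1.5.5.7.3.3). This is the property
# Visual Studio looks for before it will sign a XAP.
function Test-CodeSigningEku {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $eku = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $eku) { return $false }   # no EKU extension at all
    $eku = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$eku
    return [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.3' })
}

# Create the signing cert directly in the Local Machine Personal store (the equivalent of
# makecert's -ss my -sr localMachine) so a service account can see it without an interactive login.
# -TextExtension sets the EKU explicitly with the code-signing OID.
$cert = New-SelfSignedCertificate `
    -Subject $subject `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeySpec Signature `
    -KeyUsage DigitalSignature `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.3') `
    -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(5) `
    -FriendlyName 'XAP signing (dev)'

if (-not (Test-CodeSigningEku $cert)) {
    throw "Certificate $($cert.Thumbprint) is not valid for code signing"
}
Write-Host "Code-signing cert created, thumbprint $($cert.Thumbprint)"

# Export with the private key so the same cert can be imported on the build server.
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPass | Out-Null

# On the build server, import into the machine store, again so Network Service can reach it:
#   Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPass

# Contrast: a cert whose only purpose is Server Authentication (1.3.6.1.5.5.7.3.1), which is what
# the IIS wizard produces, fails the same check. Created in the user store and removed afterwards.
$web = New-SelfSignedCertificate -Subject $subject -CertStoreLocation 'Cert:\CurrentUser\My' `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1')
Write-Host "Server-auth cert passes code-signing check: $(Test-CodeSigningEku $web)"   # False
Remove-Item -Path "Cert:\CurrentUser\My\$($web.Thumbprint)"
```

Two things to check after the import on the build server: the service account still needs read access to the private key (in the Local Machine certificate snap-in, right-click the cert, All Tasks, Manage Private Keys, and grant the account Read), and the cert is still self-signed, so it satisfies the "valid for code signing" check but is not trusted by anyone else until its public certificate is installed in the appropriate store on each machine that runs the application.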
I don’t have the whole build working quite yet … but the certificates are looking good. I’ll post more later once it’s all working.
Hope this helps someone else save some time.