Today I spent quite a bit of time fighting with a TFS build server attempting to make it sign a Silverlight xap file.
Here are some of the things that make it difficult:
1. My machine is not on the domain the build server is on
2. The build service runs under a service account
3. I want to use a self-signed cert right now for dev purposes
4. The Silverlight application is Out of Browser and needs Elevated Trust
Here are some notes on what I learned while trying to figure this out:
Regarding #1: Since my computer is not on the same domain, it didn’t take long to learn that the certificate that Visual Studio creates for you under the ‘Create Test Certificate’ wouldn’t be easy to configure on the build server … or at least I couldn’t figure it out in an hour or so (though now that I’ve got a better understanding, I might be able to).
Regarding #2: All the information I initially found on the internet regarding this situation said to log in as the account the build service runs under and register the cert by double-clicking it or running the build which would then prompt for the key’s password … this was a no go for me since it runs under ‘Network Service’
Regarding #3: After doing research, I was starting to think I would need to buy a cert that was from an already registered CA … but did not want to do that due to the cost and time involved. Plus I knew the VS cert worked locally … there had to be a way to do it on the server too.
Regarding #4: This is really more the point to the whole story, since the application is an OOB Silverlight application that needs to be signed to upgrade itself successfully (so I’ve read … still need to find that out).
Tonight I found some good news via these links:
http://www.digicert.com/ssl-support/pfx-import-export-iis-7.htm (information on the Certificate MMC snapin)
http://technet.microsoft.com/en-us/library/cc732597(WS.10).aspx#BKMK_Anchor3 (detail on the MakeCert utility)
http://www.inventec.ch/chdh/notes/14.htm (great command line to create a cert using MakeCert)
I also did a little digging into the Microsoft.VisualStudio.Silverlight.dll with Reflector to see what the VS ‘Create Test Certificate’ button actually does. Turns out there is an extended property (or maybe just property) of a certificate that says it can be used to sign code (I didn’t know that – I thought a cert was a cert). You can see that below: (taken from the MMC certificate snapin)
Read more: Jason Haley
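In X.509 terms, a certificate's permitted purposes are listed in its Enhanced Key Usage (EKU) extension, where Code Signing is OID 1.3.6.1.5.5.7.3.3. The PowerShell below is an added example, not code from the original post or from Visual Studio: it builds two constructed in-memory self-signed certificates, one with that EKU and one without, and reports the difference. The function names and subject names are hypothetical, and it assumes PowerShell 5.1 on .NET Framework 4.7.2 or later, or PowerShell 7.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

$CodeSigningOid = '1.3.6.1.5.5.7.3.3'   # Enhanced Key Usage purpose: Code Signing

# Hypothetical helper: list the EKU OIDs on a certificate and flag Code Signing.
function Test-CodeSigningEku {
    param([Parameter(Mandatory)][X509Certificate2]$Cert)
    $usages = @($Cert.Extensions |
        Where-Object { $_ -is [X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })
    [pscustomobject]@{
        Subject       = $Cert.Subject
        HasPrivateKey = $Cert.HasPrivateKey     # signing needs the private key too
        EkuOids       = $usages -join ','       # empty when no EKU extension exists
        CodeSigning   = $usages -contains $CodeSigningOid
    }
}

# Hypothetical helper: constructed self-signed cert, kept in memory only
# (nothing is written to a certificate store or to disk).
function New-ConstructedCert {
    param([Parameter(Mandatory)][string]$Name, [switch]$CodeSigning)
    $rsa = [RSA]::Create(2048)
    $req = [CertificateRequest]::new("CN=$Name", $rsa,
        [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    if ($CodeSigning) {
        $oids = [OidCollection]::new()
        [void]$oids.Add([Oid]::new($CodeSigningOid))
        # Second argument marks the extension as non-critical.
        $req.CertificateExtensions.Add([X509EnhancedKeyUsageExtension]::new($oids, $false))
    }
    $now = [DateTimeOffset]::UtcNow
    $req.CreateSelfSigned($now, $now.AddDays(30))
}

$plain   = New-ConstructedCert -Name 'Constructed plain cert'
$signing = New-ConstructedCert -Name 'Constructed code-signing cert' -CodeSigning

$plain, $signing |
    ForEach-Object { Test-CodeSigningEku -Cert $_ } |
    Format-Table -AutoSize
```

The same check can be pointed at a certificate loaded from a .pfx file or from a `Cert:\` store path before a build is configured to sign with it.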