Fully Trusted form and MakeCert.exe

vt_asparagus

I am messing around with test certificates to see how they work. I
wanted to use the MakeCert.exe located within C:\Program
Files\Microsoft Visual Studio .NET 2003\SDK\v1.1\Bin to create a test
cert to play with. I quickly found out that I had to take several
other steps to build the certificate.

Here are some command line statements I had to run:

cd C:\Program Files\Microsoft Visual Studio .NET 2003\SDK\v1.1\Bin
makecert -sv testCertKey.pvk -n "CN=AsparagusCertificate,OU=Delivery,O=Asparagus,C=US" -r testCert.cer
cert2spc testcert.cer testcert.spc
pvkimprt -IMPORT testCert.spc testCertkey.pvk

You will need to go out and install the pvkimprt tool. Anyways, I can
now see the certificate in InfoPath and I can Sign my Template of my
test form by going to Tools >> Security. (I know I can create a
certificate in InfoPath but I wanted to try it this way.)

Here is a new issue: when I try to use the InfoPath form that I signed
with the certificate on another machine for testing purposes, I get the
following warning when I open it up (I created the form on a host
machine and then threw it onto a VPC).

"The selected form cannot be opened correctly because it was signed
with a certificate that is not available on this machine. To remove
the certificate and open the form, click OK. Note that removing the
certificate might require users to delete and reinstall the form on
their computer. In addition, forms requiring full trust will not open
correctly unless they are signed with a trusted signature."

This leads me to believe that I needed to install the certificate I
created on my host machine onto my VPC. That did not work. I then
tried rebuilding the certificate on the VPC from scratch using the same
steps and opening the InfoPath form, and I again got the same issue. How
can I get this to work?
 
vt_asparagus

To continue my saga... I am still having issues.

When I run the .xsn locally I get a prompt warning me that the digital
certificate is not trusted, which makes sense because I created it
using MakeCert.exe. Although, if I take the form, throw it onto a VPC,
double click the .xsn, I get "InfoPath Cannot load this form. The
signature is corrupt or the certificate used to sign the form is
expired or has been revoked. Contact the author of the form."

Hypothetically, all I should have to do is install the certificate in
the VPC and it should work. Maybe I do not have the right steps.

Another thing, I found the following link out there - BUG: You may
receive "The signature is corrupt or the certificate used to sign this
form is expired" error message in InfoPath 2003 Service Pack 1 -
http://support.microsoft.com/kb/888704

I have tried to follow the steps but get the following error at the
end. It is "Windows cannot build the requested certification path."

Any advice?
 
vt_asparagus

Looks like I cannot move the XSN file from machine to machine and
expect the certificate I created with MakeCert.exe to work. If I
publish the form through SharePoint on the machine where I created the
certificate, the user will be prompted that the certificate cannot be
trusted but they will be allowed to open the form.

As everyone should know, you should only use a certificate created from
MakeCert.exe for testing purposes only.
 
Sheetal D [MSFT]

Certificates generated from the MakeCert.exe tool are for testing purposes only. These will not work as expected.
In order to make the form fully trusted and allow other users to open it from SP site/Internet without any warnings/errors you need to sign that
IP form with a certificate from a trusted authority like VeriSign for example.

Refer to the following articles to know more on getting a certificate from a trusted authority so that it will be valid on all the machines within the
intranet:
(a) Cryptography for Network and Information Security
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/distrib/dsch_key_msjr.asp
(b) Setting up a Certificate Authority
http://msdn.microsoft.com/library/d...html/29ff74a2-249a-4ecf-8a2a-ff0ba572e4db.asp
(c) Building an Enterprise Root Certification Authority in Small and Medium Businesses
http://www.microsoft.com/technet/security/prodtech/windowsserver2003/build_ent_root_ca.mspx


Best Regards,
Sheetal D
Microsoft Developer Support

This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
From: (e-mail address removed)
Newsgroups: microsoft.public.infopath
Subject: Re: Fully Trusted form and MakeCert.exe
Date: 10 Sep 2005 18:39:40 -0700

Looks like I cannot move the XSN file from machine to machine and
expect the certificate I created with MakeCert.exe to work. If I
publish the form through SharePoint on the machine where I created the
certificate, the user will be prompted that the certificate cannot be
trusted but they will be allowed to open the form.

As everyone should know, you should only use a certificate created from
MakeCert.exe for testing purposes only.
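
Added example (not part of the thread and not Microsoft's code): a PowerShell check for the situation discussed above. It creates a self-signed certificate in memory with the subject from the makecert command, standing in for testCert.cer, asks Windows to build its chain, and reports whether the certificate is in the Root stores of the machine the script runs on. The function names are hypothetical, and .NET Framework 4.7.2 or later (Windows PowerShell 5.1) is assumed.

```powershell
# Added example: chain status of a self-signed test certificate on this machine.
# Nothing is written to any certificate store; the certificate exists only in memory.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Hypothetical helper: self-signed cert with the subject used in the thread.
# To inspect the real file instead: [X509Certificate2]::new('testCert.cer')
function New-TestCert {
    $rsa = [RSA]::Create(2048)
    $req = [CertificateRequest]::new(
        'CN=AsparagusCertificate,OU=Delivery,O=Asparagus,C=US',
        $rsa, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    $now = [DateTimeOffset]::UtcNow
    return $req.CreateSelfSigned($now.AddDays(-1), $now.AddYears(1))
}

# Hypothetical helper: build the chain the way Windows does, without
# revocation lookups, and return the result plus every status flag raised.
function Test-CertChain {
    param([X509Certificate2]$Cert)
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
    $valid = $chain.Build($Cert)
    $flags = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    [pscustomobject]@{
        Subject    = $Cert.Subject
        SelfSigned = ($Cert.Subject -eq $Cert.Issuer)
        ChainValid = $valid
        Status     = $flags
    }
}

# Hypothetical helper: is this exact certificate (by thumbprint) a trust
# anchor for the current user or for the whole machine?
function Find-InRootStores {
    param([X509Certificate2]$Cert)
    foreach ($location in 'CurrentUser', 'LocalMachine') {
        $path = "Cert:\$location\Root\$($Cert.Thumbprint)"
        [pscustomobject]@{ Store = "$location\Root"; Present = (Test-Path $path) }
    }
}

$cert = New-TestCert
Test-CertChain -Cert $cert | Format-List
Find-InRootStores -Cert $cert | Format-Table -AutoSize
```

Run against the real testCert.cer on both the host and the VPC, the two outputs show whether each machine holds the certificate as a trust anchor and which chain status flags it raises there.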
 
