How to extend an existing certificate, even if it has expired

In many cases, when the certificate you use to sign your ClickOnce deployment expires, your customers have to uninstall and reinstall the application. This is the problem discussed in my MSDN article on Certification Expiration in ClickOnce Deployment.

Part of that article discusses the use of a program called RenewCert to extend your signing certificate, and tells you why you might want to do that. The following video shows you how.

The basic command looks like this:

RenewCert oldpfxfile newpfxfile CN=newName password-to-old-pfx-file

Let’s say I have a certificate called NightbirdPFX.pfx that has expired. If I want to create a new version with the same public/private key pair, I would use this command:

RenewCert NightbirdPFX.pfx NightbirdPFX5Yrs.pfx CN=”Nightbird 5 Yrs” MYpassw0rd

Now I can replace the old certificate with the new and publish an update, and the users will be able to pick up the update without having to uninstall and reinstall the application.

As noted in the GoldMail above, if you have a vendor certificate, it does change it to a test certificate. So if you still want to have a trusted deployment, you have to purchase a new certificate.

The compiled version of RenewCert that I used to extend my vendor certificate can be downloaded here. This requires the C runtime libraries from Visual Studio 2005 in order to run, so I have included those in the zip file as well.

I’d like to thank Cliff Stanford for taking the C++ code from MSDN and enhancing it so it works for both test certificates and vendor certificates. If you’re interested, the code and compiled binary can be found here.

If you want to read the original article in MSDN and/or see Microsoft’s code, you can find it here.

[Edit 7/7/2011 Move zip file to Azure blob storage]

Tags: ,

69 Responses to “How to extend an existing certificate, even if it has expired”

  1. Web developer Boston Says:

    I gotta ask, simply because this whole certificate thing is such a hassle. Could one install a long-lasting self-created certificate onto users’ machines as part of the application’s install? If your installer installs the certificate your application is signed with, you wouldn’t need a certificate that expires (at least not for a long time). This would probably require administrator priviledges, but otherwise, is there anything prohibiting this?

    • robindotnet Says:

      No, there’s nothing keeping you from doing this. In fact, you can create your own certificate with a longer date range using MakeCert and just use it for deployment; you don’t have to install it on the customer’s machine. If you are going to install the certificate in the customer’s certificate store, it’s not a good idea to make it a long-lasting certificate. The reason for this is you can’t revoke the certificate. If someone obtained access to your certificate information, they could deploy malware to that customer’s machine as trusted software, and there’s nothing you could do about it. Plus, it would chain back to you.
      Information on using MakeCert to make longlasting certificates and some information about revocation are discussed in my article about certificate expiration on MSDN, which is here.
      Thanks,
      Robin

  2. Richard Says:

    One problem with the test cert generated by Visual Studio that I didn’t see mentioned in your article is that they are tied to one computer. I found this out when I replaced my development workstation and tried to move the test certificate – the private key is not exportable, so you can’t.

    • robindotnet Says:

      Actually, you are incorrect. You CAN move the test certificate generated by Visual Studio to another machine. When you create one, it adds a PFX file to your project. You just need to copy that file to the other machine and then select the file in the Signing tab. Of course, you have to be able to remember the key of your PFX file.

  3. Craig Says:

    Not sure if I’m missing something..but…Is the 5yr renewal configurable? Can it be 2yrs or 3yrs or some other time frame in the calls to RenewCert.
    If so, can you give an example.

    • robindotnet Says:

      Sorry, it’s not configurable — the author hardcoded the time frame. At the bottom of my blog entry, I’ve provided the link to the website where I got the binaries; he has posted the code. If you’re feeling the C++ love, you could download it and see if you can change it and build it. If you aren’t using a purchased certificate, you could try Microsoft’s version too. Good luck!

      • Craig Says:

        I spent a little time with Microsoft’s version and it didn’t seem to change the date at all. No error/affirmation was given when I ran the command line (I compiled the Microsoft RenewCert code using VS 2008). I will give this version a shot and hope I have better luck with it.

        Thanks for the write up and the video

    • Grant Says:

      I opened the source and just changed line 107 certExpireDate.wYear += 5;
      Changed mine to 30 years, guess you could easily make it a command line argument

      • robindotnet Says:

        I don’t recommend that you create a certificate that lasts for 30 years. There IS some risk involved because that certificate chains back to you. And will continue to chain back to you for 30 years. With a purchased cert, the Certificate Authority can revoke it, but you won’t have that privilege. If someone gets your certificate and signs their application as you, they can continue to have their application be valid for a really long time! That’s why the defaults in VS only last a year. Also note that if you do eventually upgrade to .NET 3.5 or .NET 4, the problem with changing the certificate goes away, and it won’t cause any problems when you issue an update with a new certificate. I’m glad the article helped you.

  4. Dave Says:

    This and the article on MSDN were the clearest pieces of writing I’ve seen in a long time. I, too, was faced with the expired certificate (which I had completely forgotten about) and the process you detailed worked perfectly. This saved me so much trouble I just had to say thanks. I will be putting your blog on my list too!

  5. Hifni Says:

    I’m getting an error as saying: “pfximportcertstore failed with error 0x56 the specified network password is not correct”

    • robindotnet Says:

      Can you be more specific? Where exactly are you getting that error? Which step are you running?

      • Hifni Says:

        I took a copy of *.pfx file and tried to renew it. Was following your visual presentation. Here is the copy of the commands I ran:

        Microsoft Windows XP [Version 5.1.2600]
        (C) Copyright 1985-2001 Microsoft Corp.

        C:\>cd C:\My_TechTools\DotNet\DotNetFx20SP2\RenewCertBinaries

        C:\My_TechTools\DotNet\DotNetFx20SP2\RenewCertBinaries>RenewCert.exe EquityBroke
        r32_TemporaryKey.pfx EquityBroker32_TemporaryKey_ext.pfx cn=”JKSB IT Ext. 5 Year
        s” teak
        PFXImportCertStore failed with error 0x56: The specified network password is not
        correct.

        Exiting

        • robindotnet Says:

          Are you sure you are using the right password for the current pfx file?

          • Hifni Says:

            I have forgotten the password I assigned initially, where not realizing that there would be an expiry to be hit on me. In such event is there anyway to retrieve the forgotten password? Thanks

          • robindotnet Says:

            I’m sorry, but there’s no way to do that — it would be a huge security breach. If that was possible, someone would be able to retrieve your password and use your certificate to sign their deployments, and issue spamware in your name. That’s also why you can’t extend the certificate without the password.

          • CWire Says:

            I had the same problem with the password when I tried to run it from a batch file. When I typed manually in the DOS box, it worked, or at least it created the file.

          • AlwaysLearning Says:

            @CWire: You probably shouldn’t save your key password in a .bat file, but two things that might help you:
            1. If your password contains Unicode characters you should ensure that your batch file is saved in a Unicode-compatible encoding. i.e.: If you create and save a file using Windows Notepad it defaults to ANSI encoding, try going to File-Save as… and change the Encoding to UTF-8.
            2. You’ll have difficulties if your password contains special shell characters such as , |, % or ^. Try a Google search for “.bat file escape characters”

  6. Richard Dunlap Says:

    This is actually a comment on your MSDN Certificate Expiration article. For the programmatic uninstall/reinstall, has anyone submitted a quick fix to make sure the radio button in the Maintenance dialog is set to “Remove” instead of “Restore”? “Restore” is what it defaulted to for me — and that obviously causes a problem. 🙂

  7. Richard Dunlap Says:

    Never mind — power of the post strikes again. Just make the uninstall version the minimum required version.

  8. Ralph Koppel Says:

    Thank you very much. You are a lifesaver.

  9. saleem Says:

    renewcert a2010.pfx b2010.pfx CN=”seemajee 5 yrs” seemajee
    CryptAcquireCertificatePrivateKey failed with error 0x8009200b: Cannot find the
    certificate and private key for decryption.

    Exiting

    pls tell what error

    • robindotnet Says:

      Are you running that from the command line, and you are sitting in the same folder as renewcert.exe and the pfx file?

      • Jon Says:

        I too am getting the same error and the .pfx file is in the same folder. I even added the .pvk file to the folder, but it doesn’t help.

      • Jon Says:

        I figured it out. You can’t just copy or drag the .pfx and .pvk files to the folder where RenewCert was extracted. You have to either:

        a) Export the expired certificate to the extracted RenewCert folder (I did this using IE)

        or

        b) Place renewcert.exe and the runtime folder into the folder in VS where the expired deployed certificate resides and run RenewCert from there.

  10. Daniel Says:

    Hi Robin. I’m also getting “CryptAcquireCertificatePrivateKey failed with error 0x8009200b: Cannot find the certificate and private key for decryption.”

    Everything is in the same directory.

    • robindotnet Says:

      Are you trying to run RenewCert on a pfx file? Is it a certificate purchased from a vendor or a test certificate? If it’s a test certificate, was it created with Visual Studio?

  11. Fredrick Says:

    My certificate expired.i want to have a new certificate.i can’t even accept request

    • robindotnet Says:

      I’m not sure I understand. What do you mean by “can’t even accept request” ? Was your old certificate from a verifed Certificate Authority such as Verisign, or did you create it yourself with Visual Studio? If you created it yourself, you can just create a new one or extend the old one.

  12. Raul Becerra Says:

    Thanks, this works for me :D…

  13. sayantani Says:

    while trying to run the renewcert.exe i am getting an error like:
    The application has failed to start because its side-by-side configuration is in
    correct. Please see the application event log or use the command-line sxstrace.e
    xe tool for more detail.
    After tracing the error i found :
    ERROR: Cannot resolve reference Microsoft.VC80.DebugCRT,processorArchitecture=”x86″,publicKeyToken=”1fc8b3b9a1e18e3b”,type=”win32″,version=”8.0.50727.762″.
    ERROR: Activation Context generation failed.
    I have installed the C++ redistributable for 2005,2005 SP1,2008,2008 SP1,2010 still the problem persists.
    Please help me out

  14. Me Again Says:

    >makecert -sv MakarioUK.pvk -n “cn=MakarioUK” MakarioUK.cer -b 01/01/2011 -e 01/01/2050 -r

    • robindotnet Says:

      That’s nice. If you want to create a certificate that lasts 40 years, that’s your prerogative. It’s a securiy issue if you’re going to use it on the internet, though, because once the user accepts it, anybody who uses your certificate for the next 40 years can deploy software with your information attached to it!

  15. outseeker Says:

    I get PFXImportCertStore failed with error 0x56: The specified network password is not
    correct.

    I know the password is correct, as I enter it successfully when opening the pfx file in VB2008.

    Any suggestions? Command line I used was renewcert “key 1.pfx” “key 1 extended.pfx” password

  16. outseeker Says:

    ooh, sorry to double post but I can’t edit.

    I went back to the top and read the syntax.. hehe it works fine!
    Weird the program itself doesn’t tell you the correct syntax 😄

  17. manvsteeth Says:

    You saved me! Thank you for this. ❤

  18. ClickOnce érdekességek « Balássy György szakmai blogja Says:

    […] RenewCert verzió, ami nálam a C runtime library-kre hivatkozva elszállt, de szerencsére Robin Shahan blogjában találtam egy olyan változatot, ami mellett ott állnak a szükséges dll-ek is. Ezzel egy […]

  19. ClickOnce érdekességek - Balássy György szakmai blogja - devPortal Says:

    […] RenewCert verzió, ami nálam a C runtime library-kre hivatkozva elszállt, de szerencsére Robin Shahan blogjában találtam egy olyan változatot, ami mellett ott állnak a szükséges dll-ek is. Ezzel egy […]

  20. juandavidpaez Says:

    HI, im trying to renew a certificate I use in a silverlight Out of browser application, I used the RenewCert to create the new version of the certificate and I installed it on the certificate store of my computer. I didn´t rebuild my silverlight application. Now I go to the webpage where my application is embedded and it seems that i do not recognize that I have I new certificate with a longer expiracy date. I checked the properties of the certificates and compared them. I realized that the serial number and the key signature is totally different. Is it possible to renew the certificate without changing the serial number and key signatures??? Please help, (sorry for my english)

    • robindotnet Says:

      I’m guessing you have to update the Silverlight application. Try rebuilding it (with the new certificate). I’m not really sure why you need to extend the certificate, as Silverlight doesn’t use ClickOnce, and I believe just needs a valid certificate in order to work?

  21. JuniorDJ Says:

    I have attempted to walk through this working through Visual Studio on a local workstation, then I build the application and copy the files out to an existing installation… is there something else involved to get this to work? Does the application need to be republished? Frustrated and would appreciate any help…

    • robindotnet Says:

      You can’t just copy the files out on top of an existing installation. You have to either publish a new version or create new manifests with Mage or MageUI with a new version number, and copy the new version to your deployment directory.

  22. Sam V Says:

    Great stuff! Thanks so much for this – I’ve been trying to use renewcert from Cliff without success due to the prerequisites. It turns out that having Visual Studio 2010 with C++ installed won’t do the job, however many redistributables you install. Your Microsoft.VC80.DebugCRT folder saved the day, and stopped me from going medieval on my keyboard. Thanks again!

    • robindotnet Says:

      I would hate for your keyboard — an innocent bystander — to be hurt. Next thing you know, it will get all resentful and stop sending the keys you press, so “hello” could be sent as “bite me”, which could seriously impact any communications you have with your upper management. So in the interest of your continued employment, I’m glad I was able to help. 😉

  23. rhonda Says:

    I’m assuming most of the pain here is NOT VS2010 / dotNet 4.0 – because surely by now Microsoft has implemented the ‘correct’ certificate renewal strategy? seriously – when I renew the certificate from Thawte – it cannot be (their words) the same key pair. so – will this all ‘just work’ yet?

    • robindotnet Says:

      At the top of the article, there is a link to an MSDN article about certificate expiration that shows the cases where it works and doesn’t work. It is not a VS issue, it is a .NET Framework issue. It should be okay in .NET 4. I have to say, though, that I wouldn’t use a Thawte certificate for a VSTO application; Thawte has intermediate certificates and for VSTO applications, it is not recognized correctly.

      • Rhonda Says:

        Thanks Robin. We were unaware of the issues with the Thawte certificates when we started this project… I asked my corp IT for a code signing certificate, and that was what I was provided. Yes, we found an issue – we basically have to install the certificate on the end-user pc… but at least the ‘renewal’ went smoothly – and the installed certificates updated themselves…. thankfully!

  24. Ken S Says:

    I’m trying this for the second time…we had to do this in 2008, and it worked okay. We now have two certificates which are expiring again after the 5-year window (that we didn’t know we could circumvent). Does this work two times in a row?

    I keep getting an error when using renewcert with the parameters exactly as described. The error I receive is not in the command line, but in Visual Studio: when attempting the ClickOnce publish, it fails with the following error: “certificate is not valid for signing”. I’m basically at a loss at this point, especially since I have another program I’ve been asked to handle, which has this same problem (expires on Mar. 20). Any ideas? Thanks in advance!

    • robindotnet Says:

      I would be sure to name the new version of the certificate with a different file name, and make sure you’re selecting the file when doing the signing in Visual Studio so you make sure you are getting the new certificate and not using the old one.

  25. Ken S Says:

    Well I kept trying some other actions:
    I tried using the original key as the first parameter – no joy, same error.
    I tried using the first extended key – no joy, same error.
    I tried setting the system time to a previous date where the keys would not already be expired – no joy, same error.
    While this is a great learning opportunity, I’ve pretty much run out of ideas. Any others? Thanks in advance.

    • robindotnet Says:

      Are you having a problem with RenewCert or with using the certificate in Visual Studio? Your other question seems to indicate having a problem using the certificate in VS.

  26. Nadir Talic Says:

    Great help, Thx!!!!

  27. Chris Says:

    I am getting the errors that sayantani got in an earlier post. The application has failed to start because its side-by-side configuration is incorrect.

    I have everything in the same folder (program and pfx files).

    I have Visual Studio 2008 with C++ installed. I’m on Windows 7. What else do I need to have to get it to work?

    Thanks,

    Chris

    • robindotnet Says:

      Can you please post specifically what errors you’re seeing? What version of the C++ runtime do you have installed?
      Robin

      • Chris Says:

        The error was:

        The application has failed to start because its side-by-side configuration is in
        correct. Please see the application event log or use the command-line sxstrace.exe tool for more detail.

        I have Microsoft Visual C++ 2005 Redistributable (8.0.59193) and Microsoft Visual C++ 2008 Redistributable – x64.9.0.30729.17 (9.0.30729) showing in my installed programs list. I also have Microsoft Windows SDK for Visual Studio 2008 (6.1.5294.17011) in the list.

        I have a clickOnce application with a key that just expired. I was hoping to extend the key so that I didn’t have to uninstall and re-install the program on all my user’s computers. The original developer is not working here, so I don’t think that I have the password for the key available any way. I might just have to create a new key and go ahead and do the uninstall/install.

        I am also moving the install directory to a new server, so an uninstall/install might be the best solution for me.

        Chris

  28. JP Says:

    life saver !
    thanks a lot.

  29. Tanúsítvány – új vagy megújítás | Asteriksz's Blog Says:

    […] adott programot, akkor ott ismét előkerülhet ez a kérdés (ez és ez is ilyenről szól, ott ez a […]

  30. Mido Says:

    I bought a certificate from “Go Daddy” which expired this moth. I extenden it with renewcert.exe as you explained in this article. The extended certificate has worked for WinForm but not for vsto (Word Add In). While installing the Word AddIn i get the message that the certificate is not trustworthily. How can i get it work for Wrord add In? Thanks

    • robindotnet Says:

      When you extend the certificate from GoDaddy, it is no longer from a valid publisher. For the certificate to come from a valid Certificate Authority, you have to pay for a renewal. You can use your extended not-from-a-CA certificate for Windows Forms and WPF applications, but you will find that it will come up and say “Unknown Publisher” when a customer installs the application. With Windows 8, the Smart Screen Filter will catch it, and your customer can select “more info” and then “run anyway”. Because of the security issues with Office add-ins, they have more stringent requirements, and you can not use a certificate that is not from a Certificate Authority; the only solution is to purchase a new one.

      • Mido Says:

        Thank you for your reply. Actually I got a new cerificate from GoDaddy that is valid for more 2 years.
        The new certificate is signed with a new signature algorithm called ‘sha256RSA’. I used the new certificate to sign my Office Solution. The propblem is I got a warning “Unknown publisher”. Although the certificate is from CA, the publisher can’t be recognised while installing the Word AddIn.
        The old expired cetificate I used to publish the Office Solution was singned with a different signature algorithm und it worked fine.
        We develop with Visual Studio 2013 and .NET 4. Can you please.tell me waht can I do.

        • robindotnet Says:

          It is good that you got a SHA256 cert instead of a 128 one. 128 is no longer used, and will be completely phased out pretty soon. If you import the certificate into your cert store, and then double-click on it and look at it, does it have you or your company as the publisher?

          • Mido Says:

            yes. when I select the certificate from the store I have my company as publisher and everything regarding the cerificate in Visual Studio is fine. Now I have a new problem that occurs on a test compouter. On that computer ist win7 and .NET 4 insatlled. The problem occurs while installing the Office Soltion:

            ” Exception reading manifest from http://…wordAddIn.vtso: The manifest may not be valid or the file could not be opened.”

            Any Idea? Thank you

          • Mido Says:

            typying error: the error message ist:

            ” Exception reading manifest from http://…wordAddIn.vsto: The manifest may not be valid or the file could not be opened.”

            vsto not vtso 🙂

  31. kgoods Says:

    Just wanted to pop in and say thanks for this post. Nice to get everything I needed in one place without spending an hour putting out the expired cert problem.

    Really concise and appreciated!

    Kind regards.

  32. William Domenz Says:

    Thank you for posting this – it has saved me!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


%d bloggers like this: