In many cases, when the certificate you use to sign your ClickOnce deployment expires, your customers have to uninstall and reinstall the application. This is the problem discussed in my MSDN article on Certification Expiration in ClickOnce Deployment.
Part of that article discusses the use of a program called RenewCert to extend your signing certificate, and tells you why you might want to do that. The following video shows you how.
The basic command looks like this:
RenewCert oldpfxfile newpfxfile CN=newName password-to-old-pfx-file
Let’s say I have a certificate called NightbirdPFX.pfx that has expired. If I want to create a new version with the same public/private key pair, I would use this command:
RenewCert NightbirdPFX.pfx NightbirdPFX5Yrs.pfx CN=”Nightbird 5 Yrs” MYpassw0rd
Now I can replace the old certificate with the new and publish an update, and the users will be able to pick up the update without having to uninstall and reinstall the application.
As noted in the GoldMail above, if you have a vendor certificate, it does change it to a test certificate. So if you still want to have a trusted deployment, you have to purchase a new certificate.
The compiled version of RenewCert that I used to extend my vendor certificate can be downloaded here. This requires the C runtime libraries from Visual Studio 2005 in order to run, so I have included those in the zip file as well.
I’d like to thank Cliff Stanford for taking the C++ code from MSDN and enhancing it so it works for both test certificates and vendor certificates. If you’re interested, the code and compiled binary can be found here.
If you want to read the original article in MSDN and/or see Microsoft’s code, you can find it here.
[Edit 7/7/2011 Move zip file to Azure blob storage]
RobinDotNet's Blog 
February 5, 2010 at 1:26 pm |
I gotta ask, simply because this whole certificate thing is such a hassle. Could one install a long-lasting self-created certificate onto users’ machines as part of the application’s install? If your installer installs the certificate your application is signed with, you wouldn’t need a certificate that expires (at least not for a long time). This would probably require administrator priviledges, but otherwise, is there anything prohibiting this?
February 28, 2010 at 7:32 pm |
No, there’s nothing keeping you from doing this. In fact, you can create your own certificate with a longer date range using MakeCert and just use it for deployment; you don’t have to install it on the customer’s machine. If you are going to install the certificate in the customer’s certificate store, it’s not a good idea to make it a long-lasting certificate. The reason for this is you can’t revoke the certificate. If someone obtained access to your certificate information, they could deploy malware to that customer’s machine as trusted software, and there’s nothing you could do about it. Plus, it would chain back to you.
Information on using MakeCert to make longlasting certificates and some information about revocation are discussed in my article about certificate expiration on MSDN, which is here.
Thanks,
Robin
February 10, 2010 at 10:44 am |
One problem with the test cert generated by Visual Studio that I didn’t see mentioned in your article is that they are tied to one computer. I found this out when I replaced my development workstation and tried to move the test certificate – the private key is not exportable, so you can’t.
February 13, 2010 at 12:41 am |
Actually, you are incorrect. You CAN move the test certificate generated by Visual Studio to another machine. When you create one, it adds a PFX file to your project. You just need to copy that file to the other machine and then select the file in the Signing tab. Of course, you have to be able to remember the key of your PFX file.
March 8, 2010 at 6:09 pm |
Not sure if I’m missing something..but…Is the 5yr renewal configurable? Can it be 2yrs or 3yrs or some other time frame in the calls to RenewCert.
If so, can you give an example.
March 8, 2010 at 6:25 pm |
Sorry, it’s not configurable — the author hardcoded the time frame. At the bottom of my blog entry, I’ve provided the link to the website where I got the binaries; he has posted the code. If you’re feeling the C++ love, you could download it and see if you can change it and build it. If you aren’t using a purchased certificate, you could try Microsoft’s version too. Good luck!
March 8, 2010 at 6:45 pm |
I spent a little time with Microsoft’s version and it didn’t seem to change the date at all. No error/affirmation was given when I ran the command line (I compiled the Microsoft RenewCert code using VS 2008). I will give this version a shot and hope I have better luck with it.
Thanks for the write up and the video
July 22, 2010 at 3:16 pm |
I opened the source and just changed line 107 certExpireDate.wYear += 5;
Changed mine to 30 years, guess you could easily make it a command line argument
July 22, 2010 at 3:47 pm |
I don’t recommend that you create a certificate that lasts for 30 years. There IS some risk involved because that certificate chains back to you. And will continue to chain back to you for 30 years. With a purchased cert, the Certificate Authority can revoke it, but you won’t have that privilege. If someone gets your certificate and signs their application as you, they can continue to have their application be valid for a really long time! That’s why the defaults in VS only last a year. Also note that if you do eventually upgrade to .NET 3.5 or .NET 4, the problem with changing the certificate goes away, and it won’t cause any problems when you issue an update with a new certificate. I’m glad the article helped you.
April 26, 2010 at 9:37 am |
This and the article on MSDN were the clearest pieces of writing I’ve seen in a long time. I, too, was faced with the expired certificate (which I had completely forgotten about) and the process you detailed worked perfectly. This saved me so much trouble I just had to say thanks. I will be putting your blog on my list too!
June 3, 2010 at 6:23 am |
I’m getting an error as saying: “pfximportcertstore failed with error 0x56 the specified network password is not correct”
June 4, 2010 at 1:07 am |
Can you be more specific? Where exactly are you getting that error? Which step are you running?
June 4, 2010 at 3:40 am |
I took a copy of *.pfx file and tried to renew it. Was following your visual presentation. Here is the copy of the commands I ran:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\>cd C:\My_TechTools\DotNet\DotNetFx20SP2\RenewCertBinaries
C:\My_TechTools\DotNet\DotNetFx20SP2\RenewCertBinaries>RenewCert.exe EquityBroke
r32_TemporaryKey.pfx EquityBroker32_TemporaryKey_ext.pfx cn=”JKSB IT Ext. 5 Year
s” teak
PFXImportCertStore failed with error 0x56: The specified network password is not
correct.
Exiting
June 4, 2010 at 10:29 am |
Are you sure you are using the right password for the current pfx file?
June 14, 2010 at 4:11 am
I have forgotten the password I assigned initially, where not realizing that there would be an expiry to be hit on me. In such event is there anyway to retrieve the forgotten password? Thanks
June 14, 2010 at 10:07 am
I’m sorry, but there’s no way to do that — it would be a huge security breach. If that was possible, someone would be able to retrieve your password and use your certificate to sign their deployments, and issue spamware in your name. That’s also why you can’t extend the certificate without the password.
February 12, 2014 at 12:25 pm
I had the same problem with the password when I tried to run it from a batch file. When I typed manually in the DOS box, it worked, or at least it created the file.
March 9, 2014 at 7:36 pm
@CWire: You probably shouldn’t save your key password in a .bat file, but two things that might help you:
1. If your password contains Unicode characters you should ensure that your batch file is saved in a Unicode-compatible encoding. i.e.: If you create and save a file using Windows Notepad it defaults to ANSI encoding, try going to File-Save as… and change the Encoding to UTF-8.
2. You’ll have difficulties if your password contains special shell characters such as , |, % or ^. Try a Google search for “.bat file escape characters”
July 30, 2010 at 8:55 am |
This is actually a comment on your MSDN Certificate Expiration article. For the programmatic uninstall/reinstall, has anyone submitted a quick fix to make sure the radio button in the Maintenance dialog is set to “Remove” instead of “Restore”? “Restore” is what it defaulted to for me — and that obviously causes a problem. 🙂
July 30, 2010 at 9:00 am |
Never mind — power of the post strikes again. Just make the uninstall version the minimum required version.
July 30, 2010 at 9:05 am |
I was going to say that, but you beat me to it. 🙂
September 10, 2010 at 9:25 am |
Thank you very much. You are a lifesaver.
November 5, 2010 at 12:39 pm |
renewcert a2010.pfx b2010.pfx CN=”seemajee 5 yrs” seemajee
CryptAcquireCertificatePrivateKey failed with error 0x8009200b: Cannot find the
certificate and private key for decryption.
Exiting
pls tell what error
November 28, 2010 at 3:06 am |
Are you running that from the command line, and you are sitting in the same folder as renewcert.exe and the pfx file?
May 9, 2012 at 7:34 am |
I too am getting the same error and the .pfx file is in the same folder. I even added the .pvk file to the folder, but it doesn’t help.
May 9, 2012 at 8:55 am |
I figured it out. You can’t just copy or drag the .pfx and .pvk files to the folder where RenewCert was extracted. You have to either:
a) Export the expired certificate to the extracted RenewCert folder (I did this using IE)
or
b) Place renewcert.exe and the runtime folder into the folder in VS where the expired deployed certificate resides and run RenewCert from there.
December 3, 2010 at 6:27 am |
Hi Robin. I’m also getting “CryptAcquireCertificatePrivateKey failed with error 0x8009200b: Cannot find the certificate and private key for decryption.”
Everything is in the same directory.
January 11, 2011 at 4:30 am |
Are you trying to run RenewCert on a pfx file? Is it a certificate purchased from a vendor or a test certificate? If it’s a test certificate, was it created with Visual Studio?
October 7, 2011 at 3:04 pm |
My certificate expired.i want to have a new certificate.i can’t even accept request
October 7, 2011 at 3:39 pm |
I’m not sure I understand. What do you mean by “can’t even accept request” ? Was your old certificate from a verifed Certificate Authority such as Verisign, or did you create it yourself with Visual Studio? If you created it yourself, you can just create a new one or extend the old one.
January 6, 2012 at 6:46 pm |
Thanks, this works for me :D…
January 10, 2012 at 12:00 am |
while trying to run the renewcert.exe i am getting an error like:
The application has failed to start because its side-by-side configuration is in
correct. Please see the application event log or use the command-line sxstrace.e
xe tool for more detail.
After tracing the error i found :
ERROR: Cannot resolve reference Microsoft.VC80.DebugCRT,processorArchitecture=”x86″,publicKeyToken=”1fc8b3b9a1e18e3b”,type=”win32″,version=”8.0.50727.762″.
ERROR: Activation Context generation failed.
I have installed the C++ redistributable for 2005,2005 SP1,2008,2008 SP1,2010 still the problem persists.
Please help me out
February 12, 2012 at 7:35 pm |
Have you managed to resolve this yet? Do you still need help?
February 1, 2012 at 3:07 pm |
>makecert -sv MakarioUK.pvk -n “cn=MakarioUK” MakarioUK.cer -b 01/01/2011 -e 01/01/2050 -r
February 12, 2012 at 8:36 pm |
That’s nice. If you want to create a certificate that lasts 40 years, that’s your prerogative. It’s a securiy issue if you’re going to use it on the internet, though, because once the user accepts it, anybody who uses your certificate for the next 40 years can deploy software with your information attached to it!
March 12, 2012 at 5:19 pm |
I get PFXImportCertStore failed with error 0x56: The specified network password is not
correct.
I know the password is correct, as I enter it successfully when opening the pfx file in VB2008.
Any suggestions? Command line I used was renewcert “key 1.pfx” “key 1 extended.pfx” password
March 12, 2012 at 5:21 pm |
ooh, sorry to double post but I can’t edit.
I went back to the top and read the syntax.. hehe it works fine!
Weird the program itself doesn’t tell you the correct syntax XD
May 1, 2012 at 10:10 pm |
Glad you got it to work!
Robin
March 27, 2012 at 7:37 pm |
You saved me! Thank you for this. ❤
April 22, 2012 at 7:04 pm |
[…] RenewCert verzió, ami nálam a C runtime library-kre hivatkozva elszállt, de szerencsére Robin Shahan blogjában találtam egy olyan változatot, ami mellett ott állnak a szükséges dll-ek is. Ezzel egy […]
April 22, 2012 at 7:19 pm |
[…] RenewCert verzió, ami nálam a C runtime library-kre hivatkozva elszállt, de szerencsére Robin Shahan blogjában találtam egy olyan változatot, ami mellett ott állnak a szükséges dll-ek is. Ezzel egy […]
November 24, 2012 at 7:07 pm |
HI, im trying to renew a certificate I use in a silverlight Out of browser application, I used the RenewCert to create the new version of the certificate and I installed it on the certificate store of my computer. I didn´t rebuild my silverlight application. Now I go to the webpage where my application is embedded and it seems that i do not recognize that I have I new certificate with a longer expiracy date. I checked the properties of the certificates and compared them. I realized that the serial number and the key signature is totally different. Is it possible to renew the certificate without changing the serial number and key signatures??? Please help, (sorry for my english)
January 7, 2013 at 3:30 pm |
I’m guessing you have to update the Silverlight application. Try rebuilding it (with the new certificate). I’m not really sure why you need to extend the certificate, as Silverlight doesn’t use ClickOnce, and I believe just needs a valid certificate in order to work?
November 27, 2012 at 11:49 am |
I have attempted to walk through this working through Visual Studio on a local workstation, then I build the application and copy the files out to an existing installation… is there something else involved to get this to work? Does the application need to be republished? Frustrated and would appreciate any help…
January 7, 2013 at 3:27 pm |
You can’t just copy the files out on top of an existing installation. You have to either publish a new version or create new manifests with Mage or MageUI with a new version number, and copy the new version to your deployment directory.
December 13, 2012 at 9:26 pm |
Great stuff! Thanks so much for this – I’ve been trying to use renewcert from Cliff without success due to the prerequisites. It turns out that having Visual Studio 2010 with C++ installed won’t do the job, however many redistributables you install. Your Microsoft.VC80.DebugCRT folder saved the day, and stopped me from going medieval on my keyboard. Thanks again!
January 7, 2013 at 3:23 pm |
I would hate for your keyboard — an innocent bystander — to be hurt. Next thing you know, it will get all resentful and stop sending the keys you press, so “hello” could be sent as “bite me”, which could seriously impact any communications you have with your upper management. So in the interest of your continued employment, I’m glad I was able to help. 😉
January 10, 2013 at 9:35 am |
I’m assuming most of the pain here is NOT VS2010 / dotNet 4.0 – because surely by now Microsoft has implemented the ‘correct’ certificate renewal strategy? seriously – when I renew the certificate from Thawte – it cannot be (their words) the same key pair. so – will this all ‘just work’ yet?
February 24, 2013 at 2:37 pm |
At the top of the article, there is a link to an MSDN article about certificate expiration that shows the cases where it works and doesn’t work. It is not a VS issue, it is a .NET Framework issue. It should be okay in .NET 4. I have to say, though, that I wouldn’t use a Thawte certificate for a VSTO application; Thawte has intermediate certificates and for VSTO applications, it is not recognized correctly.
February 25, 2013 at 8:25 am |
Thanks Robin. We were unaware of the issues with the Thawte certificates when we started this project… I asked my corp IT for a code signing certificate, and that was what I was provided. Yes, we found an issue – we basically have to install the certificate on the end-user pc… but at least the ‘renewal’ went smoothly – and the installed certificates updated themselves…. thankfully!
March 19, 2013 at 8:30 pm |
I’m trying this for the second time…we had to do this in 2008, and it worked okay. We now have two certificates which are expiring again after the 5-year window (that we didn’t know we could circumvent). Does this work two times in a row?
I keep getting an error when using renewcert with the parameters exactly as described. The error I receive is not in the command line, but in Visual Studio: when attempting the ClickOnce publish, it fails with the following error: “certificate is not valid for signing”. I’m basically at a loss at this point, especially since I have another program I’ve been asked to handle, which has this same problem (expires on Mar. 20). Any ideas? Thanks in advance!
April 6, 2013 at 4:51 pm |
I would be sure to name the new version of the certificate with a different file name, and make sure you’re selecting the file when doing the signing in Visual Studio so you make sure you are getting the new certificate and not using the old one.
March 19, 2013 at 8:41 pm |
Well I kept trying some other actions:
I tried using the original key as the first parameter – no joy, same error.
I tried using the first extended key – no joy, same error.
I tried setting the system time to a previous date where the keys would not already be expired – no joy, same error.
While this is a great learning opportunity, I’ve pretty much run out of ideas. Any others? Thanks in advance.
April 6, 2013 at 4:52 pm |
Are you having a problem with RenewCert or with using the certificate in Visual Studio? Your other question seems to indicate having a problem using the certificate in VS.
June 25, 2013 at 1:49 am |
Great help, Thx!!!!
October 3, 2013 at 4:16 pm |
I am getting the errors that sayantani got in an earlier post. The application has failed to start because its side-by-side configuration is incorrect.
I have everything in the same folder (program and pfx files).
I have Visual Studio 2008 with C++ installed. I’m on Windows 7. What else do I need to have to get it to work?
Thanks,
Chris
November 1, 2013 at 3:02 pm |
Can you please post specifically what errors you’re seeing? What version of the C++ runtime do you have installed?
Robin
November 1, 2013 at 4:01 pm |
The error was:
The application has failed to start because its side-by-side configuration is in
correct. Please see the application event log or use the command-line sxstrace.exe tool for more detail.
I have Microsoft Visual C++ 2005 Redistributable (8.0.59193) and Microsoft Visual C++ 2008 Redistributable – x64.9.0.30729.17 (9.0.30729) showing in my installed programs list. I also have Microsoft Windows SDK for Visual Studio 2008 (6.1.5294.17011) in the list.
I have a clickOnce application with a key that just expired. I was hoping to extend the key so that I didn’t have to uninstall and re-install the program on all my user’s computers. The original developer is not working here, so I don’t think that I have the password for the key available any way. I might just have to create a new key and go ahead and do the uninstall/install.
I am also moving the install directory to a new server, so an uninstall/install might be the best solution for me.
Chris
January 29, 2014 at 11:14 pm |
life saver !
thanks a lot.
March 24, 2014 at 12:27 am |
[…] adott programot, akkor ott ismét előkerülhet ez a kérdés (ez és ez is ilyenről szól, ott ez a […]
July 4, 2014 at 1:11 am |
I bought a certificate from “Go Daddy” which expired this moth. I extenden it with renewcert.exe as you explained in this article. The extended certificate has worked for WinForm but not for vsto (Word Add In). While installing the Word AddIn i get the message that the certificate is not trustworthily. How can i get it work for Wrord add In? Thanks
July 7, 2014 at 9:17 am |
When you extend the certificate from GoDaddy, it is no longer from a valid publisher. For the certificate to come from a valid Certificate Authority, you have to pay for a renewal. You can use your extended not-from-a-CA certificate for Windows Forms and WPF applications, but you will find that it will come up and say “Unknown Publisher” when a customer installs the application. With Windows 8, the Smart Screen Filter will catch it, and your customer can select “more info” and then “run anyway”. Because of the security issues with Office add-ins, they have more stringent requirements, and you can not use a certificate that is not from a Certificate Authority; the only solution is to purchase a new one.
July 8, 2014 at 3:23 am |
Thank you for your reply. Actually I got a new cerificate from GoDaddy that is valid for more 2 years.
The new certificate is signed with a new signature algorithm called ‘sha256RSA’. I used the new certificate to sign my Office Solution. The propblem is I got a warning “Unknown publisher”. Although the certificate is from CA, the publisher can’t be recognised while installing the Word AddIn.
The old expired cetificate I used to publish the Office Solution was singned with a different signature algorithm und it worked fine.
We develop with Visual Studio 2013 and .NET 4. Can you please.tell me waht can I do.
July 8, 2014 at 9:55 am |
It is good that you got a SHA256 cert instead of a 128 one. 128 is no longer used, and will be completely phased out pretty soon. If you import the certificate into your cert store, and then double-click on it and look at it, does it have you or your company as the publisher?
July 9, 2014 at 2:16 am
yes. when I select the certificate from the store I have my company as publisher and everything regarding the cerificate in Visual Studio is fine. Now I have a new problem that occurs on a test compouter. On that computer ist win7 and .NET 4 insatlled. The problem occurs while installing the Office Soltion:
” Exception reading manifest from http://…wordAddIn.vtso: The manifest may not be valid or the file could not be opened.”
Any Idea? Thank you
July 9, 2014 at 2:28 am
typying error: the error message ist:
” Exception reading manifest from http://…wordAddIn.vsto: The manifest may not be valid or the file could not be opened.”
vsto not vtso 🙂
August 12, 2014 at 12:56 pm |
Just wanted to pop in and say thanks for this post. Nice to get everything I needed in one place without spending an hour putting out the expired cert problem.
Really concise and appreciated!
Kind regards.
April 28, 2016 at 8:44 am |
Thank you for posting this – it has saved me!
May 1, 2016 at 11:16 am |
Glad I was able to help!
Robin