If a certificate is from a CA (e.g. GoDaddy, Verisign), does the certificate need to be installed on a client machine?
I have a SilverLight application that needs elevated privileges and will be installed on numerous client sites. I’m also trying to minimize the installation at each of the sites (100s of deployments per site with the application hosted locally at each site).
I believe the registry changes can be deployed via a group policy update.
If the certificate still needs to be deployed, is there a value of having a certificate from a CA over a self-signed application when the primary goal is minimizing local site administration?
Yes, if a certificate is from a CA, the certificate does need to be installed on the client machine. That said however, Microsoft does already install many root certificates as well as keeps this list up to date with Root Certificate updates. See the Root Certificate Membership List
GoDaddy and Verisign are currently apart of this list, so doing an extra step should be unnecessary on a computer which is up-to-date. This is not always the case, so it still might be required on some machines.
All that said, to run Silverlight in elevated privilege mode, the user must simply click that they ‘trust’ the application at install time. See MSDN Trusted Applications
Taking the time of getting a signature from a CA only buys your user’s a bit of extra peace of mind when the click the button as
They will see this:
Instead of:
If the goal is minimizing local site administration, then I don’t see that going through the trouble of getting a certificate to sign your application would meet that goal, its only there to help provide some security for your users, which doesn’t sound like it would be an issue.