ClickOnce Application, Expired Certificates & Public Key Token PART I
ClickOnce allows application updates only if the updated application manifests are signed with the same certificate (publisher) that was used to originally sign the application manifests. However, most CAs, such as Verisign, and many enterprise customers' own CAs generate new certificates with new key pairs and only the same common name (CN).
The certificate is used for the Authenticode signature element and for the strong name signature element of the manifest file to protect it against tampering, and to provide identity information for the trust manager. If the signing certificate expires and you publish an application update with a renewed certificate which has different keys, then the update will fail with the error message described in the KB article.
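A pre-publish check for the situation described above, as an added example that is not part of the original post: it compares the `publicKeyToken` on the top-level `assemblyIdentity` of the deployed manifest with that of the candidate update. The manifest text, the application name `Sample.application` and the token values are constructed; the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

ASM_V1 = "urn:schemas-microsoft-com:asm.v1"
UNSIGNED_TOKEN = "0" * 16  # token written into manifests that were never signed


def sample_manifest(version, token):
    """Build a minimal, constructed deployment manifest for the demo."""
    return (
        '<asmv1:assembly manifestVersion="1.0" '
        'xmlns="urn:schemas-microsoft-com:asm.v2" '
        f'xmlns:asmv1="{ASM_V1}">'
        f'<assemblyIdentity name="Sample.application" version="{version}" '
        f'publicKeyToken="{token}" language="neutral" '
        f'processorArchitecture="msil" xmlns="{ASM_V1}" />'
        "</asmv1:assembly>"
    )


def manifest_identity(xml_text):
    """Return name, version and lower-cased token of the manifest's own identity."""
    root = ET.fromstring(xml_text)
    # Only the direct child identifies the manifest itself; nested
    # assemblyIdentity elements describe dependencies and are ignored.
    ident = root.find(f"{{{ASM_V1}}}assemblyIdentity")
    if ident is None:
        raise ValueError("manifest has no top-level assemblyIdentity")
    token = (ident.get("publicKeyToken") or "").lower()
    return {"name": ident.get("name"), "version": ident.get("version"), "token": token}


def check_update(deployed_xml, candidate_xml):
    """Classify a candidate update against the manifest clients already have."""
    old = manifest_identity(deployed_xml)
    new = manifest_identity(candidate_xml)
    if not old["token"] or not new["token"] or UNSIGNED_TOKEN in (old["token"], new["token"]):
        return "unsigned"
    if old["name"] != new["name"]:
        return "different-application"
    if old["token"] != new["token"]:
        return "key-changed"  # renewed certificate was issued with a new key pair
    return "ok"


# Constructed inputs: one deployed manifest and three candidate updates.
DEPLOYED = sample_manifest("1.0.0.0", "a1b2c3d4e5f60718")
SAME_KEY = sample_manifest("1.0.0.1", "A1B2C3D4E5F60718")
NEW_KEY = sample_manifest("1.0.0.1", "0918273645f6e7d8")
UNSIGNED = sample_manifest("1.0.0.1", UNSIGNED_TOKEN)

if __name__ == "__main__":
    for label, xml in (("same key", SAME_KEY), ("new key", NEW_KEY), ("unsigned", UNSIGNED)):
        print(label, "->", check_update(DEPLOYED, xml))
```

A `key-changed` result before publishing means the renewed certificate does not carry the original key pair, which is the condition under which the update fails.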