ClickOnce signer's certificate not valid for signing when using makecert/pvk2pfx

Question

All of a sudden my unexpired certificate created using makecert/pvk2pfx is throwing an error when attempting to publish a ClickOnce application. This worked

Answer 1

I had a Visual Studio 2013 project that I could sign with a (Visual Studio-generated) pfx file, but that same certificate would not work using the SignTool, no matter what I did.

I then started making new certs using MakeCert and Pvk2Pfx, and that didn't work either. I tried changing the encryption from SHA1 to SHA512, changing the key length from 256 to 2048 (as suggested elsewhere), changing the version of SignTool, etc, etc.

I must have checked 1,000 different links containing "The Signer's Certificate Is Not Valid For Signing".

I'm summarizing the main things that will most likely fix the problem. This is all based on generating a new pfx file; the Visual Studio-generated one won't be usable.

1. Generate your .cer and .pvk files using MakeCert with the -len switch set to at least 1024 - or, better for future-proofing, 2048 - and the all-important -r switch which self-signs the certificate. I explicitly added an end date (using -e 12/31/2039) and SH256 encryption algorithm (-a SHA256). I suggest adding a password.
2. Generate your .pfx file from the .cer and .pvk files using Pvk2Pfx with the standard/default switches.
3. Use SignTool to sign the assembly, using -p {YourPassword} matching the MakeCert-provided password.