At the Visual Studio 2017 launch event here in Singapore I picked up a copy of the VS 2017 Enterprise offline installer files (16.2 GB).
I was told something about certificates I have to install, but I ignored that and tried to run the installer without an internet connection.
Lo and behold, it failed because it couldn't connect to the internet.
After installing the three *.p12 certificates in the layoutroot\certificates folder, it worked fine without trying to go online.
Well, I don't like to install random certificates on my machine, and I looked into what they are:
Open the Certificates MMC snap-in and navigate to:
Console Root - Current User - Intermediate Certification Authorities - Certificates
You should be able to see:
```
File    : layoutRoot\certificates\manifestSignCertificates.p12
msc:    : Microsoft Code Signing PCA 2011
Path    : Cert:\currentuser\CA\F252E794FE438E35ACE6E53762C0A234A2C52135
Subject : CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File    : layoutRoot\certificates\manifestCounterSignCertificates.p12
msc:    : Microsoft Time-Stamp PCA 2010
Path    : Cert:\currentuser\CA\2AA752FE64C49ABE82913C463529CF10FF2F04EE
Subject : CN=Microsoft Time-Stamp PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File    : layoutRoot\certificates\vs_installer_opc.SignCertificates.p12
msc:    : Microsoft Code Signing PCA
Path    : Cert:\currentuser\CA\3CAF9BA2DB5570CAF76942FF99101B993888E257
Subject : CN=Microsoft Code Signing PCA, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
```
All three are code signing related and are used by the installer to verify the digital signatures of the installation packages. Without these certs, the installer would have to go online to check these certificates.
Because they don't have a key usage of Server Authentication, they cannot be used to act as a man in the middle for your TLS web traffic.
Furthermore, because they are only in the Cert store for the user who installed Visual Studio, they don't affect other users.
Visual Studio will run without them, so you could delete them, but you may need them if you want to add/remove VS features later while still offline.
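To read the same properties from the command line before importing anything, the following added example (not code from the original post) loads each .p12 into an in-process collection and reports subject, thumbprint, private-key presence and enhanced key usage. `Get-P12Report` is a hypothetical helper name; the layout path and thumbprints are the ones given in the post, and the files are assumed to have no password.

```powershell
# Added example: inspect the layout's .p12 files without importing them.
$layoutDir = 'X:\Software\vs2017offline'   # layout path used in the post; adjust to yours

# Thumbprints as listed in the post for each file.
$expected = [ordered]@{
    'manifestSignCertificates.p12'          = 'F252E794FE438E35ACE6E53762C0A234A2C52135'
    'manifestCounterSignCertificates.p12'   = '2AA752FE64C49ABE82913C463529CF10FF2F04EE'
    'vs_installer_opc.SignCertificates.p12' = '3CAF9BA2DB5570CAF76942FF99101B993888E257'
}
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth (TLS server authentication)

function Get-P12Report {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ExpectedThumbprint
    )
    $certs = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $certs.Import($Path)   # parses the file; nothing is added to a certificate store
    foreach ($cert in $certs) {
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $oids = @()
        if ($eku) { $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
        [pscustomobject]@{
            File          = Split-Path $Path -Leaf
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            MatchesPost   = ($cert.Thumbprint -eq $ExpectedThumbprint)
            HasPrivateKey = $cert.HasPrivateKey
            # An absent EKU extension places no restriction on purpose, so it is
            # reported separately from "EKU present but without serverAuth".
            HasEku        = [bool]$eku
            ServerAuthEku = ($oids -contains $serverAuthOid)
            NotAfter      = $cert.NotAfter
        }
    }
}

$report = foreach ($name in $expected.Keys) {
    Get-P12Report -Path (Join-Path $layoutDir "certificates\$name") -ExpectedThumbprint $expected[$name]
}
$report | Format-List
```

A row with `MatchesPost` false or `HasPrivateKey` true is worth a closer look before importing that file.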
Here's an example of some PowerShell I use to install VS 2017:
```powershell
$layoutDir = "X:\Software\vs2017offline"
$wlBase = "Microsoft.VisualStudio.Workload"

# Import the three certificates into the current user's Intermediate Certification Authorities store
Import-PfxCertificate -FilePath "$layoutDir\certificates\manifestCounterSignCertificates.p12" -CertStoreLocation Cert:\currentuser\CA -Verbose
Import-PfxCertificate -FilePath "$layoutDir\certificates\manifestSignCertificates.p12" -CertStoreLocation Cert:\currentuser\CA -Verbose
Import-PfxCertificate -FilePath "$layoutDir\certificates\vs_installer_opc.SignCertificates.p12" -CertStoreLocation Cert:\currentuser\CA -Verbose

# Run the installer from the layout. The workload IDs are quoted because an unquoted
# $wlBase.NetCoreTools is parsed as a property access on the string and expands to nothing.
& "$layoutDir\vs_enterprise__1481358475.1484949683.exe" --norestart --add "$wlBase.NetCoreTools" --add "$wlBase.NetWeb"
```