For me, the solution took 4 lines in the publish profile xml.

<AllowUntrustedCertificate>True</AllowUntrustedCertificate>
<UseMsDeployExe>true</UseMsDeployExe>
<UserName>myuser</UserName>
<Password>mypass</Password>

The UseMsDeployExe changes the error to ignore the certificate, but not authenticate the user, hence the need for the user and pass (of the machine you're deploying to)

No changes were needed in the powershell script.

I had <UsePowerShell>True</UsePowerShell> but it was still failing with the cert error.

• I re-entered my password in the settings dialog and it still failed
• Once I clicked on Validate Connection it started working.

Note

• VS 2017 (15.2)
• My password recently changed
• As a test, entered the wrong password and I got the cert error so the cert error is not just about an untrusted cert apparently

The option to allow untrusted certificates is not yet supported in the current tooling. Hopefully, this gets updated very soon. You can, however, set it manually.

1. Open the publish profile file (.pubxml) inside /Properties/PublishProfiles in a text editor
2. Inside the <PropertyGroup> element, set AllowUntrustedCertificate to True (<AllowUntrustedCertificate>True</AllowUntrustedCertificate>) or add it if it doesn't exist
3. Set UsePowerShell to False (<UsePowerShell>False</UsePowerShell>).

At this time of writing, the generated powershell script disregards the AllowUntrustedCertificate property which is probably a bug, hence, the need to set it to False.

You can get powershell to work if you update the module version in the .ps1 file.

As a side note, you can also get around this problem by "trusting" the server's certificate locally.

Yet another solution

I created publish settings on the remote IIS and imported them in Visual Studio 2017 (15.2). After that I changed the URL to specify the sitename as the IIS-user only has access to the specific site (thanks to this answer on SO). I've entered the credentials via the UI and there is no need to store the password in the profile.

My profile looks like:

<WebPublishMethod>MSDeploy</WebPublishMethod>
<LastUsedBuildConfiguration>Release</LastUsedBuildConfiguration>
<LastUsedPlatform>Any CPU</LastUsedPlatform>
<SiteUrlToLaunchAfterPublish>https://some.site.com:443/</SiteUrlToLaunchAfterPublish>
<LaunchSiteAfterPublish>True</LaunchSiteAfterPublish>
<ExcludeApp_Data>False</ExcludeApp_Data>
<PublishFramework>netcoreapp1.1</PublishFramework>
<ProjectGuid>eecf975e-f2e6-440f-bfd6-a0a63c25e3c3</ProjectGuid>
<MSDeployServiceURL>https://url.toourserver.com:8172/msdeploy.axd?site=some.site.com</MSDeployServiceURL>
<DeployIisAppPath>some.site.com</DeployIisAppPath>
<RemoteSitePhysicalPath />
<SkipExtraFilesOnServer>True</SkipExtraFilesOnServer>
<MSDeployPublishMethod>WMSVC</MSDeployPublishMethod>
<EnableMSDeployBackup>True</EnableMSDeployBackup>
<UserName>IISUserName</UserName>    
<AllowUntrustedCertificate>True</AllowUntrustedCertificate>    
<_SavePWD>True</_SavePWD>

<AllowUntrustedCertificate> was needed as the self signed certificate is not trusted on my machine.

With this profile a backup is made according to the settings in IIS, the site is updated and opened in my browser when the process is finished :-)

Although all the other answers here also made it work, I thought it would be nice to share this way as it involves only a few changes (AllowUntrustedCertificate) and no storage of plain passwords.

For dot net core 1.0 you have to add the tag

 <AllowUntrustedCertificate>True</AllowUntrustedCertificate>

to publishprofiles in your .pubxml file

After importing or creating profile click configure and then validate connection. Enter password and finish the setup. Now deploy.