Blog Post

Configuration Manager Archive
5 MIN READ

System Center Updates Publisher Signing Certificate Requirements & Step-by-Step Guide

Jason Lewis's avatar
Jason Lewis
Icon for Microsoft rankMicrosoft
Oct 16, 2018
First published on TECHNET on Jul 12, 2011

Special thank you goes out to Minfang Lv, our SCUP Lead Tester, who wrote this step by step guide to creating your own signing certificate.

System Center Update Publisher 2011 is an application that can be used with System Center Configuration Manager to deploy 3 rd party software updates: http://technet.microsoft.com/en-us/systemcenter/bb741049 .

To have the ability to publish updates to WSUS Server and deploy updates to Configuration Manager Clients, you need a signing certificate for System Center Update Publisher 2011. You can either generate a self-signed certificate through System Center Update Publisher 2011 UI or use a certificate from your own Public Key Infrastructure.

The minimum requirements of System Center Update Publisher 2011 signing certificate are:
  1. Allow private key to be exported option enabled
  2. Key Usage set to digital signature
  3. Minimum key size is at least 2048

This following post will show you the step by step on how to create and deploy a System Center Update Publisher signing certification with Windows Server 2008 R2 certification authority (CA) and Group Policy.

Step 1: Creating and Issuing the Signing Certificate Template on the Certification Authority

  1. On the machine that running the Certification Authority, click Start , Programs , Administrative Tools , Certification Authority .
  2. Expand the name of your certification authority (CA), and then click Certificate Templates .
  3. Right-click Certificate Templates , and click Manage to load the Certificates Templates management console.
  4. In the results pane, right-click the entry that displays Code Signing in the Template Display Name column, and then click Duplicate Template . Select “Windows Server 2003 Enterprise” radio box and click OK .

  1. In the Properties of New Template dialog box, on the General tab, enter a template name for the site server signing certificate template, such as SCUPCodeSigning .

6. Click the Request Handling tab, and check Allow private key to be exported .

7. Click the Subject Name tab, and then click Build from this Active Directory information .

8. Click the Extensions tab, and make sure Key Usage has the Digital signature .

9. Click the Security tab, select Authenticated Users and grant it Read and Enroll permission.

10. Leave the other as default. Click OK and close the Certificate Templates administrator console.
11. In Certification Authority , right-click Certificate Templates , click New , and then click Certificate Template to Issue.
12. In the Enable Certificate Templates dialog box, select the new template you have just created, SCUPSigningCertificate , and then click OK .

Step 2: Requesting the Signing Certificate

1. On a domain joined machine, in the search box, type mmc.exe , and then press Enter .
2. In the empty management console, click File , and then click Add/Remove Snap-in .
3. In the Add or Remove Snap-ins dialog box, select Certificates from the list of Available snap-ins , and then click Add .
4. In the Certificate snap-in dialog box, select My user account , and then click Finish .
5. In the Add or Remove Snap-ins dialog box, click OK .
6. In the console, expand Certificates - Current User , expand Personal and click Certificates
7. Right click Certificates , and click All Tasks and Request New Certificate…
8. Follow the Certificate Enrollment wizard to select the new created certificate template, set a friendly name in certificate properties and click Enroll :

9. After enroll succeed, you will find the new certificate under Certificates - Current User -> Personal -> Certificates .
10. Right click the certificate you just enrolled and click All Tasks -> Export . Follow the export wizard to export the certificate without private key and save to scup.cer for Step 3.
11. Export the certificate again, and this time, select Yes, export the private key in the second page of Certificate Export Wizard , and save to SCUPCodeSign.pfx.

Step 3: Deploy the Signing Certificate through Group Policy

1. On the domain controller, click Start , click Administrative Tools , and then click Group Policy Management .
2. Navigate to your domain, right-click the domain, and then select Create a GPO in this domain, and Link it here .

Note: This step uses the best practice of creating a new Group Policy for custom settings rather than editing the Default Domain Policy that is installed with Active Directory Domain Services. By assigning this Group Policy at the domain level, you will apply it to all computers in the domain. However, on a production environment, you can restrict the deployment so that it applies on only selected computers by assigning the Group Policy at an organizational unit level.

3. In the New GPO dialog box, enter a name for the new Group Policy, such as SCUP Signing Certificate , and click OK .
4. In the results pane, on the Linked Group Policy Objects tab, right-click the new Group Policy, and then click Edit .
5. In the Group Policy Management Editor , expand Policies under Computer Configuration , and then navigate to Windows Settings / Security Settings / Public Key Policies / Trusted Root Certificate Authorities .
6. Click the Action menu, and then click Import . Follow the Certificate Import Wizard and import the scup.cert created in Step 2.
7. In the Group Policy Management Editor , expand Policies under Computer Configuration , and then navigate to Windows Settings / Security Settings / Public Key Policies / Trusted Publisher .
8. Click the Action menu, and then click Import . Follow the Certificate Import Wizard and import the scup.cert created in Step 2.
9. Close Group Policy Management .

Note: Import the scup.cer file, not the SCUPCodeSign.pfx file.  It’s not safe to distribute the certificate with the private key to all client machines.

You need this to take effect on the WSUS Server to publish full content successfully. To make the policy applies immediately, you can run “gpupdate /force /target:Computer” on the WSUS Server.

Step 4: Using the Signing Certificate in System Center Update Publisher

1. Open System Center Update Publisher 2011 console.
2. Click Menu icon and click Options .
3. In the System Center Updates Publisher Options Dialogue , select Update Server .
4. Select Browse and select the SCUPCodeSign.pfx you created in Step2. Enter the password and click OK .

5. Click OK to close the System Center Updates Publisher Options Dialogue

Now you’re fine to publish updates through the System Center Update Publisher 2011 and deploy the clients through System Center Configuration Manager.

Note: The above example uses the Code Signing template whose Subject Type is User . If you use a template whose Subject Type is Machine , then in Step 2, you need to open the My computer (Local) Certificate Store to request enroll the certificate. Other steps are same.

Updated Oct 16, 2018
Version 2.0