First published on TECHNET on Jul 12, 2011
Special thank you goes out to Minfang Lv, our SCUP Lead Tester, who wrote this step by step guide to creating your own signing certificate.
System Center Update Publisher 2011 is an application that can be used with System Center Configuration Manager to deploy third-party software updates: http://technet.microsoft.com/en-us/systemcenter/bb741049 .
To publish updates to a WSUS server and deploy them to Configuration Manager clients, you need a signing certificate for System Center Update Publisher 2011. You can either generate a self-signed certificate through the System Center Update Publisher 2011 UI or use a certificate from your own Public Key Infrastructure. A certificate from your own PKI must meet these requirements:
- Allow private key to be exported option enabled
- Key Usage set to Digital Signature
- Key size of at least 2048 bits
This post shows, step by step, how to create and deploy a System Center Update Publisher signing certificate with a Windows Server 2008 R2 certification authority (CA) and Group Policy.
Step 1: Creating and Issuing the Signing Certificate Template on the Certification Authority
1. On the machine that is running the Certification Authority, click Start, Programs, Administrative Tools, Certification Authority.
2. Expand the name of your certification authority (CA), and then click Certificate Templates.
3. Right-click Certificate Templates, and click Manage to load the Certificate Templates management console.
4. In the results pane, right-click the entry that displays Code Signing in the Template Display Name column, and then click Duplicate Template. Select the "Windows Server 2003 Enterprise" radio button and click OK.
5. In the Properties of New Template dialog box, on the General tab, enter a name for the signing certificate template, such as SCUPCodeSigning.
6. Click the Request Handling tab, and check Allow private key to be exported.
7. Click the Subject Name tab, and then click Build from this Active Directory information.
8. Click the Extensions tab, and make sure Key Usage includes Digital signature.
9. Click the Security tab, select Authenticated Users, and grant it Read and Enroll permissions.
10. Leave the other settings at their defaults. Click OK and close the Certificate Templates console.
11. In Certification Authority, right-click Certificate Templates, click New, and then click Certificate Template to Issue.
12. In the Enable Certificate Templates dialog box, select the new template you have just created, SCUPSigningCertificate, and then click OK.
Step 2: Requesting the Signing Certificate
1. On a domain-joined machine, in the search box, type mmc.exe, and then press Enter.
2. In the empty management console, click File, and then click Add/Remove Snap-in.
3. In the Add or Remove Snap-ins dialog box, select Certificates from the list of Available snap-ins, and then click Add.
4. In the Certificates snap-in dialog box, select My user account, and then click Finish.
5. In the Add or Remove Snap-ins dialog box, click OK.
6. In the console, expand Certificates - Current User, expand Personal, and click Certificates.
7. Right-click Certificates, click All Tasks, and then click Request New Certificate….
8. Follow the Certificate Enrollment wizard to select the newly created certificate template, set a friendly name in the certificate properties, and click Enroll.
9. After enrollment succeeds, you will find the new certificate under Certificates - Current User -> Personal -> Certificates.
10. Right-click the certificate you just enrolled and click All Tasks -> Export. Follow the export wizard to export the certificate without the private key and save it as scup.cer for Step 3.
11. Export the certificate again, and this time select Yes, export the private key on the second page of the Certificate Export Wizard, and save it as SCUPCodeSign.pfx.
Step 3: Deploy the Signing Certificate through Group Policy
1. On the domain controller, click Start, click Administrative Tools, and then click Group Policy Management.
2. Navigate to your domain, right-click the domain, and then select Create a GPO in this domain, and Link it here.
Note: This step uses the best practice of creating a new Group Policy for custom settings rather than editing the Default Domain Policy that is installed with Active Directory Domain Services. By assigning this Group Policy at the domain level, you apply it to all computers in the domain. In a production environment, you can restrict the deployment so that it applies only to selected computers by assigning the Group Policy at an organizational unit level.
3. In the New GPO dialog box, enter a name for the new Group Policy, such as SCUP Signing Certificate, and click OK.
4. In the results pane, on the Linked Group Policy Objects tab, right-click the new Group Policy, and then click Edit.
5. In the Group Policy Management Editor, expand Policies under Computer Configuration, and then navigate to Windows Settings / Security Settings / Public Key Policies / Trusted Root Certification Authorities.
6. Click the Action menu, and then click Import. Follow the Certificate Import Wizard and import the scup.cer created in Step 2.
7. In the Group Policy Management Editor, expand Policies under Computer Configuration, and then navigate to Windows Settings / Security Settings / Public Key Policies / Trusted Publishers.
8. Click the Action menu, and then click Import. Follow the Certificate Import Wizard and import the scup.cer created in Step 2.
9. Close Group Policy Management.
Note: Import the scup.cer file, not the SCUPCodeSign.pfx file. It is not safe to distribute the certificate together with its private key to all client machines.
The policy must take effect on the WSUS server before you can publish full-content updates successfully. To apply the policy immediately, run "gpupdate /force /target:Computer" on the WSUS server.
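The following PowerShell script is an added verification step, not part of the original post: run it on the WSUS server after gpupdate to confirm that the exported scup.cer meets the requirements listed at the top (2048-bit key, Digital Signature key usage, Code Signing EKU from the duplicated template) and that Group Policy has placed it in both the Trusted Root Certification Authorities and Trusted Publishers machine stores. The file path is an assumption; it uses only .NET X509 classes so it also runs on the PowerShell 2.0 that ships with Windows Server 2008 R2.

```powershell
# Assumed location of the scup.cer exported in Step 2 (adjust to your environment).
$cerPath = "C:\Temp\scup.cer"
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
$problems = @()

# Requirement: key size of at least 2048 bits.
$keySize = $cert.PublicKey.Key.KeySize
if ($keySize -lt 2048) { $problems += "Key size is $keySize bits, expected at least 2048" }

# Requirement: Key Usage extension (OID 2.5.29.15) must include Digital Signature.
$ku = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.15" }
$digSig = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature
if (-not $ku -or ([int]($ku.KeyUsages -band $digSig) -eq 0)) {
    $problems += "Key Usage does not include Digital Signature"
}

# The template was duplicated from Code Signing, so the EKU extension (OID 2.5.29.37)
# should carry the Code Signing purpose 1.3.6.1.5.5.7.3.3.
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" }
$hasCodeSigning = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq "1.3.6.1.5.5.7.3.3" })
if (-not $hasCodeSigning) { $problems += "Enhanced Key Usage does not include Code Signing" }

# Step 3 outcome: the public certificate (never the .pfx) must be present in both
# LocalMachine stores that the GPO populates. Matching is by thumbprint.
foreach ($storeName in "Root", "TrustedPublisher") {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store $storeName, "LocalMachine"
    $store.Open("ReadOnly")
    $found = $store.Certificates.Find("FindByThumbprint", $cert.Thumbprint, $false)
    $store.Close()
    if ($found.Count -eq 0) {
        $problems += "Certificate $($cert.Thumbprint) is not in LocalMachine\$storeName (policy not applied yet?)"
    }
}

if ($problems.Count -eq 0) {
    Write-Output "OK: $($cert.Subject) ($($cert.Thumbprint)) meets the SCUP requirements and is trusted on this machine"
} else {
    $problems | ForEach-Object { Write-Output "FAIL: $_" }
    exit 1
}
```

If a store check fails right after the GPO was linked, rerun after "gpupdate /force /target:Computer" has completed; an EKU or key-size failure means the template in Step 1 was not configured as described and the certificate should be reissued rather than trusted.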
Step 4: Using the Signing Certificate in System Center Update Publisher
1. Open the System Center Update Publisher 2011 console.
2. Click the Menu icon and click Options.
3. In the System Center Updates Publisher Options dialog box, select Update Server.
4. Click Browse and select the SCUPCodeSign.pfx you created in Step 2. Enter the password and click OK.
5. Click OK to close the System Center Updates Publisher Options dialog box.
You can now publish updates through System Center Update Publisher 2011 and deploy them to clients through System Center Configuration Manager.
Note: The above example uses the Code Signing template, whose Subject Type is User. If you use a template whose Subject Type is Machine, then in Step 2 you need to open the My computer (Local) certificate store to request and enroll the certificate. The other steps are the same.
Updated Oct 16, 2018, Version 2.0, by Jason Lewis (Microsoft)