The Most Secure Way to Provision SCUP Certificates for Client Machines and the WSUS/SCUP Server

  • Article

Description: The Most Secure Way to Provision System Center Update Publisher (SCUP) Certificates for Client Machines and the WSUS/SCUP Server.

Supporting Article: https://social.technet.microsoft.com/forums/en-US/configmgrsum/thread/f53e8ee3-dfc9-4d4b-92e6-447546150853

Notice the certificate that SCUP uses or will accept when configuring the certificate in SCUP in the Settings location within the console, SCUP will only accept .PFX Personal Information Exchange certificates. So this means that .CER certificates cannot be used with SCUP. If you use a certificate you configured for IIS and WSUS as the above article mentions, you have to export the certificate out to a .PFX certificate before SCUP will accept and can use it.

Since this wasn't mentioned in documentation I, or I can't find it, members on my Team, and I'm sure others, was exporting the .CER type certificate. Which does not work or is accepted my the SCUP product.  

So what should be known and what I've discovered is the following:

Must use a .PFX Personal Information Exchange certificate when importing a Cert into SCUP under the Setting Option. Since this is a .PFX cert which holds the Public and Private Key, you do not want to deploy this type of certificate on client machines. This would be like giving out your login id and password to everyone that gets the certificate.

What you want to do is export ONLY the Public Key portion of the PFX certificate, which then will be a .CER certificate built from the .PFX certificate and only has the Public Key. Then you can use Group Policy to deliver the certificate to clients.

So I would see the steps as follows:

On the WSUS/SCUP Server

Step 1. Click Start -> Run -> MMC

Step 2. File -> Add/ Remove Snap-In -> Add -> Certificates

Step 3. Choose Computer account -> Local Computer -> Add -> Close -> OK

Step 4. Expand Certificates (Local Computer) -> Expand WSUS -> Click Certificates

Step 5. Find the Certificate you created for use WSUS/SCUP, or Find the Self Sinning certificate automatically created by SCUP, Right Click it -> All Tasks -> Export. Must be a .PFX certificate.

Note and Remember: A .PFX Personal Information Exchange certificate holds the Public and Private Key. So 1. you don't want to deploy this type of certificate on client desktop computers. and 2. You do not need this type of certificate in the Trusted Publishers and Trusted Root Certification Authorities store. The .CER type certificate will work just find and does not have the Public Key associated with it.

Step 6. Click Next -> No, do not export the private key -> Next -> Select Base-64 encoded X.509 (.CER) -> Provide a location to export the certificate to -> Next -> Finish, to export the certificate.

Note: Base-64 encoded X.509 (.CER) is the highest encryption method that you can export to a (.CER) certificate.

For Provisioning the Certificate on the WSUS/SCUP server.

Step 7. Expand Certificates (Local Computer) -> Expand Trusted Publishers -> Click Certificates -> All Tasks -> Import -> Next -> Browse to the cert.CER file you just exported -> Next -> Ensure Place all certificates in the following store is selected. -> Next -> Finish, to complete importing the certificate.

Step 8. Expand Certificates (Local Computer) -> Expand Trusted Root Certificate Authorities -> Click Certificates -> All Tasks -> Import -> Next -> Browse to the cert.CER file you just exported -> Next -> Ensure Place all certificates in the following store is selected. -> Next -> Finish, to complete importing the certificate.

Now you only have Public Key in the "Trusted Root Certificate Authorities" and "Trusted Publishers" these stores.

Note: When you Import your own .PFX cert or using the Self-Signing Cert SCUP creates in the WSUS\Certificate Store, You now only have the Public Key for this Cert in one location on the WSUS/SCUP server. This is the most secure way of configuring the SCUP certificate.

Step 9. Perform Steps 7 and 8 to import the certificate manually on client machines. Or you can use Group Policy to deploy the cert.cer to client machines.