Configuration Manager with Jason Lewis

Blog to support the System Center Configuration Manager community.

System Center Updates Publisher Signing Certificate Requirements & Step-by-Step Guide

Special thank you goes out to Minfang Lv, our SCUP Lead Tester, who wrote this step by step guide to creating your own signing certificate.


System Center Update Publisher 2011 is an application that can be used with System Center Configuration Manager to deploy third-party software updates: http://technet.microsoft.com/en-us/systemcenter/bb741049 .

To have the ability to publish updates to WSUS Server and deploy updates to Configuration Manager Clients, you need a signing certificate for System Center Update Publisher 2011. You can either generate a self-signed certificate through System Center Update Publisher 2011 UI or use a certificate from your own Public Key Infrastructure.

The minimum requirements for a System Center Update Publisher 2011 signing certificate are:

  1. The Allow private key to be exported option is enabled

  2. Key Usage includes Digital Signature

  3. The key size is at least 2048 bits

This post walks step by step through creating and deploying a System Center Update Publisher signing certificate with a Windows Server 2008 R2 certification authority (CA) and Group Policy.

Step 1: Creating and Issuing the Signing Certificate Template on the Certification Authority

  1. On the machine that is running the Certification Authority, click Start, Programs, Administrative Tools, Certification Authority.
  2. Expand the name of your certification authority (CA), and then click Certificate Templates.
  3. Right-click Certificate Templates, and click Manage to load the Certificates Templates management console.
  4. In the results pane, right-click the entry that displays Code Signing in the Template Display Name column, and then click Duplicate Template. Select “Windows Server 2003 Enterprise” radio box and click OK.

5. In the Properties of New Template dialog box, on the General tab, enter a template name for the signing certificate template, such as SCUPCodeSigning.

6. Click the Request Handling tab, and check Allow private key to be exported.

7. Click the Subject Name tab, and then click Build from this Active Directory information.

8. Click the Extensions tab, and make sure Key Usage includes Digital signature.

9. Click the Security tab, select Authenticated Users and grant it Read and Enroll permissions.

10. Leave the other settings at their defaults. Click OK and close the Certificate Templates management console.
11. In Certification Authority, right-click Certificate Templates, click New, and then click Certificate Template to Issue.
12. In the Enable Certificate Templates dialog box, select the new template you have just created (SCUPCodeSigning in this example), and then click OK.

Step 2: Requesting the Signing Certificate

1. On a domain joined machine, in the search box, type mmc.exe, and then press Enter.
2. In the empty management console, click File, and then click Add/Remove Snap-in.
3. In the Add or Remove Snap-ins dialog box, select Certificates from the list of Available snap-ins, and then click Add.
4. In the Certificate snap-in dialog box, select My user account, and then click Finish.
5. In the Add or Remove Snap-ins dialog box, click OK.
6. In the console, expand Certificates - Current User, expand Personal and click Certificates.
7. Right-click Certificates, and click All Tasks and Request New Certificate…
8. Follow the Certificate Enrollment wizard to select the newly created certificate template, set a friendly name in the certificate properties and click Enroll:

9. After enrollment succeeds, you will find the new certificate under Certificates - Current User -> Personal -> Certificates.
10. Right-click the certificate you just enrolled and click All Tasks -> Export. Follow the export wizard to export the certificate without the private key and save it as scup.cer for Step 3.
11. Export the certificate again, and this time select Yes, export the private key on the second page of the Certificate Export Wizard, and save it as SCUPCodeSign.pfx.

Step 3: Deploy the Signing Certificate through Group Policy

1. On the domain controller, click Start, click Administrative Tools, and then click Group Policy Management.
2. Navigate to your domain, right-click the domain, and then select Create a GPO in this domain, and Link it here.

Note: This step follows the best practice of creating a new Group Policy for custom settings rather than editing the Default Domain Policy that is installed with Active Directory Domain Services. By linking this Group Policy at the domain level, you apply it to all computers in the domain. In a production environment, you can restrict the deployment so that it applies only to selected computers by linking the Group Policy at an organizational unit level.

3. In the New GPO dialog box, enter a name for the new Group Policy, such as SCUP Signing Certificate, and click OK.
4. In the results pane, on the Linked Group Policy Objects tab, right-click the new Group Policy, and then click Edit.
5. In the Group Policy Management Editor, expand Policies under Computer Configuration, and then navigate to Windows Settings / Security Settings / Public Key Policies / Trusted Root Certificate Authorities.
6. Click the Action menu, and then click Import. Follow the Certificate Import Wizard and import the scup.cer created in Step 2.
7. In the Group Policy Management Editor, expand Policies under Computer Configuration, and then navigate to Windows Settings / Security Settings / Public Key Policies / Trusted Publishers.
8. Click the Action menu, and then click Import. Follow the Certificate Import Wizard and import the scup.cer created in Step 2.
9. Close Group Policy Management.

Note: Import the scup.cer file, not the SCUPCodeSign.pfx file. It is not safe to distribute the certificate with its private key to all client machines.

This policy must take effect on the WSUS Server before you can publish full content successfully. To make the policy apply immediately, run “gpupdate /force /target:Computer” on the WSUS Server.
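As an added check (this script is not part of Minfang's guide), the following Windows PowerShell script, run on the WSUS Server after the gpupdate above, verifies the three certificate requirements listed at the start of the post against scup.cer and confirms that the Step 3 GPO placed the certificate in both LocalMachine stores. It assumes the scup.cer file name used above and a CSP-backed RSA key, which is what the duplicated Code Signing template issues.

```powershell
# Added verification script; not part of the original guide. Assumes the file
# name scup.cer from Step 2 and Windows PowerShell (CSP-backed RSA key, as the
# Code Signing template issues). Run after gpupdate /force on the WSUS Server.
param(
    [string]$CerPath = '.\scup.cer'   # public-key-only export; safe to share
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
Write-Host "Subject   : $($cert.Subject)"
Write-Host "Thumbprint: $($cert.Thumbprint)"

# Requirement 2: the Key Usage extension must include Digital Signature.
$kuExt = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
$digSig = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature
$hasDigSig = ($kuExt -ne $null) -and (($kuExt.KeyUsages -band $digSig) -eq $digSig)
Write-Host ("Key Usage includes Digital Signature : {0}" -f $hasDigSig)

# Requirement 3: RSA key of at least 2048 bits.
$keySize = $cert.PublicKey.Key.KeySize
Write-Host ("Key size {0} bits, at least 2048     : {1}" -f $keySize, ($keySize -ge 2048))

# Requirement 1: exportable private key. Readable only from the enrolled copy in
# Certificates - Current User\Personal on the Step 2 machine; a re-imported .pfx
# does not preserve the flag. PrivateKey is $null for CNG keys, hence the check.
$enrolled = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint -and $_.HasPrivateKey }
if ($enrolled -and $enrolled.PrivateKey) {
    $exportable = $enrolled.PrivateKey.CspKeyContainerInfo.Exportable
    Write-Host ("Private key exportable               : {0}" -f $exportable)
} else {
    Write-Host "Private key exportable               : n/a (not enrolled on this machine)"
}

# Step 3 result: the GPO imports scup.cer into both LocalMachine stores below, and
# WUA needs the Trusted Publishers entry; the comments report error 800B0109 when
# only one store received it. Match by thumbprint, not by subject name.
foreach ($store in 'TrustedPublisher', 'Root') {
    $match = Get-ChildItem "Cert:\LocalMachine\$store" |
        Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    Write-Host ("Present in LocalMachine\{0,-16}   : {1}" -f $store, ($match -ne $null))
}
```

Run the same script on a client after gpupdate to confirm the policy reached it; every line should report True before deploying the first third-party update.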

Step 4: Using the Signing Certificate in System Center Update Publisher

1. Open the System Center Update Publisher 2011 console.
2. Click the Menu icon and click Options.
3. In the System Center Updates Publisher Options dialog, select Update Server.
4. Click Browse and select the SCUPCodeSign.pfx you created in Step 2. Enter the password and click OK.

5. Click OK to close the System Center Updates Publisher Options dialog.

You can now publish updates through System Center Update Publisher 2011 and deploy them to clients through System Center Configuration Manager.

Note: The example above uses the Code Signing template, whose Subject Type is User. If you use a template whose Subject Type is Machine, then in Step 2 you need to open the Computer account (Local) certificate store to request and enroll the certificate. The other steps are the same.

Comments
  • Jason,

    Can I ask why this new certificate needs to be distributed to all clients?  I assume it's so the certificate is automatically trusted.  If I am generating the certificate on my Enterprise enabled PKI server then should it already be trusted and I don't need to import it to my clients as you have outlined in Step 3.

  • Hi Jason

    I have installed Updates Publisher 2011 on a Windows 7 system. I have everything in place - just not the Certificate mentioned in "Step 4: Using the Signing Certificate in System Center Update Publisher". The Browse button is greyed out. Any idea why?

  • Gunnahafta,  

    The certificate needs to be trusted on all clients in order for WUA to perform the installation.  Part of that is to put it in the Trusted Publishers certificate store on all clients; this is a hard requirement.  If you are using your own PKI server you may not need to add it to the Trusted Root Certificate Authorities certificate store.

    Jan,

    The browse button is disabled as you are connected to a remote WSUS server without using SSL to connect.  If you are connecting to a remote WSUS Server and you want to register your own signing certificate, you must connect to that server over SSL or install SCUP on the WSUS server (local install).

    _Jason Lewis

  • Jason, Is there a reason on step 2 you requested a user certificate instead of a computer certificate in the example above? Can you use a computer certificate?

  • I'm also confused about why it must be a user certificate vs a computer certificate?

  • Thanks Jason for this great manual!

    I found a way to do this without creating a new certificate template, because this doesn't work on my Windows 2003 Standard Edition Server. I used the tool certreq on the CA server.

    - Create file wsus_publishers.inf (see end of my post)

    - Run these commands on CA server

    certreq -new wsus_publishers.inf wsus_publishers.reg

    certreq -submit wsus_publishers.reg wsus_publishers.cer

    certreq -accept wsus_publishers.cer

    - Export the .pfx file with private key from the computer's certificate store and import it into SCUP 2011

    - Deploy .crt/.cer file as Trusted Publisher via GPO

    >>>>>>>>>>>Begin wsus_publishers.inf------------------------------
    [Version]
    Signature="$Windows NT$"

    [NewRequest]
    Subject = "CN=WSUS Publishers,OU=Hi,O=its,L=my,S=Domain,C=US"
    Requestername = "WSUS Publishers"
    KeySpec = 1
    KeyLength = 2048
    Exportable = TRUE
    MachineKeySet = TRUE
    SMIME = False
    UserProtected = FALSE
    UseExistingKeySet = FALSE
    ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
    ProviderType = 12
    RequestType = PKCS10

    [RequestAttributes]
    CertificateTemplate=codeSigning
    >>>>>>>>>>>End wsus_publishers.inf------------------------------

    Regards

    Markus

  • I've used SCUP to create a WSUS Publishers Self-signed Cert in the SCUP Options. I now want to replace this with my PFX certificate but the Browse button is greyed out. If I choose "Create" it will take me through the steps to simply create a new WSUS Self-signed Cert. How do I replace the existing Self-Signed cert?

  • Hello,

    My SCUP is not running on the local server, so I need an SSL connection between SCUP and WSUS - can somebody help me with how to create an SSL connection between those two?

    Thank you for your Feedback :)

    Regards

    Florian

  • I'd suggest not adding the "Enroll" permission for Authenticated Users (Step 1, #9 above), and instead restrict it to administrators or a specific group.

  • I have to create an SSL connection between SCUP and WSUS (different servers). As well, the cert needs to incorporate code signing for the downloaded patches.  Has anyone done this yet with a domain cert?  I am attempting to have the template created with "server auth" and "code signing" and then use it to do both.

    I can have documented screenshots when done, i just need to confirm this is the right path.

  • Hello Jason,

    I am 100% clear about step 2. On which server do I need to run MMC? I have an SCCM 2007 SUP/WSUS point server - my WSUS has been configured with port 8530; I have installed SCUP 2011 on this server too. Therefore, I need to run the MMC on this server; am I right?

    My PKI root CA has been "published" into our AD domain such that it is one of the Trusted Root Certification Authorities on all our computers. Do I still need to deploy the certificate via GPO?

    Thanks.

  • Sorry typo. It should be "I am not 100% clear about step 2."

  • Hi SJJ123, for step 2 just a domain joined machine is needed to request the certificate for signing from the CA; the file you save will be imported into SCUP 2011 in Step 4.  The SCUP certificate (public key only) just needs to be a "Trusted Publisher" (deployed via GPO usually - see step 3.7) on all your machines, since it was issued by your CA which you mention is already a trusted root CA on your machines.

    Hope this helps.

  • I am trying to perform step 3 on a Windows 2008 R2 server and it accepts the certificate in both places. However, when GPUPDATE runs on the workstation it only downloads the certificate as a "Trusted Publisher"; if you look at the GPO the certificate is in both places, but it only downloads to one.   This causes the updates to fail to install on my clients with an error code of 800B0109.

  • This is an old thread but I'm going to ask this anyway. Our SCUP had a hiccup where it cannot find the cert it needs to publish apps to SCCM. I created a new cert in SCUP and put it in the SCCM server's store. I was able to publish to SCCM successfully.

    Will this affect Microsoft and 3rd party updates from SCCM to the clients? I'm noticing my MS update lists are still working and everything else looks good.
