SCUP 2011 and WSUS for SCCM 2012 using Enterprise PKI

    Question

  • SCUP 2011 and WSUS for SCCM 2012 using Enterprise PKI

    Ok, so my own searches have been fruitless thus far.  I have my SCCM environment configured for HTTPS Only communications.  I have my PKI environment deployed and it seems to be working well for software distribution, and I have now tested my Software Updates for Windows 7 and that worked accordingly.  My WSUS however is currently still non-encrypted since it is on the same server as SCCM and is working that way.

    http://www.youtube.com/watch?v=fyEGWSFWyy0&noredirect=1
    http://technet.microsoft.com/en-us/library/hh134775.aspx

    Following the great video and Microsoft directions, I am trying to configure SCUP 2011 and am at the stage of Enable publishing to an update server.  The connection tests out fine (after adding my domain user to the 'WSUS Administrators' group).  I then want to select a certificate SIGNED BY MY ENTERPRISE CA to use for the Publisher Signing.  However, I can't find instructions for how or what to do to use my Enterprise CA.  The instructions continually refer to a self signed certificate, not Enterprise CA, that we then need to force that self-signed out to the Enterprise Root and Trusted Publishers.

    http://technet.microsoft.com/en-us/library/hh134732.aspx

    Thanks for that Microsoft...again they indicate I can use an Enterprise CA by stating, "For certification authority (CA) issued certificates: Add the certificate to the Trusted Publishers certificate store." but do not provide links for what settings to use.

    ALL THAT BEING SAID HERE IS WHAT I HAVE DONE SO FAR:

    I went on to my Lab DC, opened the Certificate Authority and duplicated the "Code Signing" template (is this the right one?).  I configured the Private key to be exportable, extended the timeframe to a few years, and configured security so that only the "ConfigMgr WSUS Servers" group (I created it and added the server to the group) is allowed to Enroll.  However, I can't seem to get it to show up.  It appears "Code Signing" may be a user certificate?  Is this right?

    After allowing domain admins and enterprise admins to Enroll I can see the template when requesting a user certificate. It just doesn't seem like it should be a user certificate though. Where am I going wrong?

    Once I get the right certificate do I still need to push it to "Trusted Publishers"?  Seems like this should be automatic if the certificate has been issued from the Enterprise CA.


    Find this post helpful? Does this post answer your question? Be sure to mark it appropriately to help others find answers to their searches.

    Friday, February 22, 2013 8:53 PM

All replies

  • Every time I post here I find information I couldn't for hours...two minutes later.  I am going to try this:

    http://blogs.technet.com/b/jasonlewis/archive/2011/07/12/system-center-updates-publisher-signing-certificate-requirements-amp-step-by-step-guide.aspx


    Friday, February 22, 2013 9:01 PM
  • Did you find what you were looking for?

    Kent Agerlund | My blogs: blog.coretech.dk/kea and SCUG.dk/ | Twitter: @Agerlund | Linkedin: Kent Agerlund | Mastering ConfigMgr 2012 The Fundamentals

    Monday, February 25, 2013 6:49 AM
  • Not entirely.  I tried using my Distribution Point certificate, because the site said it just needed "Digital Signature" key usage.  My DP cert had that although it has a warning exclamation point on key usage.  I wanted to use a computer certificate instead of user since the one created when you choose self-signed is also a computer certificate.  Also the website mentions the following which seems to tell me I can make a Computer one, but I don't know how:

    Note: The above example uses the Code Signing template whose Subject Type is User. If you use a template whose Subject Type is Machine, then in Step 2, you need to open the My computer (Local) Certificate Store to request enroll the certificate.

    When I tried this everything seemed to be fine when selecting the certificate, but when I tried to publish to WSUS it failed on the first of 9 records.  So for sake of troubleshooting, I switched to the self-signed and created the GPO to distribute the Root and Publisher cert locations.  This was able to publish to WSUS.  So now I see the updates (Flash/Reader) in SCCM and created the software group and distribution package.  I made two software groups and pointed them both to the same distribution package.  Is this ok?  I would think so. 

    I verified the machine has the self-signed cert in the computers proper locations.  As I think I mentioned, this test machine has already received regular windows updates via SCCM.  I then deploy as available to the collection with my test machine.  The machine does not see the updates.  It has been a few days plus multiple times forcing the Software Update checks in ConfigMgr control panel.  Does the software need to be installed for this to show the software being available?  I do not have any Flash or Reader versions installed.  That would be aggravating since it means it has been working...

    I do still want to go back and get my Enterprise PKI certificate working, but I just want to see it work first with default.

    Recapping questions from these paragraphs:

    1. How can I get a "Code Signing" template as a Computer certificate?
    2. Can two software update groups use the same Distribution Package?
    3. Does an older version of the software I'm trying to update (Flash/Reader) need to be installed for this to work, or can I utilize this to install a fresh copy on a machine that does not have the software at all?
    4. What logs are useful for determining what may be happening and on which machine are they located?


    Monday, February 25, 2013 11:24 AM
  • BUMP!

    It has been a few days and no replies...  Any answers or help here would be appreciated.


    Thursday, February 28, 2013 3:52 PM
  • Ok, so since no one else is replying...I have figured out so far...

    1. I still don't know.  Still need help with this.
    2. Yes, two software update groups can use the same Distribution Package.
    3. Yes, an older version of the software does need to be installed.  Also you must run a Software Inventory and then the Software Update tasks (to force the process).  At least that is what I have found.
    4. Still don't know what logs to look at.

    If someone could assist me with the following two remaining questions:

    1. How can I get a "Code Signing" certificate as a computer certificate instead of a user?
    2. Tips on using an Enterprise PKI certificate instead of the one SCUP self-signed.
    3. What logs are useful for troubleshooting the Software Update, SCUP, and Advertisements for Software Update?


    Thursday, February 28, 2013 10:00 PM
  • #1 and #2 are questions that should be asked in an AD related forum as PKI/certificates are external to ConfigMgr.
    #3: the same logs that are used for software updates: u*.log, ScanAgent.log, WUAHandler.log, WindowsUpdate.log.

    Torsten Meringer | http://www.mssccmfaq.de

    Friday, March 01, 2013 8:04 AM
    Moderator
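    The client-side logs named above (u*.log, ScanAgent.log, WUAHandler.log) are written in the CMTrace format, where each record carries a `type` attribute (1 = informational, 2 = warning, 3 = error). The following PowerShell is an added example, not code from the thread or from Microsoft: it parses that format and surfaces only the warnings and errors, which is the quickest way to see why a deployment is not being offered to a client. The log folder `$env:windir\CCM\Logs` and the sample records are assumptions; the sample lines are constructed, not taken from a real machine.

```powershell
# Added example (not from the thread): parse CMTrace-format ConfigMgr client logs
# and return only warnings/errors. The log folder below is an assumption.

function ConvertFrom-CMTraceLog {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Text,   # raw log content (use Get-Content -Raw)
        [string] $Source = ''                    # file name, carried into each record
    )
    # One CMTrace record looks like:
    # <![LOG[message]LOG]!><time="hh:mm:ss.fff+zzz" date="MM-dd-yyyy" component="X" context="" type="N" thread="T" file="F">
    # type 1 = informational, 2 = warning, 3 = error. Messages may span lines, hence Singleline.
    $pattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]*)"\s+date="(?<date>[^"]*)"\s+component="(?<component>[^"]*)"[^>]*?\btype="(?<type>\d)"'
    $options = [System.Text.RegularExpressions.RegexOptions]::Singleline
    foreach ($m in [regex]::Matches($Text, $pattern, $options)) {
        $severity = switch ([int]$m.Groups['type'].Value) {
            3       { 'Error' }
            2       { 'Warning' }
            default { 'Info' }
        }
        [pscustomobject]@{
            Source    = $Source
            Date      = $m.Groups['date'].Value
            Time      = $m.Groups['time'].Value
            Component = $m.Groups['component'].Value
            Severity  = $severity
            Message   = $m.Groups['msg'].Value.Trim()
        }
    }
}

function Get-CMUpdateLogProblem {
    # Scan the software-update client logs named in the thread for warnings and errors.
    param(
        [string]   $LogFolder = (Join-Path $env:windir 'CCM\Logs'),          # assumed client log path
        [string[]] $Filter    = @('u*.log', 'ScanAgent.log', 'WUAHandler.log')
    )
    foreach ($f in $Filter) {
        Get-ChildItem -Path $LogFolder -Filter $f -ErrorAction SilentlyContinue | ForEach-Object {
            ConvertFrom-CMTraceLog -Text (Get-Content -Path $_.FullName -Raw) -Source $_.Name |
                Where-Object { $_.Severity -ne 'Info' }
        }
    }
}

# Constructed sample records (not from a real client) to show the parser's output:
$sample = @'
<![LOG[Constructed: scan request queued]LOG]!><time="11:24:00.000+000" date="02-25-2013" component="ScanAgent" context="" type="1" thread="100" file="sample.cpp:1">
<![LOG[Constructed: update content signature could not be verified]LOG]!><time="11:24:01.000+000" date="02-25-2013" component="WUAHandler" context="" type="3" thread="100" file="sample.cpp:2">
'@
ConvertFrom-CMTraceLog -Text $sample -Source 'sample' |
    Where-Object { $_.Severity -ne 'Info' } | Format-Table -AutoSize

# On a real client: Get-CMUpdateLogProblem | Sort-Object Date, Time | Format-Table -AutoSize
```

    Only the second constructed record is printed, because the first has `type="1"`. WindowsUpdate.log (Windows 7 era) is plain text rather than CMTrace format, so it is not covered by this parser.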
  • Does this article answer your Question?

    http://blogs.technet.com/b/jasonlewis/archive/2011/07/12/system-center-updates-publisher-signing-certificate-requirements-amp-step-by-step-guide.aspx

    @jammad:  That is the exact same link I provided in my second post.  I do my best to detail what I have done to ensure as much information is available.  My third post says about what I have done with the article and what still was unclear.

    @All:  I put this project on hold for the start of the school year.  Now that things have calmed I am actively working this issue again.  Please any information that can be given may be of assistance.  THANKS!


    Friday, October 25, 2013 9:44 AM
  • Hi Chase,

    Did you find out a solution on your first question? I have the same issue/question and found your topic but still no answer on this. Seems that we are the only 2 guys on the planet having this problem ;-)

    Wednesday, September 17, 2014 8:13 AM
  • Michael140 I am assuming you're referring to the question, "How can I get a "Code Signing" certificate as a computer certificate instead of a user?"

    So the answer to that question is, "not really, but I have a work around".  I do have everything working that I can now publish and sign using my Enterprise PKI certificates. 

    1. I duplicated the default "Code Signing" template which is still for User and not Computer. 
    2. Modified it to act like an "Offline Request" by setting Private key exportable and Subject Name to Supply in Request.  This allowed me to name it "<Enterprise_Name> Trusted Publisher", instead of it automatically using the details of the person requesting it.  I kept it generic as I can now use this to sign PowerShell scripts and have them trusted by domain computers in the end as well.
    3. Export the Certificate and Private key from your user certificates to PFX file.  This can now be loaded to SCUP as the signing certificate.
    4. Export the Certificate WITHOUT the private key and load into GPO so computers receive it as a Trusted Publisher.  Also be sure it is in the WSUS/SCCM servers as Trusted Publisher.
    5. So you could stop here as everything will work, but the work around I spoke of is that you can open MMC and load the Computer certificates snap-in.  Expand the Personal store for the computer and import the enterprise trusted publisher PFX file we exported earlier to the computer Personal store.  You now have the certificate we created as a User as a Computer certificate.

    From what I gather from watching other videos that manipulate the templates, but not directly relating to this, I imagine we could modify a template that is geared for computers and remove the key usages and add the proper usages like the code signing template, but once I was able to change the name of the User certificate, that really addressed my biggest concern: I didn't want it saying a particular user's name.  I wanted it to be something recognizable as our enterprise has signed it, especially in the case of other signed items like PowerShell scripts or apps.

    Hope this helps!


    Wednesday, September 17, 2014 10:25 AM
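    Steps 3 to 5 of the workaround above (export the user certificate as PFX and CER, put the public part in Trusted Publishers, then import the PFX into the computer's Personal store) can be scripted. The PowerShell below is an added example, not Chase's own steps or anything from Microsoft's documentation. It assumes the PKI module cmdlets (`Export-PfxCertificate`, `Import-PfxCertificate`, `Import-Certificate`), which ship with Windows 8 / Windows Server 2012 and later; the subject name `CN=Contoso Trusted Publisher` stands in for "<Enterprise_Name> Trusted Publisher" and `C:\Certs` is an assumed export folder. Steps 1 and 2 (duplicating the template) are done in the Certificate Templates console and are not scripted here.

```powershell
# Added example (not from the thread). Assumes the PKI module cmdlets of Windows 8 /
# Windows Server 2012 or later, a certificate already enrolled in the user's Personal
# store from the duplicated Code Signing template, and the placeholder names below.
$CodeSigningEku = '1.3.6.1.5.5.7.3.3'            # Code Signing enhanced key usage OID
$SubjectCn      = 'CN=Contoso Trusted Publisher' # placeholder for "<Enterprise_Name> Trusted Publisher"
$ExportDir      = 'C:\Certs'                     # assumed export folder

function Test-CodeSigningCert {
    # True when the certificate carries the Code Signing EKU and a usable private key.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate)
    $eku = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $eku -or -not $Certificate.HasPrivateKey) { return $false }
    return [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $CodeSigningEku })
}

function Get-PublisherCert {
    # Step 3: find the user certificate that SCUP will use for signing.
    param([string] $Subject = $SubjectCn)
    $match = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Subject -eq $Subject -and (Test-CodeSigningCert $_) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $match) { throw "No code-signing certificate with subject '$Subject' in CurrentUser\My" }
    return $match
}

function Export-PublisherCert {
    # Step 3: PFX (with private key) for SCUP. Step 4: CER (public only) for the GPO.
    param(
        [Parameter(Mandatory)] [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [Parameter(Mandatory)] [securestring] $PfxPassword,
        [string] $Directory = $ExportDir
    )
    New-Item -ItemType Directory -Path $Directory -Force | Out-Null
    $pfx = Join-Path $Directory 'EnterpriseTrustedPublisher.pfx'
    $cer = Join-Path $Directory 'EnterpriseTrustedPublisher.cer'
    Export-PfxCertificate -Cert $Certificate -FilePath $pfx -Password $PfxPassword | Out-Null
    Export-Certificate    -Cert $Certificate -FilePath $cer | Out-Null
    return [pscustomobject]@{ Pfx = $pfx; Cer = $cer; Thumbprint = $Certificate.Thumbprint }
}

function Install-PublisherCert {
    # Run elevated on the WSUS/SCCM server.
    # Step 4: public cert into LocalMachine\TrustedPublisher (the GPO does this for clients).
    # Step 5 (the workaround): PFX into LocalMachine\My so the same certificate also
    # shows up as a computer certificate.
    param(
        [Parameter(Mandatory)] [string] $CerPath,
        [string] $PfxPath,
        [securestring] $PfxPassword
    )
    Import-Certificate -FilePath $CerPath -CertStoreLocation Cert:\LocalMachine\TrustedPublisher | Out-Null
    if ($PfxPath) {
        Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $PfxPassword | Out-Null
    }
}

function Test-PublisherCertInstalled {
    # Verify the certificate landed in the stores SCUP/WSUS look at.
    param([Parameter(Mandatory)] [string] $Thumbprint)
    $trusted  = Get-ChildItem Cert:\LocalMachine\TrustedPublisher | Where-Object { $_.Thumbprint -eq $Thumbprint }
    $personal = Get-ChildItem Cert:\LocalMachine\My              | Where-Object { $_.Thumbprint -eq $Thumbprint }
    [pscustomobject]@{
        Thumbprint         = $Thumbprint
        InTrustedPublisher = [bool]$trusted
        InComputerPersonal = [bool]$personal
        HasPrivateKey      = [bool]($personal -and $personal.HasPrivateKey)
    }
}

# Usage (interactive, as the enrolling user and then elevated on the server):
# $pw    = Read-Host -AsSecureString 'PFX password'
# $cert  = Get-PublisherCert
# $files = Export-PublisherCert -Certificate $cert -PfxPassword $pw
# Install-PublisherCert -CerPath $files.Cer -PfxPath $files.Pfx -PfxPassword $pw
# Test-PublisherCertInstalled -Thumbprint $files.Thumbprint
```

    Distribute only the .cer through the GPO; the .pfx holds the signing key and should be deleted from the export folder once SCUP and the server's Personal store have it. Because the certificate chains to the Enterprise CA, which domain members already trust, only the Trusted Publishers placement is needed, whereas the self-signed route also had to push the certificate into Trusted Root.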