Answered SCUP Certificate

Answers

  • Friday, September 28, 2007 4:21 PM
    Owner
     
     Answered

    SCUP just requires that the WSUS certificate is imported into two specific stores on each target client computer. It doesn't care how you get that cert there, just that you do. If you use PKI to do so, I assume that is fine; however, as far as I am aware, you do need the WSUS cert in both stores on the client:

     

    * Trusted Root Certificates

    * Trusted Publishers

  • Friday, September 28, 2007 6:19 PM
     
     Answered

    OK, here is how you do it:

     

    Step 1. Click Start -> Run -> MMC

    Step 2. File -> Add/ Remove Snap-In -> Add -> Certificates

    Step 3. Choose Computer account -> Local Computer -> Add -> Close -> OK

    Step 4. Expand Certificates -> Expand Personal -> Click Certificates

    Step 5. Find the Certificate you created for your IIS WSUS Site and Right Click it -> All Tasks -> Export

    Step 6. Click Next -> Yes -> Next -> Next -> Create a Password -> Retype the Password -> Click Next -> Pick a location to save the file -> Next -> Finish

    Step 7. Open SCUP -> Click Settings -> Click Update Server Tab -> Click Browse -> Find Cert -> Click Create -> Enter Password

    Step 8.  Proceed to GPO Setup from help file.

     

    1. Open the Group Policy Object Editor Microsoft Management Console (MMC) snap-in with a user that has the appropriate security rights to configure Group Policy.

    2. Click Browse and select the domain, OU, or GPOs linked to the site where the configured Group Policy will propagate to the desired client computers. Click OK, click Finish, click Close, and then click OK.

    3. Expand the selected policy setting in the console tree, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.

    4. In the results pane, right-click Allow signed content from intranet Microsoft update service location, click Properties, click Enabled, and then click OK.

All Replies

  • Friday, January 30, 2009 10:44 PM
     
     

    Description: The Most Secure Way to Provision System Center Update Publisher (SCUP) Certificates for Client Machines and the WSUS/SCUP Server.

    Supporting Article: http://social.technet.microsoft.com/forums/en-US/configmgrsum/thread/f53e8ee3-dfc9-4d4b-92e6-447546150853

    Note that when configuring the certificate in SCUP (under Settings in the console), SCUP will only accept .PFX (Personal Information Exchange) certificates. This means that .CER certificates cannot be used with SCUP. If you use a certificate you configured for IIS and WSUS, as the above article mentions, you have to export the certificate to a .PFX certificate before SCUP will accept and can use it.

    Since this wasn't mentioned in the documentation (or I can't find it), I, members of my team, and I'm sure others, were exporting the .CER type certificate, which does not work and is not accepted by the SCUP product.

    So what should be known and what I've discovered is the following:

    You must use a .PFX Personal Information Exchange certificate when importing a cert into SCUP under the Settings option. Since a .PFX cert holds the Public and Private Key, you do not want to deploy this type of certificate on client machines. This would be like giving out your login ID and password to everyone that gets the certificate.

    What you want to do is export ONLY the Public Key portion of the PFX certificate, which then will be a .CER certificate built from the .PFX certificate and only has the Public Key. Then you can use Group Policy to deliver the certificate to clients.

    So I would see the steps as follows:

    On the WSUS/SCUP Server

    Step 1. Click Start -> Run -> MMC

    Step 2. File -> Add/ Remove Snap-In -> Add -> Certificates

    Step 3. Choose Computer account -> Local Computer -> Add -> Close -> OK

    Step 4. Expand Certificates (Local Computer) -> Expand WSUS -> Click Certificates

    Step 5. Find the certificate you created for use with WSUS/SCUP, or find the self-signed certificate automatically created by SCUP. Right-click it -> All Tasks -> Export. Must be a .PFX certificate.

    Note and remember: A .PFX Personal Information Exchange certificate holds the Public and Private Key. So 1. you don't want to deploy this type of certificate on client desktop computers, and 2. you do not need this type of certificate in the Trusted Publishers and Trusted Root Certification Authorities stores. The .CER type certificate will work just fine and does not have the Public Key associated with it.

    Step 6. Click Next -> No, do not export the private key -> Next -> Select Base-64 encoded X.509 (.CER) -> Provide a location to export the certificate to -> Next -> Finish, to export the certificate.

    Note: Base-64 encoded X.509 (.CER) is the highest encryption method that you can export to a (.CER) certificate.

    For Provisioning the Certificate on the WSUS/SCUP server.

    Step 7. Expand Certificates (Local Computer) -> Expand Trusted Publishers -> Click Certificates -> All Tasks -> Import -> Next -> Browse to the cert.CER file you just exported -> Next -> Ensure Place all certificates in the following store is selected. -> Next -> Finish, to complete importing the certificate.

    Step 8. Expand Certificates (Local Computer) -> Expand Trusted Root Certificate Authorities -> Click Certificates -> All Tasks -> Import -> Next -> Browse to the cert.CER file you just exported -> Next -> Ensure Place all certificates in the following store is selected. -> Next -> Finish, to complete importing the certificate.

    Now you only have the Public Key in the "Trusted Root Certificate Authorities" and "Trusted Publishers" stores.

    Note: When you import your own .PFX cert or use the self-signed cert SCUP creates in the WSUS\Certificate store, you now only have the Public Key for this cert in one location on the WSUS/SCUP server. This is the most secure way of configuring the SCUP certificate.

    Step 9. Perform Steps 7 and 8 to import the certificate manually on client machines. Or you can use Group Policy to deploy the cert.cer to client machines.


    Richard Dixon MSFT Sr Systems Engineer
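The same procedure as a script, added here as an example and not part of the thread or of any Microsoft documentation: it covers both the first answer (cert in Trusted Root and Trusted Publishers, plus the "Allow signed content from intranet Microsoft update service location" policy) and the post above (export only the public half as a .cer, never ship the .pfx to clients). It assumes the SCUP signing cert sits in the Cert:\LocalMachine\WSUS store named in the post, that C:\Temp is writable, and that the registry value AcceptTrustedPublisherCerts under the WindowsUpdate policy key is what the GPO setting writes (it is, but the GPO is still the preferred delivery method on a domain).

```powershell
# Added example, not code from the thread. Run in an elevated PowerShell.
# Server side: export ONLY the public certificate (.cer) from the store SCUP
# writes its signing cert to. Client side: import that .cer into the two stores
# the Windows Update Agent checks, enable the policy, and verify the result.
# Assumed values: store path (from the post above), output file, policy key.

$ServerStore  = 'Cert:\LocalMachine\WSUS'            # from the post above
$CerPath      = 'C:\Temp\SCUPPublisher.cer'          # assumed output path
$ClientStores = @('Cert:\LocalMachine\Root', 'Cert:\LocalMachine\TrustedPublisher')
$PolicyKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Export-PublicSigningCert {
    param([string]$Store, [string]$OutFile)
    # The cert that carries the private key is the one SCUP signs with.
    $cert = Get-ChildItem -Path $Store | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
    if (-not $cert) { throw "No certificate with a private key found in $Store" }
    # -Type CERT writes a DER-encoded public certificate only; the private key
    # never leaves the server store. This is the scripted equivalent of the MMC
    # "No, do not export the private key" choice (DER and Base-64 .cer import identically).
    Export-Certificate -Cert $cert -FilePath $OutFile -Type CERT -Force | Out-Null
    return $cert.Thumbprint
}

function Import-PublisherCert {
    param([string]$CerFile, [string[]]$Stores)
    foreach ($store in $Stores) {
        # Import-Certificate only accepts public certs; handing it a .pfx fails,
        # which is a useful safety net against shipping the private key to clients.
        Import-Certificate -FilePath $CerFile -CertStoreLocation $store | Out-Null
    }
}

function Enable-SignedIntranetContent {
    param([string]$Key)
    # Registry value behind the GPO setting
    # "Allow signed content from intranet Microsoft update service location".
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name 'AcceptTrustedPublisherCerts' -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-PublisherTrust {
    param([string]$Thumbprint, [string[]]$Stores, [string]$Key)
    $report = [ordered]@{ Thumbprint = $Thumbprint }
    foreach ($store in $Stores) {
        $name  = Split-Path -Path $store -Leaf
        $found = Get-ChildItem -Path $store | Where-Object { $_.Thumbprint -eq $Thumbprint }
        $report[$name] = [bool]$found
        # A private key in either store means a .pfx was imported: exactly the
        # "giving out your login id and password" situation the post warns about.
        if ($found -and $found.HasPrivateKey) {
            Write-Warning "$store holds the PRIVATE key for $Thumbprint; remove it and re-import the .cer"
        }
    }
    $policy = Get-ItemProperty -Path $Key -Name 'AcceptTrustedPublisherCerts' -ErrorAction SilentlyContinue
    $report['PolicyEnabled'] = ($null -ne $policy -and $policy.AcceptTrustedPublisherCerts -eq 1)
    return [pscustomobject]$report
}

# On the WSUS/SCUP server:
$thumb = Export-PublicSigningCert -Store $ServerStore -OutFile $CerPath

# On each client (copy the .cer there first, or deliver it through Group Policy
# Public Key Policies), and on the server itself as the post describes:
Import-PublisherCert -CerFile $CerPath -Stores $ClientStores
Enable-SignedIntranetContent -Key $PolicyKey
Test-PublisherTrust -Thumbprint $thumb -Stores $ClientStores -Key $PolicyKey | Format-List
```

Test-PublisherTrust is the check worth running on a client that refuses SCUP updates: both store entries must be True, PolicyEnabled must be True, and no warning about a private key should appear. If the signing cert was issued by an internal CA rather than self-signed, the CA's root (or chain) is what belongs in Trusted Root Certification Authorities, while the signing cert itself still goes into Trusted Publishers; in that case pass the CA root's thumbprint when checking the Root store.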
  • Monday, October 05, 2009 2:46 PM
     
     
    Hi,

    I am not sure if this is a cert error but maybe Wally you can help me.

    When I set up SCUP I am using Dell and HP SCUP catalogs, and I want to refresh when I start SCUP.

    But all the time I get this error (I did not get this some time ago)

    DownloadSignature: ftp://ftp.dell.com/catalog/DellSDPCatalog.xml was downloaded successfully.
    CatalogSignature: Unable to deserialize using the signature file C:\Users\xarsagi\AppData\Local\Temp\2\tmp2B64.tmp, exception: There is an error in XML document (1, 2).
    Download Signature: Failed to Create From SignatureFile There is an error in XML document (1, 2).
    DownloadSignature: ftp://ftp.dell.com/catalog/DellSDPCatalog.cab was downloaded successfully.
    Hash matches for ftp://ftp.dell.com/catalog/DellSDPCatalog.cab. Catalog will not be added to changed list.

    Otherwise I can publish anything I want, so I think this is not a cert issue... Also, if I import manually it works.

    Thanks

    Robi
  • Monday, October 05, 2009 3:54 PM
     
     Proposed Answer
    The log line you are seeing, "CatalogSignature: Unable to deserialize using the signature file C:\Users\xarsagi\AppData\Local\Temp\2\tmp2B64.tmp, exception: There is an error in XML document (1, 2).", is not an issue. It just means the DellSDPCatalog.xml file wasn't there (or was the wrong file). Here is the process SCUP uses to determine if the catalog has been updated since your last import.

    1. SCUP attempts to download signature file (<catalogname>.xml).
    1a. If signature file is missing (common if ISV does not post file along with catalog), SCUP will then download full catalog file.
    2. SCUP checks hash value in signature file (or catalog) to compare to last imported catalog.
    3. If hash values match then skips catalog and moves on to the next one to compare.
    4. If the hash does not match, then SCUP displays the catalog in the "Catalog Updates" dialog in the center pane under "Links and Resources".


    In your case the signature file is missing or it is not the real signature file.  SCUP then downloads the actual catalog cab file and checks it.  The "Hash matches ..." log entry just means the catalog you have imported is the same one that Dell currently has posted.

    Hope that helps.

    These postings are provided "AS IS" with no warranties, and confer no rights.
    • Proposed As Answer by Hakka0709 Tuesday, October 06, 2009 7:11 AM
  • Tuesday, October 06, 2009 7:11 AM
     
     
    Hi,

    Thanks a lot! You were right... the file was removed from HP and Dell (don't know why yet).

    Regards
    Robi
  • Tuesday, November 02, 2010 8:11 AM
     
     

    I have done the above thing and don't get the updates installed.

    I started with a self-signed cert, but then I ran into issues with OSD, so I thought let me use a PKI certificate.

    I published them again using the command line tool and used resign on the updates.

    I see the following errors in wuahandler.log

    Failed to download updates to the WUAgent datastore. Error = 0x800b0004. WUAHandler 11/2/2010 8:41:08 AM 6416 (0x1910)
    Going to search using WSUS update source. WUAHandler 11/2/2010 8:41:08 AM 6416 (0x1910)
    Synchronous searching of all updates started... WUAHandler 11/2/2010 8:41:08 AM 6416 (0x1910)
    Successfully completed synchronous searching of updates. WUAHandler 11/2/2010 8:42:53 AM 6416 (0x1910)
    1. Update: 00004850-0000-0000-5350-000000045813, 1   BundledUpdates: 0 WUAHandler 11/2/2010 8:42:53 AM 6416 (0x1910)
    1. Update (Missing): Intel Active Client Manager HECI Device Driver for 7 [5.2.0.1008.A5] (00004850-0000-0000-5350-000000045813, 1) WUAHandler 11/2/2010 8:42:53 AM 6416 (0x1910)
    Failed to download updates to the WUAgent datastore. Error = 0x800b0004. WUAHandler 11/2/2010 8:42:53 AM 6416 (0x1910)

  • Thursday, January 06, 2011 10:39 PM
     
     
    The thing that kept tripping us up was that we didn't want to use a WSUS self-signed cert. We wanted to use our own CA, so we had to create a cert that could do EVERYTHING. We thought the code signing part of the cert was the most important, and after 6 hours of struggling it finally worked, creating a cert that did everything.
  • Friday, January 07, 2011 3:04 PM
     
     

    Hi Pete,

    What have you particularly changed in a standard computer certificate template?

    What I did was remove the application policies; then I could install the updates on the client, but it still fails if it is run from the task sequence with:

    Failed to download updates to the WUAgent datastore. Error = 0x800b0109  a different error code.

    This happens ONLY when I try to push updates from task sequence.

    I am able to deploy the third party updates on the client if not in task sequence.

    It's frustrating :-(