SCUP Certificate
I would rather use a cert from my PKI than a self-signed cert from my WSUS box. Do you have a doc similar to this one:
http://technet.microsoft.com/en-us/library/bb694035.aspx
for creating this certificate and importing it? The docs on this process in the .chm file and on the TechNet site don't consider the case where you want to use your own PKI.
Answers
SCUP just requires that the WSUS certificate is imported into two specific stores on each target client computer. It doesn't care how you get that cert there, just that you do. If you use PKI to do so, I assume that is fine; however, as far as I am aware, you do need the WSUS cert in both stores on the client:
* Trusted Root Certificates
* Trusted Publishers
OK, here is how you do it:
Step 1. Click Start -> Run -> MMC
Step 2. File -> Add/Remove Snap-In -> Add -> Certificates
Step 3. Choose Computer account -> Local Computer -> Add -> Close -> OK
Step 4. Expand Certificates -> Expand Personal -> Click Certificates
Step 5. Find the Certificate you created for your IIS WSUS Site and Right Click it -> All Tasks -> Export
Step 6. Click Next -> Yes -> Next -> Next -> Create a Password -> Retype the Password -> Click Next -> Pick a location to save the file -> Next -> Finish
Step 7. Open SCUP -> Click Settings -> Click Update Server Tab -> Click Browse -> Find Cert -> Click Create -> Enter Password
Step 8. Proceed to GPO Setup from help file.
- Open the Group Policy Object Editor Microsoft Management Console (MMC) snap-in with a user that has the appropriate security rights to configure Group Policy.
- Click Browse and select the domain, OU, or GPOs linked to the site where the configured Group Policy will propagate to the desired client computers. Click OK, click Finish, click Close, and then click OK.
- Expand the selected policy setting in the console tree, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.
- In the results pane, right-click Allow signed content from intranet Microsoft update service location, click Properties, click Enabled, and then click OK.
All Replies
Description: The Most Secure Way to Provision System Center Update Publisher (SCUP) Certificates for Client Machines and the WSUS/SCUP Server.
Supporting Article: http://social.technet.microsoft.com/forums/en-US/configmgrsum/thread/f53e8ee3-dfc9-4d4b-92e6-447546150853
Notice the certificate that SCUP uses or will accept when configuring the certificate in SCUP in the Settings location within the console, SCUP will only accept .PFX Personal Information Exchange certificates. So this means that .CER certificates cannot be used with SCUP. If you use a certificate you configured for IIS and WSUS as the above article mentions, you have to export the certificate out to a .PFX certificate before SCUP will accept and can use it.
Since this wasn't mentioned in the documentation, or I can't find it, I, members on my Team, and I'm sure others, were exporting the .CER type certificate, which does not work and is not accepted by the SCUP product.
So what should be known and what I've discovered is the following:
Must use a .PFX Personal Information Exchange certificate when importing a Cert into SCUP under the Setting Option. Since this is a .PFX cert which holds the Public and Private Key, you do not want to deploy this type of certificate on client machines. This would be like giving out your login id and password to everyone that gets the certificate.
What you want to do is export ONLY the Public Key portion of the PFX certificate, which then will be a .CER certificate built from the .PFX certificate and only has the Public Key. Then you can use Group Policy to deliver the certificate to clients.
So I would see the steps as follows:
On the WSUS/SCUP Server
Step 1. Click Start -> Run -> MMC
Step 2. File -> Add/Remove Snap-In -> Add -> Certificates
Step 3. Choose Computer account -> Local Computer -> Add -> Close -> OK
Step 4. Expand Certificates (Local Computer) -> Expand WSUS -> Click Certificates
Step 5. Find the Certificate you created for use with WSUS/SCUP, or find the Self-Signing certificate automatically created by SCUP, Right Click it -> All Tasks -> Export. Must be a .PFX certificate.
Note and Remember: A .PFX Personal Information Exchange certificate holds the Public and Private Key. So 1. you don't want to deploy this type of certificate on client desktop computers, and 2. you do not need this type of certificate in the Trusted Publishers and Trusted Root Certification Authorities store. The .CER type certificate will work just fine and does not have the Public Key associated with it.
Step 6. Click Next -> No, do not export the private key -> Next -> Select Base-64 encoded X.509 (.CER) -> Provide a location to export the certificate to -> Next -> Finish, to export the certificate.
Note: Base-64 encoded X.509 (.CER) is the highest encryption method that you can export to a (.CER) certificate.
For Provisioning the Certificate on the WSUS/SCUP server.
Step 7. Expand Certificates (Local Computer) -> Expand Trusted Publishers -> Click Certificates -> All Tasks -> Import -> Next -> Browse to the cert.CER file you just exported -> Next -> Ensure Place all certificates in the following store is selected. -> Next -> Finish, to complete importing the certificate.
Step 8. Expand Certificates (Local Computer) -> Expand Trusted Root Certificate Authorities -> Click Certificates -> All Tasks -> Import -> Next -> Browse to the cert.CER file you just exported -> Next -> Ensure Place all certificates in the following store is selected. -> Next -> Finish, to complete importing the certificate.
Now you only have the Public Key in these stores: "Trusted Root Certificate Authorities" and "Trusted Publishers".
Note: When you Import your own .PFX cert or using the Self-Signing Cert SCUP creates in the WSUS\Certificate Store, You now only have the Public Key for this Cert in one location on the WSUS/SCUP server. This is the most secure way of configuring the SCUP certificate.
Step 9. Perform Steps 7 and 8 to import the certificate manually on client machines. Or you can use Group Policy to deploy the cert.cer to client machines.
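The export in Step 6 and the two imports in Steps 7 and 8, scripted in PowerShell as an added example that is not from this thread. It assumes the signing certificate is in the LocalMachine\WSUS store, that its subject contains "WSUS Publishers Self-signed" (change the filter for a PKI-issued cert), and an output path of C:\Temp\scup-signing.cer; it uses the .NET X509 classes so it does not depend on the PKI module.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the WSUS/SCUP server.
$SubjectFilter = 'WSUS Publishers Self-signed'   # assumption: adjust to your certificate's subject
$CerPath       = 'C:\Temp\scup-signing.cer'      # assumption: where the public-only .cer is written

# Step 5: locate the signing certificate in the WSUS store.
$cert = Get-ChildItem -Path Cert:\LocalMachine\WSUS |
        Where-Object { $_.Subject -like "*$SubjectFilter*" } |
        Select-Object -First 1
if (-not $cert) { throw "No certificate matching '$SubjectFilter' in Cert:\LocalMachine\WSUS" }

# Step 6: export ONLY the public certificate. X509ContentType::Cert can never carry the
# private key; the result is written as Base-64 encoded X.509 (.CER).
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$pem = "-----BEGIN CERTIFICATE-----`r`n" +
       [Convert]::ToBase64String($der, [System.Base64FormattingOptions]::InsertLineBreaks) +
       "`r`n-----END CERTIFICATE-----"
Set-Content -Path $CerPath -Value $pem -Encoding Ascii

# Check before distributing: no private key, and the file really is the source cert.
$exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
if ($exported.HasPrivateKey) { throw 'Exported file contains a private key; do not distribute it' }
if ($exported.Thumbprint -ne $cert.Thumbprint) { throw 'Exported certificate does not match the source' }

# Steps 7 and 8: import the .cer into a LocalMachine store, skipping it if already present.
# The same function, given the .cer file, performs Step 9 on a client machine.
function Import-PublicCert {
    param([string]$Path, [string]$StoreName)
    $c     = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, 'LocalMachine')
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try {
        $found = $store.Certificates.Find('FindByThumbprint', $c.Thumbprint, $false)
        if ($found.Count -eq 0) { $store.Add($c) }
    } finally { $store.Close() }
}
Import-PublicCert -Path $CerPath -StoreName 'TrustedPublisher'   # Trusted Publishers
Import-PublicCert -Path $CerPath -StoreName 'Root'               # Trusted Root Certification Authorities

# Confirm both stores now hold the public certificate, matched by thumbprint.
foreach ($s in 'TrustedPublisher', 'Root') {
    $hit = Get-ChildItem "Cert:\LocalMachine\$s" | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    '{0,-16} {1}' -f $s, $(if ($hit) { 'present' } else { 'MISSING' })
}
```

For Group Policy delivery of the same .cer file, the certificate goes under Computer Configuration -> Windows Settings -> Security Settings -> Public Key Policies, once for each of the two stores.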
Richard Dixon MSFT Sr Systems Engineer
- Hi,
I am not sure if this is a cert error but maybe Wally you can help me.
When I set up SCUP I am using Dell and HP SCUP catalogs, and I want to refresh when I start SCUP.
But all the time I get this error (I did not get this some time ago)
DownloadSignature: ftp://ftp.dell.com/catalog/DellSDPCatalog.xml was downloaded successfully.
CatalogSignature: Unable to deserialize using the signature file C:\Users\xarsagi\AppData\Local\Temp\2\tmp2B64.tmp, exception: There is an error in XML document (1, 2).
Download Signature: Failed to Create From SignatureFile There is an error in XML document (1, 2).
DownloadSignature: ftp://ftp.dell.com/catalog/DellSDPCatalog.cab was downloaded successfully.
Hash matches for ftp://ftp.dell.com/catalog/DellSDPCatalog.cab. Catalog will not be added to changed list.
Otherwise I can publish anything I want, so I think this is not a cert issue... Also, if I import manually it works.
Thanks
Robi
- The log lines you are seeing, "CatalogSignature: Unable to deserialize using the signature file C:\Users\xarsagi\AppData\Local\Temp\2\tmp2B64.tmp, exception: There is an error in XML document (1, 2).", are no issue. It just means the DellSDPCatalog.xml file wasn't there (or was the wrong file). Here is the process SCUP uses to determine if the catalog has been updated since your last import.
1. SCUP attempts to download signature file (<catalogname>.xml).
1a. If signature file is missing (common if ISV does not post file along with catalog), SCUP will then download full catalog file.
2. SCUP checks hash value in signature file (or catalog) to compare to last imported catalog.
3. If hash values match then skips catalog and moves on to the next one to compare.
4. If hash does not match then SCUP displays the catalog in the "Catalog Updates" dialog in the center pane under "Links and Resources"
In your case the signature file is missing or it is not the real signature file. SCUP then downloads the actual catalog cab file and checks it. The "Hash matches ..." log entry just means the catalog you have imported is the same one that Dell currently has posted.
Hope that helps.
These postings are provided "AS IS" with no warranties, and confer no rights.
Proposed As Answer by Hakka0709 Tuesday, October 06, 2009 7:11 AM
- Hi,
Thanks a lot! You were right... the file was removed from HP and Dell (don't know why yet).
Regards
Robi