Deploying a Trusted Publishers Certificate through Group Policy

In System Center Updates Publisher, a digital certificate is used to sign the software update catalog before it can be published to the update server. For more information about configuring the update server and creating the certificate that is used to sign the updates catalog, see How to Configure the Update Server. For more information about configuring the signing certificate on the update server, see How to Configure the Digital Certificate on the Update Server.

On client computers, the Windows Update Agent (WUA) will scan for the updates from the catalog, but will fail to install the update unless it can locate the digital certificate in the Trusted Publishers store on the local computer. If a self-signed certificate was used when publishing the updates catalog, such as WSUS Publishers Self-signed, the certificate must also be in the Trusted Root Certification Authorities certificate store on the local computer to verify the validity of the certificate.

“Trusted Publishers Certificates” are certificates from certification authorities that are trusted by Software Restriction policies. "Software Restriction Policies" (SRP) are a way to describe what software you will, or won't, run. SRP allows you to add a "Certificate Rule", which states that "all code signed with this certificate is immediately allowed". Finally, a Certificate Rule for SRP can be applied through a Group Policy Object.
This functionality allows us to deploy a certificate and establish trust in it across the entire domain using Group Policy.

Process Steps

Export the WSUS Certificate from the WSUS Server

  1. Click Start > Run and then in the Open box, type certmgr.msc
  2. Click OK
  3. Expand Trusted Publishers and click on Certificates
  4. In the details pane, right-click on WSUS Publishers Self-signed and select All Tasks > Export…
  5. In the Certificate Export Wizard, click Next, Next, Next
  6. Type the file name to use for saving the certificate (“wsus.cer” is used in this example).
  7. Click Next, then Finish
  8. Close the certmgr MMC console.

Create a Certificate Trust List

  1. Open Active Directory Sites and Services
  2. Right-click on your site name and select Properties
  3. Click on the Group Policy tab
  4. If “Default Domain Policy” appears in the list, go to step 6. Otherwise, click Add
  5. Select Default Domain Policy from the list of objects and click OK
  6. With Default Domain Policy selected, click Edit.
  7. In the Group Policy Object Editor, expand Windows Settings > Security Settings > Public Key Policies
  8. Right-click on Enterprise Trust and select New > Certificate Trust List
  9. In the Certificate Trust List Wizard, select the checkbox for Code Signing in the Designate purposes list, then click Next
  10. At the “Certificates in the CTL” page, click Add from File and select the WSUS certificate you exported earlier. Click Next.
  11. On the next page, click Select from Store and highlight the WSUS certificate and click OK.
  12. Click Next to accept the defaults on the “Timestamping” page
  13. Enter a name for the CTL (such as “WSUS”) in the Friendly name box and click Next
  14. Click Finish to complete the wizard.

Create a Software Restriction Policy

  1. Within the Group Policy Object Editor, go to Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies
  2. If no policies are currently defined, right-click Software Restriction Policies and select New Software Restriction Policies
  3. In the details pane, right-click on Additional Rules and select New Certificate Rule…
  4. Click Browse, then select the certificate you exported from WSUS earlier.
  5. In the Security Level drop-down, select Unrestricted and click OK
  6. You should now see the “WSUS Publishers Self-signed” rule.

Applying Group Policy to Clients

  • Group policy should be applied at normal intervals to clients, and as they refresh their policies, these new security rules will become effective. Should you wish to cause the refresh to happen immediately, you can run the following from a command prompt or from Start > Run:
gpupdate /force
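As an added check (not part of the original page), the following PowerShell script, run on a client after its policy has refreshed, confirms that the signing certificate is present in the stores the Windows Update Agent consults: Trusted Publishers always, and Trusted Root Certification Authorities as well when the certificate is self-signed. The subject name WSUS Publishers Self-signed and the LocalMachine store paths are assumptions from the steps above; the script only reports trust, it does not create it.

```powershell
# Added verification example (not from the original page). Checks that the
# WSUS signing certificate landed where WUA looks for it on this client:
#   - Cert:\LocalMachine\TrustedPublisher  (always required)
#   - Cert:\LocalMachine\Root              (required only if self-signed)
# Assumption: the subject contains "WSUS Publishers Self-signed"; pass
# -SubjectPattern to check a CA-issued signing certificate instead.
param(
    [string]$SubjectPattern = 'WSUS Publishers Self-signed'
)

function Find-SigningCert {
    param([string]$StorePath)
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.Subject -like "*$SubjectPattern*" }
}

$publisher = Find-SigningCert -StorePath 'Cert:\LocalMachine\TrustedPublisher'
if (-not $publisher) {
    Write-Warning 'Not found in Trusted Publishers: updates from this catalog will not install.'
    exit 1
}

foreach ($cert in $publisher) {
    Write-Output ('Trusted Publishers: {0}  thumbprint {1}  expires {2}' -f
        $cert.Subject, $cert.Thumbprint, $cert.NotAfter)

    # A self-signed certificate has Issuer equal to Subject. In that case the
    # very same certificate (same thumbprint) must also be in Trusted Root CAs.
    if ($cert.Issuer -eq $cert.Subject) {
        $root = Get-ChildItem -Path 'Cert:\LocalMachine\Root' |
            Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
        if ($root) {
            Write-Output '  Self-signed and present in Trusted Root CAs: OK'
        } else {
            Write-Warning '  Self-signed but missing from Trusted Root CAs: validation will fail.'
            exit 2
        }
    } else {
        # CA-issued certificate: confirm the chain builds on this machine.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        if ($chain.Build($cert)) {
            Write-Output '  Certificate chain builds: OK'
        } else {
            Write-Warning '  Certificate chain does not build on this client.'
            exit 2
        }
    }
}
```

Run it from an elevated prompt; a non-zero exit code indicates which store is missing the certificate.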


Last edited Feb 11, 2009 at 7:45 PM by rhearn, version 1
