Absolutely. As others have pointed out, the cert *must* have code signing abilities. There's more than one way to get there, but this is an immutable requirement.

Your cert requests need to be approved; i.e., the template you are using has the require approval attribute set. Thus, a cert enrollment admin must go in and approve the request.

:)

From: [email protected] On Behalf Of Kent, Mark
Sent: Thursday, November 12, 2015 3:29 PM
To: [email protected]
Subject: [mssms] RE: SCUP

OK, but in the comments in that blog post (the first post) there are some reported issues and comments that the instructions are not correct. The very first link in this email thread points out that fact, and then says to use the instructions in Mike Shellenberger's blog (the second post). So you are saying that the instructions in Jason Lewis's blog should be the proper method? I'm trying to figure out where the disconnect is here. There seems to be a lot of back and forth as to what works and what is the proper method.

Also, can you tell me why, when I go through "Request New Certificate", it ends up in my Certificate Enrollment Requests folder and not in my Personal folder? I don't create the certs, my PKI admin does, so I am wondering if something needs to be adjusted with the process that he has to follow.

Mark Kent (MCP)
Sr. Desktop Systems Engineer
Computing & Technology Services - SUNY Buffalo State

From: [email protected] On Behalf Of Jason Sandys
Sent: Thursday, November 12, 2015 4:11 PM
To: [email protected]
Subject: [mssms] RE: SCUP

The first post is correct. The second post simply creates a cert that can do anything - a super cert of sorts - very bad practice. The cert you create must have code signing as a capability. This can be set in a variety of ways, including using a template that already has this configured.

:)

From: [email protected] On Behalf Of Kent, Mark
Sent: Monday, November 9, 2015 11:03 AM
To: [email protected]
Subject: [mssms] RE: SCUP

This is where things get confused again. You said it's "a Code Signing cert". Yet, in the link you provided, it says that the info mentioned in http://blogs.technet.com/b/jasonlewis/archive/2011/07/12/system-center-updates-publisher-signing-certificate-requirements-amp-step-by-step-guide.aspx (where it tells you to use a Code Signing cert) is not correct. Instead it says to follow https://mikeshellenberger.wordpress.com/2010/09/02/system-center-updates-publisher-microsoft-pki/ (where it tells you to use a Computer template).

I had my cert guy follow the first blog, found some discrepancies, read the comments and was told that this blog was not correct. Then I read that the second blog is the more correct one. I just had my cert guy kill the first cert and make a new one following the second blog. Please don't tell me that this too is not correct?

We are on SCCM 2012, Server 2012 (non R2) with WSUS 4.0. I have SCUP 2011 installed on the SCCM server.

Mark Kent (MCP)
Sr. Desktop Systems Engineer
Computing & Technology Services - SUNY Buffalo State

From: [email protected] On Behalf Of Nash Pherson
Sent: Tuesday, November 3, 2015 6:39 PM
To: [email protected]
Subject: [mssms] RE: SCUP

No. It's a Code Signing certificate, not a client auth cert, used by WSUS/SCUP to sign the update. But you can create a template in your PKI for issuing that Code Signing cert so that updates WSUS/SCUP signs with the cert will already be trusted by your clients. If you use a self-signed cert, it must be distributed to the Trusted Root and Trusted Publishers stores on all the devices.

http://myitforum.com/myitforumwp/2012/08/20/a-better-guide-to-setting-up-scup-with-a-microsoft-pki/

I hope that helps,
Nash

Nash Pherson
Microsoft MVP, Enterprise Client Management
Senior Systems Consultant
O: 651-796-1168 C: 507-304-0946
1645 Energy Park Drive Ste. 200, St. Paul, MN 55108
www.nowmicro.com

From: [email protected] On Behalf Of Chian, Richard R
Sent: Tuesday, November 3, 2015 3:08 PM
To: [email protected]
Subject: [mssms] SCUP

My current environment: Config Manager 2012 SP1 with internal PKI infrastructure. We want to implement SCUP and would like to know if we can use the current machine's client authentication cert used by CM, instead of having to create a new cert for SCUP and having to deploy it to all clients?

Appreciate the responses.
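The replies above make three checks concrete: the cert must carry the Code Signing EKU (Jason Sandys), a request stuck in "Certificate Enrollment Requests" has simply not been approved yet, and on clients the signer must be in Trusted Publishers with its issuer in Trusted Root (Nash Pherson). The PowerShell below is an added example, not code from anyone in this thread; the function name and the thumbprint placeholder are assumptions.

```powershell
# Added example (not from the thread). Checks one candidate SCUP signing cert:
# issued (not pending), has a private key, carries the Code Signing EKU, and is
# trusted on this machine via Trusted Publishers + Trusted Root.
function Test-ScupSigningCert {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint   # hypothetical input: your cert's thumbprint
    )
    $codeSigningOid = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning
    $ekuOid         = '2.5.29.37'           # Enhanced Key Usage extension
    $ok = $true

    # 1. A pending request sits in REQUEST ("Certificate Enrollment Requests" in the MMC)
    #    until a CA manager approves it; the issued cert then lands in My ("Personal").
    $cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object Thumbprint -eq $Thumbprint
    if (-not $cert) {
        if (Get-ChildItem Cert:\CurrentUser\REQUEST -ErrorAction SilentlyContinue |
                Where-Object Thumbprint -eq $Thumbprint) {
            Write-Warning 'Still a pending request: the template requires CA manager approval.'
        } else {
            Write-Warning "Certificate $Thumbprint not found in CurrentUser\My."
        }
        return $false
    }
    if (-not $cert.HasPrivateKey) { Write-Warning 'No private key: SCUP cannot sign with it.'; $ok = $false }

    # 2. EKU must list Code Signing. No EKU extension at all means an unrestricted
    #    "super cert" of the kind the thread calls bad practice, so fail that too.
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq $ekuOid }
    if (-not $eku) {
        Write-Warning 'No EKU extension: certificate is unrestricted (do not use).'; $ok = $false
    } elseif (-not ($eku.EnhancedKeyUsages | Where-Object Value -eq $codeSigningOid)) {
        Write-Warning 'EKU present but Code Signing (1.3.6.1.5.5.7.3.3) is missing.'; $ok = $false
    }

    # 3. Client-side trust: signer in Trusted Publishers, issuer in Trusted Root.
    #    For a self-signed cert Issuer equals Subject, so the same cert must be in both stores.
    if (-not (Get-ChildItem Cert:\LocalMachine\TrustedPublisher | Where-Object Thumbprint -eq $cert.Thumbprint)) {
        Write-Warning 'Signing cert is not in LocalMachine\TrustedPublisher on this machine.'; $ok = $false
    }
    if (-not (Get-ChildItem Cert:\LocalMachine\Root | Where-Object Subject -eq $cert.Issuer)) {
        Write-Warning "Issuer '$($cert.Issuer)' is not in LocalMachine\Root on this machine."; $ok = $false
    }
    return $ok
}

# Usage (placeholder thumbprint; run on the SCUP host, then on a managed client):
# Test-ScupSigningCert -Thumbprint '<THUMBPRINT-OF-YOUR-SCUP-CERT>'
```

Run it on the SCUP server for checks 1 and 2 and on a sample client for check 3; a cert that passes on the server but fails check 3 on clients is the self-signed distribution problem Nash describes.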
