Actually, I did create the cert through our PKI. I don't remember doing any reghack to make it work. That said, I agree with your statements. However, our department has been looking at all certs, and the fact that this one didn't have SAN, or a friendly name, raised some concern.
From: [email protected] [mailto:[email protected]] On Behalf Of Jason Sandys
Sent: Thursday, June 01, 2017 11:01 AM
To: [email protected]
Subject: [mssms] RE: Cert for SCUP

This isn't really SCUP specific in any way. It's just a code-signing cert used to sign the updates because WSUS requires this.

I'm assuming that you're using the self-signed certificate created by WSUS, correct? If so, then to my knowledge no, there is no way to change this as this is deprecated functionality to begin with - that's why you had to make the registry change to get it to work in the first place. You need to create your own code-signing cert from your own PKI or purchase one to customize it in any way.

Ultimately though, why does it matter? The cert is simply used to sign updates. Do you really care that this isn't as secure as using a SHA2 cert? You're not transmitting state secrets, you're transmitting already public information.

And finally, the thumbprint hash algorithm is in no way a security issue. The thumbprint is simply a unique id calculated by hashing the cert itself. It provides no actual functionality other than to identify the cert.

J

From: [email protected] [mailto:[email protected]] On Behalf Of Heaton, Joseph@Wildlife
Sent: Wednesday, May 31, 2017 11:10 AM
To: '[email protected]'
Subject: [mssms] Cert for SCUP

I've gone through the install and config for SCUP, and I have it working, but I just noticed that the cert thumbprint is done with sha1. The cert itself is sha256. Is it difficult to replace this? Is it possible for the SCUP cert to use sha2 for thumbprint? Also, is it possible to add other details to the cert, such as SAN, friendly name, etc?

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA 95811
Desk: (916) 323-1284

Every Californian should conserve water.
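The points raised in this thread (thumbprint hash versus signature algorithm, SAN, friendly name, self-signed versus PKI-issued) can be checked for each certificate in a store. The following PowerShell is an added example, not code from any poster in the thread; the function name `Get-CertSigningAudit` is hypothetical and the default store path `Cert:\LocalMachine\WSUS` is an assumption about where the publishing certificate lives on the server.

```powershell
# Added example: report the properties discussed in the thread for each cert in a store.
function Get-CertSigningAudit {
    param(
        # Assumed location of the WSUS/SCUP publishing cert; adjust for your environment.
        [string]$StorePath = 'Cert:\LocalMachine\WSUS'
    )

    $sha1   = [System.Security.Cryptography.SHA1]::Create()
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    try {
        foreach ($cert in Get-ChildItem -Path $StorePath) {
            # The thumbprint is not a field inside the certificate. Windows computes it
            # as SHA-1 over the DER-encoded bytes and uses it only as a lookup identifier.
            $der       = $cert.RawData
            $sha1Hex   = [BitConverter]::ToString($sha1.ComputeHash($der))   -replace '-'
            $sha256Hex = [BitConverter]::ToString($sha256.ComputeHash($der)) -replace '-'

            # Subject Alternative Name extension (OID 2.5.29.17), if the template added one.
            $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }

            # Enhanced Key Usage: Code Signing is OID 1.3.6.1.5.5.7.3.3.
            $eku = $cert.Extensions | Where-Object {
                $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
            }
            $codeSigning = $false
            if ($eku) {
                $codeSigning = @($eku.EnhancedKeyUsages |
                    Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.3' }).Count -gt 0
            }

            [pscustomobject]@{
                Subject               = $cert.Subject
                SelfSigned            = ($cert.Subject -eq $cert.Issuer)
                SignatureAlgorithm    = $cert.SignatureAlgorithm.FriendlyName  # what the CA signed with
                Thumbprint            = $cert.Thumbprint
                ThumbprintIsSha1OfDer = ($sha1Hex -eq $cert.Thumbprint)
                Sha256Fingerprint     = $sha256Hex
                CodeSigningEku        = $codeSigning
                SubjectAltName        = if ($san) { $san.Format($false) } else { '(none)' }
                FriendlyName          = $cert.FriendlyName   # store property, not part of the signed cert
                NotAfter              = $cert.NotAfter
            }
        }
    }
    finally {
        $sha1.Dispose()
        $sha256.Dispose()
    }
}

Get-CertSigningAudit | Format-List
```

`SignatureAlgorithm` is the value a certificate review should look at; `Thumbprint` is a SHA-1 identifier for any certificate in the Windows store, whatever algorithm signed it.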

