Actually no. SCUP is just requesting WSUS generate the self-signed cert so you do need to flip the registry value for this to work.
J

From: [email protected] On Behalf Of Corkill, Daniel
Sent: Tuesday, June 6, 2017 6:02 PM
To: [email protected]
Subject: [mssms] RE: Cert for SCUP

No problem; appreciate the clarification. Don’t think it’ll be a problem anyway as long as WSUS still supports self-signed certs – the generation of the cert is handled by SCUP itself (as you know).

From: [email protected] On Behalf Of Jason Sandys
Sent: Wednesday, 7 June 2017 7:08 AM
To: [email protected]
Subject: [mssms] RE: Cert for SCUP

Sorry, this was meant to say I’ve never flipped the reg value in WSUS on Server 2016 – I’ve done it on Server 2012 R2 and it worked fine.

J

From: [email protected] On Behalf Of Jason Sandys
Sent: Monday, June 5, 2017 8:10 PM
To: [email protected]
Subject: [mssms] RE: Cert for SCUP

It’s not to support self-signed certs, it’s to have WSUS be able to create one for you. It’s documented at https://blogs.technet.microsoft.com/wsus/2013/08/15/wsus-no-longer-issues-self-signed-certificates/. I can’t say I’ve tried to flip the reg value on WSUS so I have no idea if it works there or not.

J

From: [email protected] On Behalf Of Corkill, Daniel
Sent: Monday, June 5, 2017 7:03 PM
To: [email protected]
Subject: [mssms] RE: Cert for SCUP

Regarding the self-signed certs being deprecated by WSUS, I’m assuming this applies to WSUS 4.0+? We’re migrating our site server to Server 2016 over the weekend and use a self-signed certificate for SCUP. What reg value are you referring to that needs to be changed to support self-signed certs?

From: [email protected] On Behalf Of Jason Sandys
Sent: Friday, 2 June 2017 4:01 AM
To: [email protected]
Subject: [mssms] RE: Cert for SCUP

This isn’t really SCUP specific in any way. It’s just a code-signing cert used to sign the updates because WSUS requires this. I’m assuming that you’re using the self-signed certificate created by WSUS, correct? If so, then to my knowledge no, there is no way to change this as this is deprecated functionality to begin with – that’s why you had to make the registry change to get it to work in the first place. You need to create your own code-signing cert from your own PKI or purchase one to customize it in any way.

Ultimately though, why does it matter? The cert is simply used to sign updates. Do you really care that this isn’t as secure as using a SHA2 cert? You’re not transmitting state secrets, you’re transmitting already public information.

And finally, the thumbprint hash algorithm is in no way a security issue. The thumbprint is simply a unique id calculated by hashing the cert itself. It provides no actual functionality other than to identify the cert.

J

From: [email protected] On Behalf Of Heaton, Joseph@Wildlife
Sent: Wednesday, May 31, 2017 11:10 AM
To: [email protected]
Subject: [mssms] Cert for SCUP

I’ve gone through the install and config for SCUP, and I have it working, but I just noticed that the cert thumbprint is done with sha1. The cert itself is sha256. Is it difficult to replace this? Is it possible for the SCUP cert to use sha2 for thumbprint? Also, is it possible to add other details to the cert, such as SAN, friendly name, etc?

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA 95811
Desk: (916) 323-1284
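
The following PowerShell is an added example, not part of the original thread and not code from SCUP or WSUS. It illustrates the thumbprint point discussed above: the thumbprint is a SHA-1 hash computed over the certificate's DER bytes by the viewer, separate from the hash algorithm used in the certificate's signature. The function name Get-CertHashSummary and the in-memory test certificate are constructed for the illustration; it assumes PowerShell 7, or Windows PowerShell 5.1 on .NET Framework 4.7.2 or later.

```powershell
# Added example: compare a certificate's thumbprint with its signature algorithm.
# Get-CertHashSummary is a hypothetical helper name, not a built-in cmdlet.
function Get-CertHashSummary {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    # RawData is the complete DER encoding of the certificate, signature included.
    $der    = $Certificate.RawData
    $sha1   = [System.Security.Cryptography.SHA1]::Create()
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    try {
        $sha1Hex   = [System.BitConverter]::ToString($sha1.ComputeHash($der)).Replace('-', '')
        $sha256Hex = [System.BitConverter]::ToString($sha256.ComputeHash($der)).Replace('-', '')
    }
    finally {
        $sha1.Dispose()
        $sha256.Dispose()
    }

    [pscustomobject]@{
        Subject               = $Certificate.Subject
        # Hash + key algorithm the issuer used to sign the certificate contents.
        SignatureAlgorithm    = $Certificate.SignatureAlgorithm.FriendlyName
        SignatureAlgorithmOid = $Certificate.SignatureAlgorithm.Value
        # Identifier computed locally; it is not a field stored in the certificate.
        Thumbprint            = $Certificate.Thumbprint
        ThumbprintIsSha1OfDer = ($Certificate.Thumbprint -eq $sha1Hex)
        # A SHA-256 digest of the same bytes is just another identifier.
        Sha256OfDer           = $sha256Hex
    }
}

# Constructed sample input: a throwaway self-signed certificate, signed with
# SHA-256 and held in memory only (nothing is written to a certificate store).
$rsa     = [System.Security.Cryptography.RSA]::Create(2048)
$request = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
    'CN=Constructed Update Signing Test',
    $rsa,
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$now  = [System.DateTimeOffset]::UtcNow
$cert = $request.CreateSelfSigned($now.AddMinutes(-5), $now.AddDays(1))

Get-CertHashSummary -Certificate $cert | Format-List

$cert.Dispose()
$rsa.Dispose()
```

The same function accepts any X509Certificate2 object, so it can be pointed at an existing publishing certificate to confirm which algorithm actually signed it.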

