Recently having installed SCUP and set it up to publish updates using an internal CA I needed to deploy the custom certificate to all the client machines so that they will receive and install the updates correctly. It turns out that the place to install a “Trusted publisher” certificate is not where you would think.
- Open “Group Policy Manager”
- Under Computer Configuration – Windows Settings – Security Settings – Software Restriction Policies
- Right click and create a new SR policy if you haven’t got one already
- Under Additional rules right click and create new “Certificate rule”
- Click browse and select the exported certificate that is being used to sign the updates (.cer file)
- Change the “Security Level” to Unrestricted otherwise you will stop the computers running any programs!
- Exit out of the windows and that should be all.
Update 1 29/01/2013 – on Server 2012 / 2008 R2 you might get an additional dialogue:
Choose “No” as you don’t want to enforce the rules, just push the certificate out to client machines.
I should also point out that this article was written in 2008 using Server 2003 and I haven’t checked if there is a newer / better way to push out a certificate in newer versions of Windows…
Update 2 – Turns out in newer Group Policy you can deploy the certificate direct to the “Trusted publisher” certificate container see here.
Remember that if you are using a self signed certificate you need to push your stand-alone root into “Trusted Root Certificate Authorities” as well. I’ve not tested if this method works with down level clients like Windows XP