As I am dabbling (drowning?) with a PKI and HTTPS, I thought it would be a jolly good idea to use a PKI-generated certificate instead of the SCUP self-signed certificate. How wrong I was.
I created my template the usual way. I won’t reinvent the wheel here. If you need a guide on creating a template, I used this blog.
One thing I would add here is that I did not give Authenticated Users Enrol. Quite why you would want every Tom, Dick and Harry with access to a Certificate that can be exported along with its full private key is beyond me, but then I do admit I am no expert.
Personally I feel this is elevating attack profiles… I gave Enrol to one user account, the account I would be requesting the certificate with.
This leads me to my next niggle. The certificate is a User Based certificate; as such it cannot be requested under the machine account context. This is important as it caused an issue for me later!
The final niggle is the way the certificate is displayed. Being user based, I had to request it with my user account. The certificate was entered into my Personal Store, stamped with my UPN. When exported, it seemed to retain that information. When I deployed the certificate to another PC and a different logon, yup, it appeared in the Trusted Publishers store using my original name.
I already have the stigma of being “the updates man” or perhaps more affectionately, “the man who breaks things with his updates every month”. I really do not want to further reinforce the association between myself and Software Updates.
It appears I was almost alone in my OCD-esque compulsion, but I did find this TechNet post. Whilst I applaud the inventiveness, no effing way am I doing that dirty hack (lol). So I had a think… and as ever, the simplest solution came to me whilst I was anally interfacing with a toilet seat.
Create a user account with the desired name. Well herp derp, kinda obvious huh? So I ended up with this .CER in the Trusted Publisher store:
Great! Well not actually. I made the mistake of adding the certificates manually to the User’s Trusted Publisher, so all the SCUP updates failed to apply. After beating my head against a wall of “it’s a certificate issue”, I suddenly realised it was a certificate issue, but just not quite the one(s) everyone else was getting. Presumably because everyone else wasn’t being one hundred percent dick and adding the certificate to the wrong context.
I popped the certificate into Trusted Publishers under the computer account context, and bizarrely it worked fine. Funny that.
I deployed the .CER via GPO to all domain PCs and manually added it to my WSUS servers; bear in mind that as this is a PKI certificate, it doesn’t need to be added to the Trusted Root Authority a la the self-signed certificate.
Don’t forget to add the .PFX file to SCUP.
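To check a client PC after the GPO has applied, here is an added example (my own, not part of the original post or of SCUP) that verifies the certificate landed in the computer-context Trusted Publishers store rather than the user one, still carries the Code Signing application policy, chains to a trusted root, and has no private key on the client. The thumbprint is a placeholder for your own .CER.

```powershell
# Added example (not from the original post): verify on a client PC that the
# SCUP signing certificate landed in the store context that actually works.
# $Thumbprint is a placeholder; replace it with the thumbprint of your .CER.
param([string]$Thumbprint = 'PLACEHOLDER_THUMBPRINT')

$CodeSigningOid = '1.3.6.1.5.5.7.3.3'   # Code Signing EKU

function Test-ScupPublisherCert {
    param([string]$Thumbprint)

    $machine = Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
    $user = Get-ChildItem Cert:\CurrentUser\TrustedPublisher |
        Where-Object { $_.Thumbprint -eq $Thumbprint }

    $result = [ordered]@{
        InMachineStore      = [bool]$machine
        InUserStore         = [bool]$user
        Subject             = $null
        CodeSigningEku      = $false
        ChainsToTrustedRoot = $false
        PrivateKeyPresent   = $false
    }

    if (-not $machine) {
        # The user-context mistake described above: SCUP updates will fail to apply.
        Write-Warning 'Not in LocalMachine\TrustedPublisher (user store only or missing).'
        return [pscustomobject]$result
    }

    # Subject should show the purpose-built account name, not a personal UPN
    $result.Subject = $machine.Subject
    # Application Policies were left on the template, so the EKU must still carry Code Signing
    $result.CodeSigningEku = [bool]($machine.EnhancedKeyUsageList |
        Where-Object { $_.ObjectId -eq $CodeSigningOid })
    # PKI-issued: must chain to a root the machine already trusts (no manual Trusted Root import)
    $result.ChainsToTrustedRoot = $machine.Verify()
    # Only the .CER is deployed to clients; the private key belongs in SCUP's .PFX, nowhere else
    $result.PrivateKeyPresent = $machine.HasPrivateKey

    if (-not $result.CodeSigningEku)      { Write-Warning 'EKU lacks Code Signing' }
    if (-not $result.ChainsToTrustedRoot) { Write-Warning 'Does not chain to a trusted root here' }
    if ($result.PrivateKeyPresent)        { Write-Warning 'Private key present on a client PC' }
    return [pscustomobject]$result
}

Test-ScupPublisherCert -Thumbprint $Thumbprint | Format-List
```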
One final note. I did come across some “better SCUP guides”, such as this one or this one, where they advise removing the Application Policies from the Certificate Template. These do seem to be older guides, and whilst they may have been appropriate for Config Manager 2007, you do not need to do this for Config Manager 2012. Needless to say, the thought of having an unlimited certificate, available to all authenticated users to be exported with a full private key, seems like career suicide.
Leave the Application Policies alone – they help limit what the certificate can be used for 🙂