LPM DeskTop Publishing Certificate Installation

Version 1

Details

Lumension Patch Manager DeskTop 2.1
Lumension Patch Manager DeskTop 2.0

Installing Certificates

Step 1: Create and Issue a Signing Certificate Template

Log on to your Certification Authority, and then create and issue a signing certificate template. You'll use this template later to export two different certificates.

1. Log on to your Certification Authority using administrative credentials.
2. Open the Certification Authority dialog. Using either the start screen or the start menu, search for Certification Authority and open it.
3. Expand the panel on the left to Certification Authority (local) > Server Name > Certificate Templates.
4. Right-click Certificate Templates and select Manage.
   Step Result: The Certificate Templates Console opens.
5. In the main pane, right-click Code Signing and select Duplicate Template.
6. Select a compatibility setting. Select Windows Server 2008 Enterprise and click OK.
   • For Windows Server 2008, select Windows Server 2008 Enterprise from the dialog that opens.
   • For Windows Server 2012, select Windows Server 2008 from the Certification Authority drop-down.
7. Make sure the General tab is selected, and type a Template display name. You can name it anything you want, but in our example, we're naming it SCUPCodeSigning.
8. Select the Request Handling tab and verify that Allow private key to be exported is selected.
9. Select the Subject Name tab and verify that the Build from this Active Directory information option is selected. Don't edit any of the other options.
10. Select the Extensions tab and verify that the Key Usage extension includes Digital signature. If it doesn't, click Edit and add it.
11. Select the Security tab. Then select the Authenticated Users item and verify that it's configured to allow Read and Enroll permissions.
12. Click OK and then close the Certificate Templates Console dialog.
13. From the certsrv dialog's left panel, select Certification Authority > Server Name > Certificate Templates.
14. Right-click Certificate Templates and select New > Certificate Template to Issue.
15. Select the template you created and click OK. Since we created SCUPCodeSigning earlier in our example, that's what we're selecting.
16. Close the certsrv dialog.

Result: The certificate template is created and issued.
     
     

Step 2: Request the Signing Certificate

After you've created a certificate template using your Certificate Authority (CA), request a certificate from it so that it can be exported.

1. Log on to any computer that is joined to your domain.
2. Open Microsoft Management Console. Using the start menu or the start screen, search for mmc.exe and open it.
3. Add the Certificates snap-in.
   1. Select File > Add/Remove Snap-ins.
   2. From the list on the left, select Certificates and then click Add to add it to the Selected snap-ins.
   3. Leave My user account selected and click Finish.
   4. Click OK.
4. Request the certificate that you created.
   1. From the panel on the left, select Certificates > Personal > Certificates.
   2. From the panel on the left, right-click Certificates and select All Tasks > Request New Certificate.
      Step Result: The Certificate Enrollment dialog opens.
   3. Click Next until you've advanced to the Request Certificates page.
   4. Select the certificate you created and click Enroll. In our example, we're selecting the SCUPCodeSigning certificate.
   5. Click Finish after the request completes.
5. Export the certificate as a .cer file.
   1. From the panel on the left, make sure Certificates > Personal > Certificates is selected.
   2. From the main panel, right-click the certificate you just enrolled and select All Tasks > Export. You may need to scroll to the right to see the certificate name (SCUPCodeSigning in our example).
      Step Result: The Certificate Export Wizard opens.
   3. Click Next.
   4. Select No, do not export the private key.
   5. Leave the DER encoded binary X.509 (.CER) option selected and click Next.
   6. Enter a file name and path for where you want to save the exported certificate. We're naming the exported certificate the same thing and saving it to the desktop: C:\Users\Administrator\Desktop\SCUPCodeSigning.cer
   7. Click Next, review the wizard details, and then click Finish. Click OK to confirm the export.
6. Export the certificate as a .pfx file.
   1. Right-click the certificate you enrolled again and select All Tasks > Export. In our example, we're right-clicking that same SCUPCodeSigning certificate.
   2. Click Next.
   3. Select Yes, export the private key and click Next.
   4. Make sure Personal Information Exchange - PKCS #12 (.PFX) is selected and click Next.
   5. Type and confirm a password (mandatory). Select the Password checkbox if you're using Windows Server 2012.
   6. Enter a file name and path for where you want to save the exported certificate. We're naming the exported certificate the same thing and saving it to the desktop (notice the different extension though): C:\Users\Administrator\Desktop\SCUPCodeSigning.pfx
   7. Click Next, review the wizard details, and then click Finish. Click OK to confirm the export.
7. Close the console. When you close, you'll be asked if you want to save the snap-in. You don't have to because you already have the certificates you need, but it could make life easier if you ever have to redo this process in the future.

Result: The certificate has been exported in both required formats.

After Completing This Task:
Copy the resulting .cer and .pfx certificates to a network share or thumb drive.
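As an added example (not code from the Lumension/HEAT documentation), the following PowerShell does the same work as the .cer and .pfx exports above from a console, and first checks that the enrolled certificate really carries what the Step 1 template was meant to give it: an exportable private key, the Digital Signature key usage, and the Code Signing enhanced key usage. It assumes the template name SCUPCodeSigning and the desktop export path used in the example above, and that the Microsoft certificate template extension on the issued certificate formats with the template name.

```powershell
# Added example, not from the Lumension/HEAT documentation. Assumes the template display
# name and export folder used in the article's example.
$TemplateName   = 'SCUPCodeSigning'
$ExportDir      = 'C:\Users\Administrator\Desktop'
$CodeSigningEku = '1.3.6.1.5.5.7.3.3'        # id-kp-codeSigning
$TemplateOid    = '1.3.6.1.4.1.311.21.7'     # Microsoft certificate template extension

# Locate the certificate enrolled in Step 2 by the template it was issued from
# (assumption: the template extension renders as text containing the template name).
$cert = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
    ($_.Extensions | Where-Object { $_.Oid.Value -eq $TemplateOid } |
        ForEach-Object { $_.Format($false) }) -match $TemplateName
} | Sort-Object NotBefore -Descending | Select-Object -First 1

if (-not $cert) {
    throw "No certificate from template '$TemplateName' in Cert:\CurrentUser\My (compare with: certutil -user -store My)"
}

# Checks that mirror the template settings from Step 1.
$ku  = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
$eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }

if (-not $cert.HasPrivateKey) {
    throw 'No private key is associated with the certificate; the .pfx export will fail.'
}
if (-not ($ku.KeyUsages -band [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature)) {
    throw 'Key Usage lacks Digital Signature (check the Extensions tab of the template).'
}
if (-not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $CodeSigningEku })) {
    throw 'Certificate does not carry the Code Signing enhanced key usage.'
}

# The same two files the Certificate Export Wizard produces: public certificate only (.cer)
# and PKCS #12 with the private key (.pfx). Export-PfxCertificate fails unless the template
# allowed the private key to be exported (Request Handling tab in Step 1).
Export-Certificate -Cert $cert -FilePath (Join-Path $ExportDir "$TemplateName.cer") -Type CERT | Out-Null
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath (Join-Path $ExportDir "$TemplateName.pfx") -Password $pfxPassword | Out-Null

"Exported {0} (thumbprint {1}, expires {2:d})" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter
```

The .pfx holds the signing private key, so when it goes onto the share or thumb drive, limit access to the people who will perform Step 4, and remove it from the share once the WSUS server has it.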
      
     
     

Step 3: Deploy the Signing Certificate to Your Domain

Now that you have a certificate, you must deploy it to your enterprise workstations using a Group Policy Object.

Prerequisites:
Move the CER certificate you created to the domain controller. Use a network share or a thumb drive.

1. Log on to your domain controller as a user with administrative access rights.
2. Open the Group Policy Management dialog. Using the start screen or start menu, search for group policy management and open it.
3. From the panel on the left, right-click your domain and select Create a GPO in this domain, and Link it here.
4. Name the GPO. You can name it whatever you want, but we're naming ours SCUP Code Signing.
5. Edit the Group Policy Object you just created.
   1. From the main pane, make sure the Linked Group Policy Objects tab is selected.
   2. Right-click your policy and make sure Enforced is selected.
   3. From the main pane, right-click the policy and select Edit.
      Step Result: The Group Policy Management Editor opens.
6. Import your .cer certificate into Trusted Root Certification Authorities.
   1. From the panel on the left, select Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities.
   2. Right-click Trusted Root Certification Authorities and select Import.
      Step Result: The Certificate Import Wizard opens.
   3. Click Next.
   4. Click Browse and navigate to the .cer certificate you exported earlier. Click Open. In our example, we're navigating to the SCUPCodeSigning.cer certificate we created earlier.
   5. Click Next.
   6. Make sure Place all certificates in the following store is selected and click Next.
   7. Click Finish.
   8. Click OK and close the Group Policy Management Editor and the Group Policy Management dialog.
7. Import your .cer certificate into Trusted Publishers.
   1. From the panel on the left, select Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Publishers.
   2. Right-click Trusted Publishers and select Import.
      Step Result: The Certificate Import Wizard opens.
   3. Click Next.
   4. Click Browse and navigate to the .cer certificate you exported earlier. Click Open. In our example, we're navigating to the SCUPCodeSigning.cer certificate we created earlier.
   5. Click Next.
   6. Make sure Place all certificates in the following store is selected and click Next.
   7. Click Finish.
   8. Click OK and close the Group Policy Management Editor and the Group Policy Management dialog.
8. Push out the group policy so that the WSUS Server has it before you install HEATsoftware Patch Manager DeskTop. The HEATsoftware Patch Manager DeskTop installer checks for the certificates, and pushing out the policy ensures the certificate is there.
   1. Open a command prompt.
   2. Enter the following command:
      gpupdate /force
   3. Close the command prompt.

Result: The certificate is added to the Group Policy Object. Your domain will receive the certificate when the GPO is pushed out.
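The following is an added example (not part of the Lumension/HEAT documentation) for confirming, on the WSUS server, that the GPO actually delivered the certificate to both stores the installer checks. It assumes SCUPCodeSigning.cer from Step 2 was copied to the WSUS server at the path shown. Note that gpupdate refreshes policy only on the machine where it runs, so the script runs it on the WSUS server itself rather than relying on the run from the domain controller.

```powershell
# Added example, not from the Lumension/HEAT documentation. Run on the WSUS server.
# Assumption: SCUPCodeSigning.cer from Step 2 was copied to the path below.
$CerPath = 'C:\Users\Administrator\Desktop\SCUPCodeSigning.cer'
$Stores  = @('Cert:\LocalMachine\Root', 'Cert:\LocalMachine\TrustedPublisher')

# gpupdate only refreshes policy on the machine it runs on, so run it here, not just on the DC.
gpupdate /force /target:computer

# The thumbprint of the file imported into the GPO is what must appear in the stores.
$expected = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath
"Expecting: $($expected.Subject)  thumbprint $($expected.Thumbprint)"

$missing = @()
foreach ($store in $Stores) {
    $found = Get-ChildItem -Path $store | Where-Object { $_.Thumbprint -eq $expected.Thumbprint }
    if ($found) { "OK       $store" } else { "MISSING  $store"; $missing += $store }
}

if ($missing) {
    # Usual causes: the GPO is not linked or enforced where this machine lives,
    # or a different .cer was imported than the one exported in Step 2.
    gpresult /r /scope computer
    throw "Certificate missing from: $($missing -join ', ')"
}

# A certificate that is present but outside its validity window is no use to the installer either.
$now = Get-Date
if ($now -lt $expected.NotBefore -or $now -gt $expected.NotAfter) {
    throw "Certificate is valid only from $($expected.NotBefore) to $($expected.NotAfter)"
}
'Certificate is present in both stores and within its validity window; proceed with Step 4.'
```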
     
     

Step 4: Deploy the Signing Certificate to WSUS

Finally, you must add the certificate to your Windows Server Update Services server.

Prerequisites:
Move the PFX certificate you created earlier to the WSUS server. Use a network share or a thumb drive.

Complete this procedure from your WSUS server.

1. Log on to your WSUS server as a user with administrative access rights.
2. Open System Center Updates Publisher.
3. From the ribbon, select Options.
   Step Result: The System Center Updates Publisher Options dialog opens.
4. From the Signing Certificate section, click the Browse button.
5. Use the dialog controls to browse to the .pfx certificate you exported earlier. Click Open. If there's already a certificate uploaded and you're replacing it, you'll have to dismiss a few notifications.
6. Click Create and enter the password for the certificate. Read the message and click OK. You'll see something similar to the picture below when you're done.
7. From the System Center Updates Publisher Options dialog, click OK.
8. Close System Center Updates Publisher.

Result: The certificate is uploaded to your System Center Configuration Manager server.