How to Expand WSUS Updates: Code Signing Certificate

There are many different methods of deploying software updates and tools, but over the last few days I have found a scenario which has called for a little creative thinking as I have a special requirement to ensure that most (not all) of my domain joined machines are automatically deployed with the SCCM client. For various reasons I have chosen to address the solution for this scenario through the use of Windows Server Update Services (WSUS). This is the first in a series of posts on WSUS updates. In today’s post we’ll prepare the code signing certificate.

The process I will cover today is good for about any update you wish to deploy, but this particular article is focused on using a WSUS server only. I’m aware that SCCM has some far better functions and features for deploying updates, which are built upon the foundation of WSUS – I will come back to in a later series of posts, but for now, we will implement the solution with Core Services only.

System Center Update Publisher (SCUP)

Begin by downloading and installing the current release of the System Center Update Publisher application (at the time of writing this is still System Center Update Publisher 2011) to your management station. The package itself is only 5Mb in size, and the installation wizard only asks a single question (where should it place the installed files).

Launch the update publisher, and you will be quickly presented with its console. The purpose of the update publisher is to permit us to advertise additional updates and content to our systems via WSUS or Configuration Manager Update Services. We are going to leverage this functionality to learn just how easy and powerful it is, as we take a normal, MSI-based installation and work through the process of advertising this to our clients.

There are a number of distinct steps we will have to walk through to complete the process. Some of these are one-time-only steps, as we also need to prepare our environment to trust our updates are truly valid and authorized. These steps are:

  1. Sign updates using a code signing certificate
  2. Enable clients to trust and apply our updates
  3. Configure SCUP
    • Defining the Vendor and Product
    • Staging the Update
    • Packaging the Update
    • Publishing the Update
  4. WSUS Approvals
  5. Update Application Verification
  6. Troubleshooting

In this post we’ll get the code signing certificate prepared, and in two following posts we’ll work within the SCUP tool to package and publish the update. In the final post we will then ensure that the update is approved and applying to our target systems

WSUS Updates: Code Signing Certificate

In order to successfully deploy our internally published updates, we must make provisions for issuing and trusting a Code Signing certificate for the purpose.

The Code Signing certificate should preferably be created from your internal PKI. SCUP requires that your Code Signing certificate to be presented in a file format. It must contain both the public and private keys. It is important to note that the default Windows PKI Code Signing Certificate template does not permit any issued certificates to export their private keys. This is not suitable for our task, so your PKI administrator must create a new template permitting the private key to be exported. This new template should then be utilized for issuing your Code Signing certificate.

Once issued the cert should then be exported to a file for the next stages of the processes.

In the next post, we will take this new certificate, and distribute it to our clients so that they will trust it as a legal signing authority for software publications, and also use this certificate to sign the updates we will publish to WSUS.