
PKI Certificate for Third-Party Update Code-Signing in SCCM


Justin Chalfant:

In this video guide, we will cover how you can use a code-signing certificate from an Active Directory Certificate Services infrastructure or from a public certificate authority such as DigiCert for signing third-party software updates in Microsoft System Center Configuration Manager (SCCM). Using a trusted PKI-based code-signing certificate can be an alternative to using a self-signed certificate.

Topics in Video:
* Create the code-signing certificate templates needed for the WSUS signing feature
* Issuing the certificate template for deployment
* How to request the cert from a machine
* Exporting the requested certificate to a PFX file
* Review the Configuration Manager 1806 option to allow ConfigMgr to manage the WSUS certificate
* Importing PFX file to WSUS using the publishing service
* Sync the SUP and review wsyncmgr.log to verify ConfigMgr received the imported code-signing PFX certificate
* Add catalog and publish a third-party update to verify the .CAB file is signed using the PFX certificate
* Switch to use a third-party code-signing certificate from DigiCert
* Verify SCCM switches from using the code-signing certificate from AD CS to DigiCert's code-signing certificate

Helpful Resources:
* Publishing Service Download
* System Center Updates Publisher Download
* Enable third-party updates
* Automatically manage the WSUS signing certificate
* Manually manage the WSUS signing certificate

What would be the reason to use a PKI cert rather than letting SCCM create and manage the cert?

Justin Chalfant:
PKI is generally considered a little more best-practice since certs are issued from a trusted CA and can be more easily revoked. Here are some resources that may be helpful

