PKI Certificate for Third-Party Update Code-Signing in SCCM

[Justin Chalfant]

Overview

• In this video guide, we will cover how you can use a code-signing certificate from an Active Directly Certificate Services infrastructure or using a public certificate authority such as DigiCert for signing third-party software updates in Microsoft System Center Configuration Manager (SCCM). Using a trusted PKI based code-signing certificate can be an alternative to using a self-signed certificate.

Topics in Video

• Create the code-signing certificate templates needed for the WSUS singing feature - https://youtu.be/lqapp8j7CHk?t=34
• Issuing the certificate template for deployment - https://youtu.be/lqapp8j7CHk?t=188
• How to request the cert from a machine - https://youtu.be/lqapp8j7CHk?t=206
• Exporting the requested certificate to a PFX file - https://youtu.be/lqapp8j7CHk?t=280
• Review the Configuration Manager 1806 option to allow ConfigMgr to manage the WSUS certificate - https://youtu.be/lqapp8j7CHk?t=327
• Importing PFX file to WSUS using the publishing service - https://youtu.be/lqapp8j7CHk?t=394
• Sync the SUP and review wsyncmgr.log to verify ConfigMgr received the imported code-signing PFX certificate- https://youtu.be/lqapp8j7CHk?t=460
• Add catalog and publish a third-party update to verify the .CAB file is signed using the PFX certificate - https://youtu.be/lqapp8j7CHk?t=536
• Switch to use a third-party code-signing certificate from DigiCert - https://youtu.be/lqapp8j7CHk?t=670
• Verify SCCM switches from using the code-signing certificate from AD CS to DigiCert's code-signing certificate - https://youtu.be/lqapp8j7CHk?t=715

Helpful Resources:

• Publishing Service Download - https://patchmypc.com/publishing-service-setup-documentation
• System Center Updates Publisher Download - https://www.microsoft.com/en-us/download/details.aspx?id=55543
• Enable third-party updates - https://docs.microsoft.com/en-us/sccm/sum/deploy-use/third-party-software-updates
• Automatically manage the WSUS signing certificate - https://docs.microsoft.com/en-us/sccm/sum/deploy-use/third-party-software-updates#automatically-manage-the-wsus-signing-certificate
• Manually manage the WSUS signing certificate - https://docs.microsoft.com/en-us/sccm/sum/deploy-use/third-party-software-updates#manually-manage-the-wsus-signing-certificate
• Manually manage the WSUS signing certificate - https://patchmypc.com/publishing-service-setup-documentation

[RaslDasl]

What would be the reason to use a PKI cert rather than letting SCCM create and manage the cert?

[Justin Chalfant]

PKI is generally considered a little more best-practice since certs are issues from a trusted CA and can be more easily revoked. Here are some resources that may be helpful

https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/self-signed-certificates-secure-so-why-ban/
https://en.wikipedia.org/wiki/Self-signed_certificate