Channel: Configuration Manager 2012 - Application Management forum
SCUP 2011 and WSUS for SCCM 2012 using Enterprise PKI


Ok, so my own searches have been fruitless thus far.  I have my SCCM environment configured for HTTPS Only communications.  I have my PKI environment deployed and seems to be working well for software distribution and I have now tested my Software Updates for Windows 7 and that worked accordingly.  My WSUS however is currently still non-encrypted since it is on the same server as SCCM and is working that way.

http://www.youtube.com/watch?v=fyEGWSFWyy0&noredirect=1
http://technet.microsoft.com/en-us/library/hh134775.aspx

Following the great video and Microsoft directions, I am trying to configure SCUP 2011 and am at the stage of Enable publishing to an update server.  The connection tests out fine (after adding my domain user to the 'WSUS Administrators' group).  I then want to select a certificate SIGNED BY MY ENTERPRISE CA to use for the Publisher Signing.  However, I can't find instructions for how or what to do to use my Enterprise CA.  The instructions continually refer to a self-signed certificate, not Enterprise CA, that we then need to force that self-signed out to the Enterprise Root and Trusted Publishers.

http://technet.microsoft.com/en-us/library/hh134732.aspx

Thanks for that Microsoft...again they indicate I can use an Enterprise CA by stating, "For certification authority (CA) issued certificates: Add the certificate to the Trusted Publishers certificate store." but do not provide links for what settings to use.

ALL THAT BEING SAID HERE IS WHAT I HAVE DONE SO FAR:

I went on to my Lab DC and opened the Certificate Authority and duplicated the "Code Signing" template (is this the right one?).  I configured the Private key to be exportable, extended the timeframe to a few years, and configured security to only allow "ConfigMgr WSUS Servers" group (I created and added server to the group) to allow Enrolling.  However, I can't seem to get it to show up.  It appears "Code Signing" may be a user certificate?  Is this right?

After allowing domain admins and enterprise admins to Enroll I can see the template when requesting a user certificate. It just doesn't seem like it should be a user certificate though. Where am I going wrong?

Once I get the right certificate do I still need to push it to "Trusted Publishers"?  Seems like this should be automatic if the certificate has been issued from the Enterprise CA.


Find this post helpful? Does this post answer your question? Be sure to mark it appropriately to help others find answers to their searches.

