How to Configure the Digital Certificate on Client Computers

In System Center Updates Publisher, a digital certificate is used to sign the software update catalog before it can be published to the update server. For more information about configuring the update server and creating the certificate that is used to sign the updates catalog, see How to Configure the Update Server. For more information about configuring the signing certificate on the update server, see How to Configure the Digital Certificate on the Update Server.

On client computers, the Windows Update Agent (WUA) will scan for the updates from the catalog, but will fail to install the update unless it can locate the digital certificate in the Trusted Publishers store on the local computer. If a self-signed certificate was used when publishing the updates catalog, such as WSUS Publishers Self-signed, the certificate must also be in the Trusted Root Certification Authorities certificate store on the local computer to verify the validity of the certificate.

There are several methods for configuring certificates on client computers, such as using Group Policy and the Certificate Import Wizard or by using the certutil utility and software distribution. Use one of the following procedures for the steps to configure the signing certificate on client computers.

To configure a self-signing certificate on client computers

  1. Click Start, click Run, type MMC in the text box, and then click OK to open the Microsoft Management Console (MMC).

  2. Click File, click Add/Remove Snap-in, click Add, click Certificates, click Add, select Computer account, and then click Next.

  3. Select Another computer, type the name of the update server or click Browse to find the update server computer, click Finish, click Close, and then click OK.

  4. Expand Certificates (update server name), expand WSUS, and then click Certificates.

  5. Right-click the certificate in the results pane, click All Tasks, and then click Export. Complete the Certificate Export Wizard using the default settings to create an export certificate file with the name and location specified in the wizard.

  6. Use a method to add the certificate used to sign the updates catalog to each client computer that will use WUA to scan for the updates in the catalog. Add the certificate on the client computer as follows:

    • For self-signed certificates: Add the certificate to the Trusted Root Certification Authorities and Trusted Publishers certificate stores.

    • For certification authority (CA) issued certificates: Add the certificate to the Trusted Publishers certificate store.

    Note

    The WUA also checks whether the Allow signed content from intranet Microsoft update service location Group Policy setting is enabled on the local computer. This policy setting must be enabled for WUA to scan for the updates that were created and published with Updates Publisher. For more information about enabling this Group Policy setting, see How to Configure Group Policy on Client Computers.

To deploy the WSUS self-signed certificate using software distribution and certutil.exe

  1. Export the WSUS Publishers Self-signed certificate and public key to a directory on the local computer.

  2. Copy the Certutil.exe and Certadm.dll files to the same directory as the exported files. Certutil.exe is a command-line program that is installed as part of Certificate Services in the Windows ServerĀ 2003 family and both files are installed in %windir%\system32, by default.

  3. Create a software distribution package containing the files from step 1 and step 2. For more information, see How to Create a Package (http://go.microsoft.com/fwlink/?LinkId=108444)

  4. Add a software distribution program that runs the following command-line: certutil.exe -addstore TrustedPublisher wsus.cer, where TrustedPublisher is the name of the certificate store and wsus.cer is the name of the exported certificate. For more information about creating a software distribution program, see How to Create a Program (http://go.microsoft.com/fwlink/?LinkId=108446). For more information about certutil.exe, see the Certutil Web site on TechNet (http://go.microsoft.com/fwlink/?LinkId=108447)

  5. Create an advertisement for distributing the package and program to the appropriate collection. For more information, see How to Create an Advertisement (http://go.microsoft.com/fwlink/?LinkId=108449).

See Also

Tasks

How to Configure Group Policy on Client Computers
How to Configure the Digital Certificate on the Update Server
How to Configure the Update Server

Concepts

Updates Publisher Administrator Checklist