Manage Trusted Publishers

Applies To: Windows Server 2008

A growing number of software publishers and application developers sign their software so that users can verify that an application comes from a trusted source. However, many users do not understand, or pay little attention to, the signing certificates associated with the applications that they install.

The policy options on the Trusted Publishers tab of the Certificate Path Validation policy allow administrators to control which certificates can be accepted as coming from a trusted publisher.

Administrators is the minimum group membership required to complete this procedure. Review the details in "Additional considerations" in this topic.

To configure the Trusted Publishers policy for a local computer

  1. Click Start, click Start Search, type mmc, and then press ENTER.

  2. On the File menu, click Add/Remove Snap-in.

  3. Under Available snap-ins, click Local Group Policy Object Editor, click Add, and then click Finish.

  4. If you have no more snap-ins to add to the console, click OK.

  5. In the console tree, go to Local Computer Policy, Computer Configuration, Windows Settings, Security Settings, and then click Public Key Policies.

  6. Double-click Certificate Path Validation Settings, and then click the Trusted Publishers tab.

  7. Select the Define these policy settings check box, implement the changes you want, and then click OK to apply the new settings.

Domain Administrators is the minimum group membership required to complete this procedure. Review the details in "Additional considerations" in this topic.

To configure the Trusted Publishers policy for a domain

  1. Open Server Manager, and under Features Summary, click Add Features. Select the Group Policy Management check box, click Next, and then click Install.

  2. After the Installation Results page shows that the installation of the Group Policy Management Console (GPMC) was successful, click Close.

  3. Click Start, point to Administrative Tools, and then click Group Policy Management.

  4. In the console tree, double-click Group Policy Objects in the forest and domain containing the Default Domain Policy Group Policy object (GPO) that you want to edit.

  5. Right-click the Default Domain Policy GPO, and then click Edit.

  6. In the GPMC, go to Computer Configuration, Windows Settings, Security Settings, and then click Public Key Policies.

  7. Double-click Certificate Path Validation Settings, and then click the Trusted Publishers tab.

  8. Select the Define these policy settings check box, implement the changes you want, and then click OK to apply the new settings.

Administrators is the minimum group membership required to complete this procedure. Review the details in "Additional considerations" in this topic.

To allow only administrators to manage certificates used for code signing for a local computer

  1. Click Start, click Start Search, type mmc, and then press ENTER.

  2. On the File menu, click Add/Remove Snap-in.

  3. Under Available snap-ins, click Local Group Policy Object Editor, click Add, and then click Finish.

  4. If you have no more snap-ins to add to the console, click OK.

  5. In the console tree, go to Default Domain Policy or Local Computer Policy, Computer Configuration, Windows Settings, Security Settings, and then click Public Key Policies.

  6. Double-click Certificate Path Validation Settings, and then click the Trusted Publishers tab.

  7. Select the Define these policy settings check box.

  8. Under Trusted publisher management, click Allow only all administrators to manage Trusted Publishers, and then click OK to apply the new settings.

Domain Administrators is the minimum group membership required to complete this procedure. Review the details in "Additional considerations" in this topic.

To allow only administrators to manage certificates used for code signing for a domain

  1. Open Server Manager, and under Features Summary, click Add Features. Select the Group Policy Management check box, click Next, and then click Install.

  2. After the Installation Results page shows that the installation of the GPMC was successful, click Close.

  3. Click Start, point to Administrative Tools, and then click Group Policy Management.

  4. In the console tree, double-click Group Policy Objects in the forest and domain containing the Default Domain Policy GPO that you want to edit.

  5. Right-click the Default Domain Policy GPO, and then click Edit.

  6. In the GPMC, go to Computer Configuration, Windows Settings, Security Settings, and then click Public Key Policies.

  7. Double-click Certificate Path Validation Settings, and then click the Trusted Publishers tab.

  8. Select the Define these policy settings check box, implement the changes you want, and then click OK to apply the new settings.
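To confirm on a client that the setting from the procedures above actually applied, the following added example (not part of the original topic) reads the policy value and lists the machine Trusted Publishers store without changing anything. It assumes the registry path and flag values defined as the CERT_TRUST_PUB_* constants in wincrypt.h, which this topic does not list; the function names are hypothetical.

```powershell
# Added example: read-only audit of the Trusted Publishers policy on this computer.
# Assumption: path and bit values come from the CERT_TRUST_PUB_* constants in wincrypt.h.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\Safer'

function Get-TrustedPublisherPolicy {
    param([string]$Path = $PolicyKey)

    $flags = $null
    if (Test-Path $Path) {
        $item = Get-ItemProperty -Path $Path -Name AuthenticodeFlags -ErrorAction SilentlyContinue
        if ($item) { $flags = [int]$item.AuthenticodeFlags }
    }
    if ($null -eq $flags) {
        # "Define these policy settings" was never selected, or the GPO has not applied yet.
        return New-Object PSObject -Property @{ Defined = $false }
    }

    # Low two bits select who may manage Trusted Publishers.
    switch ($flags -band 0x3) {
        0 { $who = 'Administrators and users' }
        1 { $who = 'Only all administrators' }
        2 { $who = 'Only enterprise administrators' }
        default { $who = 'Unrecognized value' }
    }

    New-Object PSObject -Property @{
        Defined                  = $true
        RawFlags                 = ('0x{0:X}' -f $flags)
        ManagedBy                = $who
        PublisherRevocationCheck = [bool]($flags -band 0x100)
        TimestampRevocationCheck = [bool]($flags -band 0x200)
    }
}

function Get-TrustedPublisherCertificate {
    # Certificates currently trusted as publishers for the whole computer.
    Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
        Select-Object Subject, Issuer, Thumbprint, NotAfter,
            @{ Name = 'Expired'; Expression = { $_.NotAfter -lt (Get-Date) } }
}

Get-TrustedPublisherPolicy | Format-List
Get-TrustedPublisherCertificate | Format-Table -AutoSize
```

For a domain GPO, run `gpupdate /force` on the client first so the check reflects the current policy rather than a cached one.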

Additional considerations

  • Group Policy options can only be changed by an administrator.