
Create_and_export_the_code_signing_certificate

snarfle Bryan Dam

When LUP first connects to a server it loads that server's WSUS signing certificate information. If no certificate is found, you are prompted to create or import one. If you have LUP create the certificate, WSUS generates a self-signed certificate. If you have an existing certificate you would rather use, you can import it; a certificate you supply yourself must be valid for Code Signing.

Warning: As of this writing, the UI does not provide a way to change the certificate once you select one.

After the certificate is created, use the Tools/Certificate Info/Export Cert command in LUP to save the public certificate (the certificate without its private key) to a file. This certificate must be distributed to every machine that will install locally published updates. Even if you are using a certificate from a trusted authority (Verisign, etc.), you must add it to the Trusted Publishers certificate store on each client; a self-signed certificate additionally has to be in Trusted Root Certification Authorities, otherwise it will not chain and signatures made with it will not validate.
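The export and distribution above can also be scripted. The following PowerShell is an added example and is not part of the LUP wiki or the LUP tool. It assumes the LUP-created certificate has the subject "WSUS Publishers Self-signed" (as this page describes), that the PKI module cmdlets are available (Windows 8 / Server 2012 or later), and that the file paths are placeholders you will replace.

```powershell
# Added example, not part of the LUP wiki or the LUP tool. Assumes the certificate LUP
# created has the subject "WSUS Publishers Self-signed", that the PKI module is available
# (Windows 8 / Server 2012 or later), and that the paths below are placeholders.

# --- On the WSUS server (elevated): export the public certificate only ---
$subject  = 'CN=WSUS Publishers Self-signed'      # assumed subject
$exportTo = 'C:\Temp\WSUSPublishers.cer'          # assumed path

$cert = @(Get-ChildItem -Path Cert:\LocalMachine\Root |
          Where-Object { $_.Subject -eq $subject })
if ($cert.Count -eq 0) { throw "No certificate with subject '$subject' in LocalMachine\Root" }
if ($cert.Count -gt 1) { throw "Several certificates match '$subject'; select one by thumbprint" }
$cert = $cert[0]

# Export-Certificate writes the DER-encoded public certificate and nothing else.
# Export-PfxCertificate would include the private key; never ship that file to clients.
Export-Certificate -Cert $cert -FilePath $exportTo -Type CERT | Out-Null

# Sanity check on the file: it reloads as the same certificate and carries no private key.
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($exportTo)
if ($check.Thumbprint -ne $cert.Thumbprint) { throw 'Exported file does not match the store certificate' }
if ($check.HasPrivateKey) { throw 'Exported file unexpectedly contains a private key' }
Write-Host "Exported $($cert.Thumbprint) to $exportTo"

# --- On each client (elevated): import the same .cer into BOTH stores ---
# Trusted Root makes the self-signed certificate chain; Trusted Publishers makes the
# Windows Update Agent accept content signed with it.
$cerPath = '\\fileserver\LUP\WSUSPublishers.cer'   # assumed UNC path
foreach ($store in 'Root', 'TrustedPublisher') {
    Import-Certificate -FilePath $cerPath -CertStoreLocation "Cert:\LocalMachine\$store" | Out-Null
}
```

On Windows 7 / Server 2008 R2, where the PKI module is not available, `certutil -addstore Root WSUSPublishers.cer` and `certutil -addstore TrustedPublisher WSUSPublishers.cer` perform the same two imports.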

Be aware that the certificate created by LUP is enabled for "All Purposes" (it carries no Enhanced Key Usage restriction at all). The WSUS documentation is silent about which specific purposes WSUS actually needs, but creating an "All Purposes" certificate and then installing it in the trusted stores on every machine in your network means that anyone holding its private key can sign not just updates but anything Windows trusts that certificate for. Protect that private key accordingly: keep it only on the WSUS server, do not mark it exportable unless you must, and restrict who can log on to that server.

My own experimentation suggests that you can edit the exported public cert and turn off all of the purposes except “Code Signing,” and the cert will still work. However, I haven’t yet found any official source that says this is supported. If you want to remove "unneeded" purposes from the certificate, there are at least 2 different places you can do this.

  • Use the Certificates snap-in in MMC. After editing the certificate, you can export the changed certificate for use on the client machines.
  • When adding the certificate to a GPO, you can edit the purposes.
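Before trusting the certificate on every machine, check what purposes it actually carries and where its private key lives. The following PowerShell function is an added example, not code from the LUP wiki or the LUP tool; it reads the Enhanced Key Usage extension (OID 2.5.29.37) embedded in the certificate and treats a missing extension as "All Purposes". The subject and file path in the usage lines are assumed.

```powershell
# Added example, not part of the LUP wiki or the LUP tool.
# A certificate with no EKU extension is "All Purposes"; Code Signing is OID 1.3.6.1.5.5.7.3.3.
$codeSigningOid = '1.3.6.1.5.5.7.3.3'

function Test-CodeSigningCert {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )

    # .NET surfaces the EKU extension as X509EnhancedKeyUsageExtension when it is present.
    $eku    = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $usages = if ($eku) { @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) } else { @() }

    [pscustomobject]@{
        Subject       = $Cert.Subject
        Thumbprint    = $Cert.Thumbprint
        NotAfter      = $Cert.NotAfter
        AllPurposes   = (-not $eku)                                        # no EKU extension
        CodeSigning   = ((-not $eku) -or ($usages -contains $codeSigningOid))
        OtherPurposes = @($usages | Where-Object { $_ -ne $codeSigningOid })
        HasPrivateKey = $Cert.HasPrivateKey   # should be $true only on the WSUS server
    }
}

# Usage on the WSUS server (assumed subject):
$cert = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -eq 'CN=WSUS Publishers Self-signed' }
Test-CodeSigningCert -Cert $cert

# Usage on an exported .cer file (assumed path); HasPrivateKey must be $false here:
$fromFile = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2('C:\Temp\WSUSPublishers.cer')
Test-CodeSigningCert -Cert $fromFile
```

The function reports the EKU extension inside the certificate bytes. A purpose restriction applied through the MMC properties dialog is stored as a property of that store entry rather than rewritten into the certificate, so after deploying, run the check against the client's store entry and not only against the .cer file.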

To allow signed content from the intranet update server and open the certificate in the Certificates snap-in:

  • Run GPEdit.msc.
  • Set "Computer Configuration/Administrative Templates/Windows Components/Windows Update/Allow signed content from intranet Microsoft update service location" to Enabled. When editing the policy from a Windows 7 or Windows Server 2008 R2 machine, the setting is named "Allow signed updates from an intranet Microsoft update service location" instead.
  • Run MMC.
  • Go to File/Add Remove Snapins.
  • Choose “Certificates” and click Add.
  • Choose “Computer Account” and click Next.
  • Choose “Local Machine” and click Finish.
  • Click Ok.
  • Open “Certificates/Trusted Root Certification Authorities/Certificates.”
  • Locate the “WSUS Publishers Self-signed” certificate and double click it.
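The same policy and store checks can be done from PowerShell on a client. The following is an added example, not from the LUP wiki or the LUP tool. It assumes the certificate subject "WSUS Publishers Self-signed" and relies on the fact that the policy above is stored as the DWORD value AcceptTrustedPublisherCerts under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate; setting it locally is equivalent to enabling the setting in the local GPO, and a domain GPO will overwrite it on the next policy refresh.

```powershell
# Added example, not part of the LUP wiki or the LUP tool. Run elevated on a client.
# Enables "Allow signed content/updates from intranet Microsoft update service location"
# by writing the policy value the GPEdit setting maps to.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
Set-ItemProperty -Path $policyKey -Name AcceptTrustedPublisherCerts -Value 1 -Type DWord

function Test-LupClientReadiness {
    param([string]$Subject = 'CN=WSUS Publishers Self-signed')   # assumed subject

    $policy = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).AcceptTrustedPublisherCerts
    $root   = @(Get-ChildItem Cert:\LocalMachine\Root             | Where-Object { $_.Subject -eq $Subject })
    $pub    = @(Get-ChildItem Cert:\LocalMachine\TrustedPublisher | Where-Object { $_.Subject -eq $Subject })

    [pscustomobject]@{
        PolicyEnabled       = ($policy -eq 1)
        InTrustedRoot       = ($root.Count -eq 1)
        InTrustedPublishers = ($pub.Count -eq 1)
        SameThumbprint      = ($root.Count -eq 1 -and $pub.Count -eq 1 -and $root[0].Thumbprint -eq $pub[0].Thumbprint)
        NotExpired          = ($root.Count -eq 1 -and $root[0].NotAfter -gt (Get-Date))
        PrivateKeyOnClient  = ($root.Count -eq 1 -and $root[0].HasPrivateKey)   # must be $false on a client
    }
}

Test-LupClientReadiness
```

Every field except PrivateKeyOnClient should be $true before you publish a test update to that machine. A $true PrivateKeyOnClient means the signing key was distributed along with the certificate (for example via a PFX), and that key should be treated as compromised.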

To open the certificate in the GPO, see the GPO section in [Distribute_the_certificate_to_a_set_of_test_machines]

To edit the purposes in one of these places:


Related

Wiki: Certificates
Wiki: Create_and_export_the_code_signing_certificate.
Wiki: Distribute_the_certificate_to_a_set_of_test_machines
Wiki: Distribute_the_certificate_to_the_server_and_a_set_of_test_machines
Wiki: Download_and_install_the_LUP_binaries
Wiki: Main_Page
