System Center Updates Publisher Signing Certificate Requirements & Step-by-Step Guide

Special thanks go out to Minfang Lv, our SCUP Lead Tester, who wrote this step-by-step guide to creating your own signing certificate.

System Center Updates Publisher 2011 is an application that can be used with System Center Configuration Manager to deploy third-party software updates.

To publish updates to a WSUS server and deploy them to Configuration Manager clients, you need a signing certificate for System Center Updates Publisher 2011. You can either generate a self-signed certificate through the System Center Updates Publisher 2011 UI or use a certificate from your own public key infrastructure.

The minimum requirements for a System Center Updates Publisher 2011 signing certificate are:

  1. The Allow private key to be exported option is enabled

  2. Key Usage includes Digital signature

  3. Key size of at least 2048 bits

This post walks step by step through creating and deploying a System Center Updates Publisher signing certificate with a Windows Server 2008 R2 certification authority (CA) and Group Policy.

Step 1: Creating and Issuing the Signing Certificate Template on the Certification Authority

  1. On the machine running the Certification Authority, click Start, Programs, Administrative Tools, Certification Authority.
  2. Expand the name of your certification authority (CA), and then click Certificate Templates.
  3. Right-click Certificate Templates, and click Manage to load the Certificate Templates management console.
  4. In the results pane, right-click the entry that displays Code Signing in the Template Display Name column, and then click Duplicate Template. Select the “Windows Server 2003 Enterprise” radio button and click OK.
  5. In the Properties of New Template dialog box, on the General tab, enter a template name for the signing certificate template, such as SCUPCodeSigning.
  6. Click the Request Handling tab, and check Allow private key to be exported.
  7. Click the Subject Name tab, and then click Build from this Active Directory information.
  8. Click the Extensions tab, and make sure Key Usage includes Digital signature.
  9. Click the Security tab, select Authenticated Users and grant it Read and Enroll permission.
  10. Leave the other settings at their defaults. Click OK and close the Certificate Templates console.
  11. In Certification Authority, right-click Certificate Templates, click New, and then click Certificate Template to Issue.
  12. In the Enable Certificate Templates dialog box, select the new template you have just created (SCUPCodeSigning in this example), and then click OK.

Step 2: Requesting the Signing Certificate

1. On a domain-joined machine, in the search box, type mmc.exe, and then press Enter.
2. In the empty management console, click File, and then click Add/Remove Snap-in.
3. In the Add or Remove Snap-ins dialog box, select Certificates from the list of Available snap-ins, and then click Add.
4. In the Certificate snap-in dialog box, select My user account, and then click Finish.
5. In the Add or Remove Snap-ins dialog box, click OK.
6. In the console, expand Certificates - Current User, expand Personal, and click Certificates.
7. Right-click Certificates, click All Tasks, and then click Request New Certificate…
8. Follow the Certificate Enrollment wizard to select the newly created certificate template, set a friendly name in the certificate properties, and click Enroll.
9. After enrollment succeeds, you will find the new certificate under Certificates - Current User -> Personal -> Certificates.
10. Right-click the certificate you just enrolled and click All Tasks -> Export. Follow the export wizard to export the certificate without the private key and save it as scup.cer for Step 3.
11. Export the certificate again; this time select Yes, export the private key on the second page of the Certificate Export Wizard, and save it as SCUPCodeSign.pfx.
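The following PowerShell script is an added example and is not part of the original post or of the SCUP product. It automates the end of Step 2 and checks the three minimum requirements listed at the top of the post before exporting: it locates the enrolled certificate in the Current User Personal store by the friendly name set in the enrollment wizard (the name 'SCUP Code Signing' and the output paths are assumptions), confirms the private key is exportable, that Key Usage includes Digital Signature and that the RSA key is at least 2048 bits, then writes scup.cer (public key only, for the GPO in Step 3) and SCUPCodeSign.pfx (with private key, for SCUP in Step 4). The exportable-flag check reads CspKeyContainerInfo, which only exists for CSP-backed keys; CNG/KSP-backed keys are reported with a warning instead.

```powershell
<#
  Added example, not from the original post. Assumes the certificate from Step 2
  is in Cert:\CurrentUser\My with the friendly name below and was issued from a
  template using a CSP provider (so the exportable flag can be read).
#>
param(
    [string]$FriendlyName = 'SCUP Code Signing',                 # assumed: friendly name set in the enrollment wizard
    [string]$CerPath      = (Join-Path $PWD 'scup.cer'),         # public certificate for the GPO (Step 3)
    [string]$PfxPath      = (Join-Path $PWD 'SCUPCodeSign.pfx')  # certificate plus private key for SCUP (Step 4)
)

$ErrorActionPreference = 'Stop'

$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.FriendlyName -eq $FriendlyName -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with friendly name '$FriendlyName' and a private key in Cert:\CurrentUser\My." }

$problems = @()

# Requirement 1: the private key must be exportable, otherwise the .pfx for SCUP cannot be produced.
try {
    $key = $cert.PrivateKey
    if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        if (-not $key.CspKeyContainerInfo.Exportable) { $problems += 'private key is not marked exportable' }
    } else {
        Write-Warning 'Private key is not a CSP key; exportability cannot be read here and will surface at export time.'
    }
} catch {
    Write-Warning "Could not open the private key: $($_.Exception.Message)"
}

# Requirement 2: the Key Usage extension must include Digital Signature.
$ku     = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
$digSig = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature
if (-not $ku -or -not ($ku.KeyUsages -band $digSig)) { $problems += 'Key Usage does not include Digital Signature' }

# Requirement 3: the key must be at least 2048 bits.
$keySize = $cert.PublicKey.Key.KeySize
if ($keySize -lt 2048) { $problems += "key size is $keySize bits, minimum is 2048" }

# Informational: the template was duplicated from Code Signing, so the Code Signing EKU (1.3.6.1.5.5.7.3.3) is expected.
$eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if (-not $eku -or -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.3' })) {
    Write-Warning 'Enhanced Key Usage does not list Code Signing; check which template the certificate was issued from.'
}

if ($problems.Count -gt 0) {
    throw "Certificate $($cert.Thumbprint) does not meet the SCUP requirements: $($problems -join '; ')"
}

# Export the public certificate (DER) and then the .pfx protected by a password entered interactively.
[IO.File]::WriteAllBytes($CerPath, $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
$pfxPassword = Read-Host -AsSecureString 'Password to protect SCUPCodeSign.pfx'
[IO.File]::WriteAllBytes($PfxPath, $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $pfxPassword))

"Thumbprint : $($cert.Thumbprint)"
"Key size   : $keySize bits"
"Public cert: $CerPath  (deploy through Group Policy; safe to distribute)"
"PFX        : $PfxPath  (contains the private key; keep it off client machines)"
```

Run it from the same user account that enrolled the certificate; the .pfx password it prompts for is the one you will type into SCUP in Step 4. If the script reports a failed requirement, fix the template (Step 1) and re-enroll rather than trying to work around it at publish time, since the Windows Update Agent will reject updates whose signing certificate does not meet these constraints.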


Step 3: Deploy the Signing Certificate through Group Policy

1. On the domain controller, click Start, click Administrative Tools, and then click Group Policy Management.
2. Navigate to your domain, right-click the domain, and then select Create a GPO in this domain, and Link it here.

Note: This step uses the best practice of creating a new Group Policy for custom settings rather than editing the Default Domain Policy that is installed with Active Directory Domain Services. By assigning this Group Policy at the domain level, you will apply it to all computers in the domain. However, on a production environment, you can restrict the deployment so that it applies on only selected computers by assigning the Group Policy at an organizational unit level.

3. In the New GPO dialog box, enter a name for the new Group Policy, such as SCUP Signing Certificate, and click OK.
4. In the results pane, on the Linked Group Policy Objects tab, right-click the new Group Policy, and then click Edit.
5. In the Group Policy Management Editor, expand Policies under Computer Configuration, and then navigate to Windows Settings / Security Settings / Public Key Policies / Trusted Root Certification Authorities.
6. Click the Action menu, and then click Import. Follow the Certificate Import Wizard and import the scup.cer file created in Step 2.
7. In the Group Policy Management Editor, expand Policies under Computer Configuration, and then navigate to Windows Settings / Security Settings / Public Key Policies / Trusted Publishers.
8. Click the Action menu, and then click Import. Follow the Certificate Import Wizard and import the scup.cer file created in Step 2.
9. Close Group Policy Management.

Note: Import the scup.cer file, not the SCUPCodeSign.pfx file.  It’s not safe to distribute the certificate with the private key to all client machines.

This policy must have taken effect on the WSUS server before full-content updates can be published successfully. To apply the policy immediately, run “gpupdate /force /target:Computer” on the WSUS server.
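The following PowerShell script is an added example, not part of the original post, for confirming that Step 3 actually landed on a machine. Run it on the WSUS server (or any domain-joined client in the GPO's scope) with scup.cer from Step 2 available at the assumed path; it optionally refreshes policy with the gpupdate command above, then checks by thumbprint that the certificate is present in both Trusted Publishers and Trusted Root Certification Authorities, verifies that the machine can build a trusted chain for it, and warns if a private key for that certificate has ended up in the machine store, which the note above says should never happen.

```powershell
<#
  Added example, not from the original post. Assumes scup.cer (public key only,
  exported in Step 2) is at $CerPath on the machine being checked.
#>
param(
    [string]$CerPath = (Join-Path $PWD 'scup.cer'),   # assumed location of the public certificate from Step 2
    [switch]$RefreshPolicy                            # run the gpupdate command from the post first
)

$ErrorActionPreference = 'Stop'

if ($RefreshPolicy) { & gpupdate.exe /force /target:Computer | Out-Null }

$expected = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
$thumb    = $expected.Thumbprint

# The two stores the GPO in Step 3 populates.
$stores = @{
    'Trusted Publishers'                     = 'Cert:\LocalMachine\TrustedPublisher'
    'Trusted Root Certification Authorities' = 'Cert:\LocalMachine\Root'
}

$missing = @()
foreach ($name in $stores.Keys) {
    $found = Get-ChildItem $stores[$name] | Where-Object { $_.Thumbprint -eq $thumb }
    if ($found) { "OK       $name : $thumb ($($expected.Subject))" }
    else        { "MISSING  $name"; $missing += $name }
}

# The Windows Update Agent needs a trusted chain, not just store membership; Verify() builds it against the local stores.
if ($expected.Verify()) { 'OK       certificate chain builds to a trusted root on this machine' }
else                    { 'WARNING  certificate chain does not verify on this machine' }

# Only scup.cer should be deployed; a matching certificate with a private key in the machine store means a .pfx leaked.
$leaked = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb -and $_.HasPrivateKey }
if ($leaked) { Write-Warning "A private key for $thumb exists in Cert:\LocalMachine\My; only the public scup.cer should be distributed." }

if ($missing -contains 'Trusted Publishers') {
    throw "Certificate $thumb is not in Trusted Publishers; updates signed with it will fail to install. Check the GPO link/scope and re-run gpupdate."
}
if ($missing -contains 'Trusted Root Certification Authorities') {
    Write-Warning 'Certificate is not in Trusted Root Certification Authorities; that store is required when the certificate is self-signed.'
}
```

Trusted Publishers is the store that decides whether the signed update installs, so its absence is treated as an error; the Trusted Root entry is reported as a warning because a certificate issued by a CA whose root is already deployed chains up without it.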

Step 4: Using the Signing Certificate in System Center Update Publisher

1. Open the System Center Updates Publisher 2011 console.
2. Click the Menu icon and click Options.
3. In the System Center Updates Publisher Options dialog, select Update Server.
4. Click Browse and select the SCUPCodeSign.pfx you created in Step 2. Enter the password and click OK.
5. Click OK to close the System Center Updates Publisher Options dialog.

You can now publish updates through System Center Updates Publisher 2011 and deploy them to clients through System Center Configuration Manager.

Note: The above example uses the Code Signing template, whose Subject Type is User. If you use a template whose Subject Type is Machine, then in Step 2 you need to open the My computer (Local) certificate store to request and enroll the certificate. The other steps are the same.

Comments (28)
  1. Anonymous says:

    Sorry typo. It should be "I am not 100% clear about step 2."

  2. Anonymous says:

    Hello Jason,

    I am 100% clear about step 2. On which server I need run MMC. I have SCCM 2007 SUP/WSUP point server – my WSUS has been configured with port 8530; I have installed SCUP 2011 on this server too. Therefore, I need run the MMC on this server; Am I right?

    My PKI root CA has been "published" into our AD domain such that it is one of Trusted Root Certification Authorities on all our computers. Do I still need deploy the certificate via GPO?


  3. Anonymous says:

    So, couldn’t get this to work on 2008 R2 trying to publish to SCCM 2012 on the local machine. Would fail with 800b0004 error (actually decimal equiv 2148204548) complaining that File cert verification failed and Failed to verify signature and Operation Failed with Error: Verification of file signature failed for file and finally Publish: A fatal error occurred during publishing :Signature verification exception during publish.

    So, I re-worked the certs using the steps outlined on Mark Shellenberter’s blog; difference being I deleted Code Signing from the Application Policies Extension and I checked Publish in Active Directory, which was unchecked in Jason’s instructions.

    THEN…it works!

    I started here, because…well…it’s Microsoft! I appreciate Jason’s efforts to help us out, but I really think this post should be corrected…would’ve saved me two days of hair pulling trying to get it to work.


  4. Anonymous says:

    Hey Guys, is there one for 2012 R2 (Looking for 2012 R2 version for SCUP) Thanks,

  5. atom_acres says:

    Thank you this was helpful. I am using SCUP 2011 and Server 2012 R2 and SCCM 2012 R2. I do not have a Cert authority in my test/dev environment so I used the registry workaround and it worked. I will try to use the CA option in prod. HKEY_LOCAL_MACHINE\Software\Microsoft\Update
    Create DWORD value: EnableSelfSignedCertificates = 1

  6. Gunnahafta,  

    The certificate needs to be trusted on all clients in order for WUA to perform the installation.  Part of that is to put it in the Trusted Publishers certificate store on all clients; this is a hard requirement.  If you are using your own PKI server you may not need to add it to the Trusted Root Certificate Authorities certificate store.


    The browse button is disabled as you are connected to a remote WSUS server without using SSL to connect.  If you are connecting to a remote WSUS Server and you want to register your own signing certificate, you must connect to that server over SSL or install SCUP on the WSUS server (local install).

    _Jason Lewis

  7. Anonymous says:


    Can I ask why this new certificate needs to be distributed to all clients?  I assume it's so the certificate is automatically trusted.  If I am generating the certificate on my Enterprise enabled PKI server then should it already be trusted and I don't need to import it to my clients as you have outlined in Step 3.

  8. Jan Vangslev says:

    Hi Jason

    I have installed Updates Publisher 2011 on a Windows 7 system. I have everything in place – just not the Certificate mentioned in "Step 4: Using the Signing Certificate in System Center Update Publisher". The Browse button is greyed out. Any idea why?

  9. tony says:

    Jason, Is there a reason on step 2 you requested a user certificate instead of a computer certificate in the example above? Can you use a computer certificate?

  10. Computer Certificate vs User Certificate.... says:

    I'm also confused about why it must be a user certificate vs a computer certificate?

  11. markus says:

    Thanks Jason for this great manual!

    I found a way to do this without creating a new certificate template, because this doesn't work on my Windows 2003 Standard Edition Server. I used the tool certreq on the CA server.

    – Create file wsus_publishers.inf (see end of my post)

    – Run these commands on CA server

    certreq -new wsus_publishers.inf wsus_publishers.reg

    certreq -submit wsus_publishers.reg wsus_publishers.cer

    certreq -accept wsus_publishers.cer

    – Export .pfx file with private key from the computer's certificate store and import it into SCUP 2011

    – Deploy .crt/.cer file as Trusted Publisher via GPO

    >>>>>>>>>>>Begin wsus_publishers.inf——————————

    ; certreq requires the [Version] and [NewRequest] section headers; they were missing from the posted copy.
    [Version]
    Signature = "$Windows NT$"

    [NewRequest]
    Subject = "CN=WSUS Publishers,OU=Hi,O=its,L=my,S=Domain,C=US"
    RequesterName = "WSUS Publishers"
    KeySpec = 1
    KeyLength = 2048
    Exportable = TRUE
    MachineKeySet = TRUE
    SMIME = False
    UserProtected = FALSE
    UseExistingKeySet = FALSE
    ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
    ProviderType = 12
    ; RequestType appeared twice in the posted file (CMC, then PKCS10); the last value is the one used, so only PKCS10 is kept.
    RequestType = PKCS10

    >>>>>>>>>>>End wsus_publishers.inf——————————



  12. OdgeUK says:

    I've used SCUP to create a WSUS Publishers Self-signed Cert in the SCUP Options. I now want to replace this with my PFX certificate but the Browse button is greyed out. If I choose "Create" it will take me through the steps to simply create a new WSUS Self-signed Cert. How do I replace the existing Self-Signed cert?

  13. florian says:


    My SCUP is not running on the local server, so I need an SSL connection between SCUP and WSUS – can somebody help me with how to create an SSL connection between those two?

    Thank you for your Feedback 🙂



  14. Steve Shockley says:

    I'd suggest not adding the "Enroll" permission for Authenticated Users (Step 1, #9 above), and instead restrict it to administrators or a specific group.

  15. Robert Manahan says:

    I have to create an SSL connection between SCUP and WSUS (diff servers); well, the cert needs to incorporate code-signing for the downloaded patches.  Has anyone done this yet with a domain cert?  I am attempting to have the template created with "server auth" and "code signing" and then use it to do both.

    I can have documented screenshots when done, I just need to confirm this is the right path.

  16. David Stewart says:

    Hi SJJ123, For step 2 just a domain-joined machine is needed to request the certificate for signing from the CA; the file you save will be imported in SCUP 2011 in Step 4.  The SCUP certificate (public key only) just needs to be a "Trusted Publisher" (deployed via GPO usually – see Step 3, #7) on all your machines since it was issued by your CA, which you mention is already a trusted root CA on your machines.

    Hope this helps.

  17. Not able to perform step 3 says:

    I am trying to perform step 3 on a Windows 2008 R2 server and it accepts the certificate in both places; however, when GPUPDATE runs on the workstation it only downloads the certificate as a "Trusted Publisher". If you look at the GPO the certificate is in both places, however it only downloads to one.   This causes the updates to fail to install on my clients with an error code of 800B0109.

  18. David says:

    This is an old thread but I'm going to ask this anyways. Our SCUP had a hiccup where it cannot find the cert it needs to publish apps to SCCM. I created a new cert in SCUP and put it in the SCCM server's store. I was able to publish to SCCM successfully.

    Will this affect Microsoft and 3rd party updates from SCCM to the clients? I'm noticing my MS update lists are still working and everything else looks good.

  19. Anonymous says:

    Published on configuration manager team blog as well:

  20. Anonymous says:

    System Center Updates Publisher 2011 and Windows Server 2012 R2 has some known limitations which are

  21. Amil Coppens says:

    To everyone getting an 800b0004 certificate error on the workstations… these instructions will not work with this user certificate and SCCM 2012 R2 and 2008 R2 and SCUP 2011. You need to copy and modify the Computer certificate template, not the Code Signing template. Then you will need to edit the extensions tab under Application Policies to remove everything about authentication and put in Code Signing. Publish this cert to AD if it is a domain cert, and also if it is a domain cert, you do not need to place it into the CA Root Cert Store since you should already have your domain CA root certs distributed to your workstations. You will need to place the cert into the Trusted Publishers in GPO. I struggled with this problem because this author has no clue what he is doing. This document looks pretty, but it is USELESS without the noted changes.

  22. Oliver says:

    Not sure what problem Amil had with this guide. Worked for me as described without modifying anything.

  23. Does not work says:

    Still get "no signing cert found". Totally do not understand why this isn’t done via computer certs since the SCCM server is a computer.

  24. ML49448 says:


    For Step 4 #4 – After I clicked Browse and found my SCUPCodeSign.pfx I had to click Create in order for the password prompt to come up. Hope that helps.

  25. Jon says:

    Thanks Michael, that helped!

  26. Ned says:

    Thanks Michael, that nailed it!

  27. sebus says:

    If somebody managed to get it working blindly following these wrong instructions then I am impressed. In step 2 one exports SCUPCodeSign.pfx but imports scup.cert.
    Is that magic? No, just plain wrong instructions!
    User certificate? I do not think so. It must be a Computer certificate (SCUP is a computer!)
