Certificate requirements
SCUP requires a signing certificate to digitally sign the updates that it publishes. This digital
signature enables clients to verify the integrity of the updates. You can obtain a certificate from
a trusted certificate authority (CA) or have SCUP create a self-signed certificate. Certificates
must be trusted by clients of the update server and by the update server itself. This requirement
is not a problem if you have obtained the certificate from a CA that client computers
trust, but it requires special configuration of clients if you use the self-signed certificate.
When you obtain a signing certificate for Updates Publisher 2011 from a CA, ensure that it
has the following properties:
Enable the Allow Private Key To Be Exported option
Set Key Usage to Digital Signature
Set Minimum Key Size to a value equal to or greater than 2048 bits
If you use a self-signed certificate, export the self-signed certificate from the server that
hosts SCUP by using the Certificates snap-in of the Microsoft Management Console. You then
import the certificate into the Trusted Root Certification Authorities certificate store. You can
do this manually on each client, or you can use Active Directory to publish the self-signed
certificate to the Trusted Root Certification Authorities certificate store on computers that are
members of the domain.
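The property list and the manual import step above can be checked on a client with PowerShell. This is an added example, not code from the book or from SCUP; the function name and the file path are hypothetical. It assumes an RSA key and does not check whether the private key is exportable, because the exported .cer file contains only the public certificate.

```powershell
# Added example: check an exported SCUP signing certificate (.cer) against the
# listed properties and report whether this computer already trusts it.
# The function name and the file path below are hypothetical.
function Test-ScupSigningCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    # Minimum key size: 2048 bits or more (RSA key assumed; 0 if not RSA).
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Certificate)
    $keySize = if ($rsa) { $rsa.KeySize } else { 0 }

    # The Key Usage extension must be present and include Digital Signature.
    $usage = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $digitalSignature = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature
    $canSign = [bool]($usage -and ($usage.KeyUsages -band $digitalSignature))

    # Treated as self-signed when subject and issuer match; such a certificate is
    # trusted only if it is present in Trusted Root Certification Authorities.
    $selfSigned = $Certificate.Subject -eq $Certificate.Issuer
    $inRootStore = Test-Path -Path "Cert:\LocalMachine\Root\$($Certificate.Thumbprint)"

    [pscustomobject]@{
        Subject          = $Certificate.Subject
        KeySizeBits      = $keySize
        KeySizeOk        = $keySize -ge 2048
        DigitalSignature = $canSign
        SelfSigned       = $selfSigned
        InTrustedRoot    = $inRootStore
        NotAfter         = $Certificate.NotAfter
    }
}

# Hypothetical path to the certificate exported from the SCUP server.
$path = 'C:\Temp\scup-signing.cer'
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $path
$result = Test-ScupSigningCertificate -Certificate $cert
$result | Format-List

# Manual per-client import (the alternative to publishing through Active Directory).
# Requires an elevated session; runs only when the property checks pass.
if ($result.KeySizeOk -and $result.DigitalSignature -and $result.SelfSigned -and -not $result.InTrustedRoot) {
    Import-Certificate -FilePath $path -CertStoreLocation Cert:\LocalMachine\Root
}
```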
EXAM TIP
Remember the process for using self-signed certificates with SCUP.
MORE INFO SCUP CERTIFICATES
You can learn more about SCUP certificates at http://technet.microsoft.com/en-us/library/hh134732.aspx.
SCUP options
Depending on the details of your SCUP deployment, you can choose to publish updates to a
WSUS server or to a WSUS server integrated with Configuration Manager. Update Server
options, shown in Figure 3-1, enable you to configure whether Updates Publisher 2011
publishes software updates to a WSUS update server, whether the update server is local or
remote, and which certificate Updates Publisher 2011 uses to publish software
updates. All software updates must be digitally signed when they are published. Use this
option when clients update using only WSUS.
 
 
 