Pushing Packages with WSUS Package Publisher


I have a fairly popular post on here about pushing out Java via WSUS. In that post I used LUP (Local Update Publisher). LUP was a good tool, but it appears to be no longer updated, and it is clunky enough that it takes some time to set up and use properly. I have since moved over to PDQ Deploy from Admin Arsenal. It is a fantastic product and I'd highly recommend using it (including the free mode) in addition to WPP (WSUS Package Publisher). So let's get down to business.

Generate your Code Signing Certificate

Since WSUS will only deliver locally published packages that are Authenticode-signed, we need to generate a code signing certificate, sign with its private key on the WSUS server, and push the public certificate out to our client computers so they will trust and install our custom packages. This walkthrough assumes you have an enterprise CA in your Active Directory domain.

  1. Open the Certification Authority console and connect to a CA in your AD domain (I always recommend using RSAT over logging into the actual machine whenever and wherever possible).
  2. Navigate to Certificate Templates and check whether a Code Signing template is already being issued. In this case there isn't one, so we need to add it.
  3. If you don't have a Code Signing template, right-click Certificate Templates, then select New and Certificate Template to Issue.
  4. Select Code Signing and click OK.
  5. Now we need to request a Code Signing certificate from our CA. Open MMC and add the Certificates snap-in for your user account. Your account needs Enroll permission on the Code Signing template; by default only Domain Admins and Enterprise Admins have it, so you may need to do this from a Domain Administrator account. Expand Personal, right-click Certificates, and select All Tasks, Request New Certificate.
  6. Select Active Directory Enrollment Policy and then tick the Code Signing template. Click Details and then the Properties button.
  7. On the Private Key tab, tick the option to make the private key exportable (THIS IS IMPORTANT: WPP loads the certificate from a PFX file, and you cannot create one from a non-exportable key). Optionally enable strong private key protection as well; be aware that this prompts you every time the key is used.
  8. Click Enroll. If you get a prompt at this point, just click OK.
  9. If everything worked correctly, you should get a success message.
  10. Now we need to export our certificate so we can use it to sign packages. In the MMC, go to your Personal certificates and find the code signing certificate you just enrolled. Right-click it, select All Tasks, and Export...
  11. Walk through the export wizard. Be sure to export the private key (PFX format) and set a password you can remember. If you forget it, you'll have to re-export the certificate and private key. Treat this PFX like a password: it is the only thing an attacker needs to sign packages your clients will trust.
  12. Now we have to import the PFX (certificate plus private key) into the WSUS Package Publisher console so it can sign the packages. This is where it gets tricky: WPP wants you to enter the PFX password before it will let you browse for the PFX file, which is why I got frustrated. The PFX belongs on the WSUS server and nowhere else.
  13. Now we need to distribute the certificate, without the private key, to the clients. Re-export it from the MMC, choosing "No, do not export the private key", as a DER or Base-64 encoded .cer file. For testing you can import that file locally on your machine (or on each machine if your network is small enough); otherwise distribute it through Group Policy:
    1. Open a GPO or create a new GPO linked to the computers that will install the packages.
    2. Expand Computer Configuration, Policies, Windows Settings, Security Settings, Public Key Policies.
    3. Right-click Trusted Publishers and select Import...
    4. Use the wizard to import the .cer file (certificate only, no private key, so no password is asked for). Never import the PFX here: a GPO is readable by every domain member, so the private key would be handed to anyone who can read SYSVOL.
  14. Clients also need the Windows Update policy "Allow signed updates from an intranet Microsoft update service location" (Computer Configuration, Policies, Administrative Templates, Windows Components, Windows Update) enabled, or they will refuse locally published updates even with the publisher trusted. Now you're set! You can start publishing custom packages. Documentation is on the WPP site.
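The same procedure as a script, added here as an example; it is not from the original post or from the WSUS Package Publisher project. It requests the certificate with certreq from the Code Signing template (with the exportable key that step 7 ticks in the GUI), exports the PFX for WPP and a separate .cer for clients, trusts the publisher locally as in step 13, and then runs the checks you would want before publishing. The CA config string, subject name, paths, and the registry value checked for the Windows Update policy are assumptions; strong private key protection (step 7) is deliberately not enabled because it would prompt on every signing operation.

```powershell
# Added example (not the post's or WPP's own code). Run in an elevated PowerShell
# on the machine that will host WPP, as an account with Enroll permission on the
# Code Signing template. Placeholders below are assumptions, not values from the post.

$caConfig = 'CA01.corp.example\corp-CA01-CA'       # assumed: "<CA host>\<CA common name>"
$subject  = 'CN=WSUS Package Signing'              # assumed subject for the signing cert
$workDir  = 'C:\WPP-Signing'                       # assumed; restrict its ACL to admins
$pfxPath  = Join-Path $workDir 'wpp-codesign.pfx'  # cert + private key: stays on this box
$cerPath  = Join-Path $workDir 'wpp-codesign.cer'  # public cert only: this goes to clients
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# Steps 5-7: build a request against the AD template. "CodeSigning" is the internal
# name of the default Code Signing template; Exportable=TRUE matches the GUI tick box.
$inf = @"
[NewRequest]
Subject = "$subject"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0x80
Exportable = TRUE
MachineKeySet = FALSE
HashAlgorithm = SHA256
ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = CodeSigning
"@
$infPath = Join-Path $workDir 'codesign.inf'
$reqPath = Join-Path $workDir 'codesign.req'
$issued  = Join-Path $workDir 'codesign-issued.cer'
Set-Content -Path $infPath -Value $inf -Encoding ASCII

certreq -new $infPath $reqPath | Out-Null                      # generate key pair + CSR
certreq -submit -config $caConfig $reqPath $issued | Out-Null  # step 8: CA issues the cert
certreq -accept $issued | Out-Null                             # step 9: bind it to the key

# Locate the new certificate in the user's Personal store (CurrentUser\My).
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.Subject -eq $subject } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "No code signing certificate '$subject' in Cert:\CurrentUser\My" }
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key' }

# Steps 10-11: PFX for WPP. Prompt for the password rather than hard-coding it.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password for WPP'
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# Step 13 prerequisite: the public certificate alone. This file is safe to put in a GPO.
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

# Step 13, local test variant: trust the publisher on this machine. In production
# import the same .cer via GPO under Computer Configuration > Policies >
# Windows Settings > Security Settings > Public Key Policies > Trusted Publishers.
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\TrustedPublisher | Out-Null

# Check 1: the file we hand out must not contain a private key.
$pub = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
if ($pub.HasPrivateKey) { throw "$cerPath contains a private key; do not distribute it" }

# Check 2: the certificate chains to a trusted CA and is usable for Authenticode here.
$probe = Join-Path $workDir 'probe.ps1'
Set-Content -Path $probe -Value 'Write-Output "signed"'
$sig = Set-AuthenticodeSignature -FilePath $probe -Certificate $cert -HashAlgorithm SHA256
if ($sig.Status -ne 'Valid') { throw "Signing probe failed: $($sig.Status) $($sig.StatusMessage)" }
$verify = Get-AuthenticodeSignature -FilePath $probe
if ($verify.Status -ne 'Valid') { throw "Signature does not verify: $($verify.Status)" }

# Check 3: clients need "Allow signed updates from an intranet Microsoft update
# service location" enabled; it is stored as AcceptTrustedPublisherCerts = 1.
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$accept = (Get-ItemProperty -Path $wu -Name AcceptTrustedPublisherCerts -ErrorAction SilentlyContinue).AcceptTrustedPublisherCerts
if ($accept -ne 1) { Write-Warning 'AcceptTrustedPublisherCerts is not 1 on this machine; set the Windows Update policy via GPO' }

Write-Output "PFX for WPP (keep here):  $pfxPath  thumbprint $($cert.Thumbprint)"
Write-Output "CER for GPO / clients:    $cerPath"
```

The .pfx and its directory stay on the WPP host; only the .cer goes into the GPO. If the CA holds the request as pending instead of issuing it, certreq -submit reports that, and you retrieve the issued certificate later with certreq -retrieve and then run certreq -accept on it.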

6 thoughts on “Pushing Packages with WSUS Package Publisher”

  1. I have to disagree with step 12. You should never, never, NEVER share a certificate that contains the private key. If someone breaks the crypto, he will gain access to the private key and thus he will be able to sign packages.
    The pfx file is only required at step 13. It needs to be imported into Wsus so that it can sign packages. In step 12 you have to distribute the Root Certification Authority certificate (.cert file without private key), so that client computers will trust packages. But in an AD environment, this is generally already done 🙂

    • travis says:

      Thanks! I updated the steps! I was attempting to clarify a guide I found on how to implement it and went into auto-drive and may have followed some steps way too closely! 😉 I appreciate it.

  2. Won says:

    Agreed with DCourtel; however, you will need to export your public code signing certificate and publish that into the Trusted Publishers store across your environment.

  3. Note that it's not mandatory to have an Enterprise CA. You can ask WPP to generate a self-signed certificate. However, it's a little bit less secure.
