• Status: Solved

How to deploy Code Signing Certificates via GPO

Our developers have a certificate, which is a code signing cert which identifies our company as the publisher of the software we have developed internally.

When this cert is installed in the Trusted Publishers collection of the machine any software signed by this cert is automatically trusted and so no pop-ups appear asking the user if they want to trust our company each time a new version is rolled out.

What I need to do is deploy this code signing cert to all PCs on the domain, into the Trusted Publishers store.

What is the best way of going about this?
Asked by: Rhodan

Rhodan (Author) commented:
I have found this Technet link: http://technet.microsoft.com/en-us/library/cc770315.aspx

However, when I browse to the GPO and drill down the tree as it describes, i.e. Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Trusted Publishers, I don't see Trusted Publishers?

Can anyone explain, or should I not be using this method? I just found this http://technet.microsoft.com/en-us/library/cc731253.aspx, however that talks about placing it in Trusted Root Certification Authorities.

What's the difference?

jjmartineziii commented:
Rhodan,

The link you have is correct. You must right click "Trusted Publishers" in the list and select Import. The problem can be the version of Administration Tools you are running. Try upgrading to the newest one.

http://www.microsoft.com/downloads/details.aspx?familyid=86B71A4F-4122-44AF-BE79-3F101E533D95&displaylang=en

I also recommend the GPMC if you don't already have it.

http://www.microsoft.com/downloads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&displaylang=en

Rhodan (Author) commented:
Thanks for the reply.

I have the latest Admin Tools installed. I have upgraded now to the latest GPMC. However, I still do not see "Trusted Publishers" under "Computer Configuration\Windows Settings\Security Settings\Public Key Policies\" in the GPO.

Any further ideas?
 
Rhodan (Author) commented:
Also,

Why would this link point to Configuration\Windows Settings\Security Settings\Public Key Policies\Trusted Publishers:
http://www.microsoft.com/downloads/details.aspx?familyid=86B71A4F-4122-44AF-BE79-3F101E533D95&displaylang=en

Why would this link point to Trusted Root Certification Authorities:
http://technet.microsoft.com/en-us/library/cc731253.aspx

jjmartineziii commented:
http://www.bibble-it.com/2008/09/03/adding-trusted-publishers-certificate-with-group-policy


There is a new link. That should work for you. I dunno why you are not seeing it. I am using Vista which may be the reason.


The reason the second link points to CA is because in the second link you are setting the computer to trust a CA.

Rhodan (Author) commented:
Ah right. I was expecting it to show up in the tree where Trusted Root Certification Authorities is.

I guess you only see it when you add a new software restriction policy?

Let me try this unless anyone else has any ideas?

jjmartineziii commented:
It could also be the domain functional level? Mine is 2003.

Besides that I have no idea. After looking at my XP machine, I do not see it there either. It only shows up in that tree on my Vista Business machine.

Rhodan (Author) commented:
I've tried it in GPMC on my XP machine and on a 2003 server, still can't see it. The domain is 2003.

As for the certificates, we have a .pfx and .spc, any idea which is the right one to use?

jjmartineziii commented:
That, I haven't the slightest clue but I've only worked with .cer and .crt files when dealing with certificates + windows.

Rhodan (Author) commented:
Does anyone know which files are the ones to use for deploying? .pfx and .spc

Rhodan (Author) commented:
There must be someone else who has deployed code signed certificates via GPO to trusted publishers?

Can anyone else comment?

Rhodan (Author) commented:
OK I think I know why I can't see the Trusted Publishers option, this article is under the Windows Server 2008 section on Technet: http://technet.microsoft.com/en-us/library/cc770315.aspx

Does anyone know what the procedure is for 2003?

jjmartineziii commented:
I think prior to Windows 2008, that option wasn't available. It was done through software restrictions.

Now, using Windows Vista, you can see them because Vista has the 2008 ADM files.

Maybe you can download those ADM files and run them in XP. The GP includes Policies and Preferences.

Rhodan (Author) commented:
I found this link which talks about the Software Restriction Policies and Trusted Publishers. However, this does not sound like the right thing that I need to do: http://www.windowsecurity.com/articles/windows_2003_restriction_policies_security.html

So it seems the only method I have available is this one I originally posted: http://technet.microsoft.com/en-us/library/cc731253.aspx

How confusing!

Rhodan (Author) commented:
We solved it by using a GPO in the following location: Windows Settings -> Security Settings -> Software Restriction Policies/Additional Rules

We converted .spc to .cer and loaded via GP wizard (Add Additional Rule).
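
The fix above converts the .spc to a .cer before loading it into the GPO; the .pfx asked about earlier is the wrong file to distribute because a .pfx normally carries the signing private key, which clients never need. The PowerShell below is an added example, not code from the thread or from the linked articles: it exports only the public publisher certificate from a .spc bundle, then checks a client's machine Trusted Publishers store. Function names and file paths are placeholders, and it assumes Windows PowerShell 5 or later.

```powershell
using namespace System.Security.Cryptography.X509Certificates
# Added example; file paths and function names are placeholders, not from the thread.
$CodeSigningOid = '1.3.6.1.5.5.7.3.3'   # Enhanced Key Usage: Code Signing

function Test-PublisherLeaf([X509Certificate2]$Cert) {
    # True for an end-entity certificate that carries the Code Signing EKU
    $eku = $Cert.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
    $bc  = $Cert.Extensions | Where-Object { $_ -is [X509BasicConstraintsExtension] }
    $signs = [bool]($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $CodeSigningOid }))
    $isCa  = [bool]($bc -and $bc.CertificateAuthority)
    $signs -and -not $isCa
}

function Export-PublisherCertificate {
    # Build machine: write the publisher certificate from a .spc (PKCS #7) bundle to a DER .cer
    param([Parameter(Mandatory)][string]$SpcPath, [Parameter(Mandatory)][string]$CerPath)
    $bundle = [X509Certificate2Collection]::new()
    $bundle.Import((Resolve-Path -LiteralPath $SpcPath).Path)
    $leaf = @($bundle | Where-Object { Test-PublisherLeaf $_ })
    if ($leaf.Count -ne 1) { throw "Expected one code signing certificate, found $($leaf.Count)" }
    # X509ContentType.Cert serializes the certificate only, never a private key
    [System.IO.File]::WriteAllBytes($CerPath, $leaf[0].Export([X509ContentType]::Cert))
    $leaf[0].Thumbprint
}

function Test-PublisherDeployed {
    # Client: is the certificate in the machine store, and is a signed file signed by it?
    param([Parameter(Mandatory)][string]$Thumbprint, [string]$SignedFile)
    $entry = Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
    $sig = if ($SignedFile) { Get-AuthenticodeSignature -FilePath $SignedFile }
    [pscustomobject]@{
        InTrustedPublishers = [bool]$entry
        PrivateKeyOnClient  = [bool]($entry -and $entry.HasPrivateKey)   # must stay False
        SignatureStatus     = if ($sig) { $sig.Status } else { 'not checked' }
        SignedByThisCert    = [bool]($sig -and $sig.SignerCertificate.Thumbprint -eq $Thumbprint)
    }
}

# Usage (placeholder paths):
# $tp = Export-PublisherCertificate -SpcPath .\publisher.spc -CerPath C:\Temp\publisher.cer
# Test-PublisherDeployed -Thumbprint $tp -SignedFile 'C:\Program Files\OurApp\app.exe'
```

A `PrivateKeyOnClient` value of True means a key-bearing file such as the .pfx was imported on that machine instead of the .cer.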