How to deploy Code Signing Certificates via GPO

Our developers have a certificate, a code signing cert that identifies our company as the publisher of the software we have developed internally.

When this cert is installed in the Trusted Publishers collection of the machine, any software signed by this cert is automatically trusted, and so no pop-ups appear asking the user if they want to trust our company each time a new version is rolled out.

What I need to do is deploy this code signing cert to all PCs on the domain, into the Trusted Publishers store.

What is the best way of going about this?
Rhodan asked:

Rhodan (Author) commented:
I have found this Technet link: http://technet.microsoft.com/en-us/library/cc770315.aspx

However, when I browse to the GPO and drill down the tree as it describes, i.e. Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Trusted Publishers, I don't see Trusted Publishers?

Can anyone explain, or should I not be using this method? I just found this http://technet.microsoft.com/en-us/library/cc731253.aspx, however that talks about placing it in Trusted Root Certification Authorities.

What's the difference?
0
jjmartineziii commented:
Rhodan,

The link you have is correct. You must right click "Trusted Publishers" in the list and select Import. The problem can be the version of Administration Tools you are running. Try upgrading to the newest one.

http://www.microsoft.com/downloads/details.aspx?familyid=86B71A4F-4122-44AF-BE79-3F101E533D95&displaylang=en

I also recommend the GPMC if you don't already have it.

http://www.microsoft.com/downloads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&displaylang=en
0
Rhodan (Author) commented:
Thanks for the reply.

I have the latest Admin Tools installed. I have upgraded now to the latest GPMC. However, I still do not see "Trusted Publishers" under "Computer Configuration\Windows Settings\Security Settings\Public Key Policies\" in the GPO.

Any further ideas?
0

Rhodan (Author) commented:
Also,

Why would this link point to Configuration\Windows Settings\Security Settings\Public Key Policies\Trusted Publishers:
http://www.microsoft.com/downloads/details.aspx?familyid=86B71A4F-4122-44AF-BE79-3F101E533D95&displaylang=en

Why would this link point to Trusted Root Certification Authorities:
http://technet.microsoft.com/en-us/library/cc731253.aspx
0
jjmartineziii commented:
http://www.bibble-it.com/2008/09/03/adding-trusted-publishers-certificate-with-group-policy


There is a new link. That should work for you. I dunno why you are not seeing it. I am using Vista which may be the reason.


The reason the second link points to CA is because in the second link you are setting the computer to trust a CA.
0
Rhodan (Author) commented:
Ah right. I was expecting it to show up in the tree where Trusted Root Certification Authorities is.

I guess you only see it when you add a new software restriction policy?

Let me try this unless anyone else has any ideas?
0
jjmartineziii commented:
It could also be the domain functional level? Mine is 2003.

Besides that I have no idea. After looking at my XP machine, I do not see it there either. It only shows up in that tree on my Vista Business machine.
0
Rhodan (Author) commented:
I've tried it in GPMC on my XP machine and on a 2003 server, still can't see it. The domain is 2003.

As for the certificates, we have a .pfx and .spc, any idea which is the right one to use?
0
jjmartineziii commented:
That, I haven't the slightest clue but I've only worked with .cer and .crt files when dealing with certificates + windows.
0
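The .pfx versus .spc question above comes down to what each file holds: a .pfx carries the private key as well as the certificate, while a .spc is a PKCS#7 bundle of public certificates only. Whatever is pushed to every PC's Trusted Publishers store must be the public certificate alone, so the practical step is to extract a plain .cer from either file and confirm it carries no private key and does have the Code Signing enhanced key usage. The following PowerShell script is an added example, not code from this thread or from Microsoft; it assumes Windows PowerShell 2.0 or later, and the input and output file names are placeholders.

```powershell
# Added example, not code from the thread. Produces a DER-encoded .cer holding
# only the public certificate, so the private key in the .pfx never leaves the
# developers' machine. Assumes Windows PowerShell 2.0 or later; $InputFile and
# $OutputCer are placeholder paths.
param(
    [Parameter(Mandatory = $true)] [string] $InputFile,   # .pfx or .spc
    [string] $OutputCer = 'CompanyCodeSigning.cer'        # public cert only
)

$CodeSigningEku = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning

function Test-CodeSigningEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext.Oid.Value -ne '2.5.29.37') { continue }   # extendedKeyUsage
        foreach ($eku in $ext.EnhancedKeyUsages) {
            if ($eku.Value -eq $CodeSigningEku) { return $true }
        }
    }
    return $false
}

function Get-CandidateCertificates {
    param([string] $Path)
    if ([System.IO.Path]::GetExtension($Path) -eq '.pfx') {
        # Get-PfxCertificate prompts for the password; the key is only held in memory
        return @(Get-PfxCertificate -FilePath $Path)
    }
    # .spc is a PKCS#7 bundle of public certificates (leaf plus any chain certs)
    $coll = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $coll.Import((Resolve-Path $Path).Path)
    return @($coll)
}

$candidates = Get-CandidateCertificates -Path $InputFile
$leaf = $candidates | Where-Object { Test-CodeSigningEku -Cert $_ } | Select-Object -First 1
if (-not $leaf) {
    throw "No certificate with the Code Signing EKU ($CodeSigningEku) found in $InputFile"
}

Write-Host "Subject   : $($leaf.Subject)"
Write-Host "Issuer    : $($leaf.Issuer)"
Write-Host "Thumbprint: $($leaf.Thumbprint)"
Write-Host "Expires   : $($leaf.NotAfter)"
if ($leaf.Subject -eq $leaf.Issuer) {
    Write-Warning 'Certificate is self-signed: Trusted Publishers only suppresses the prompt; Windows still needs the chain to build to a trusted root.'
}

# X509ContentType::Cert exports only the public certificate, never a private key
$bytes = $leaf.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
if ([System.IO.Path]::IsPathRooted($OutputCer)) {
    $outPath = $OutputCer
} else {
    $outPath = Join-Path (Get-Location).Path $OutputCer
}
[System.IO.File]::WriteAllBytes($outPath, $bytes)

# Re-read the file and confirm it is the same cert and carries no private key
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $outPath
if ($check.HasPrivateKey) { throw 'Exported file unexpectedly contains a private key' }
if ($check.Thumbprint -ne $leaf.Thumbprint) { throw 'Exported certificate does not match the source' }
Write-Host "Wrote public certificate to $outPath"
```

Run it as `.\Export-PublisherCert.ps1 -InputFile .\company.pfx` (or `.\company.spc`) and hand the resulting .cer to the GPO import wizard. The thumbprint it prints is worth recording: it is the value to check for on client machines later. The self-signed warning reflects the difference the thread keeps running into between the two stores: Trusted Publishers records that one specific signer should not prompt, whereas Trusted Root Certification Authorities makes the certificate a trust anchor for everything that chains to it, which is far broader than a single publisher needs.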
Rhodan (Author) commented:
Does anyone know which files are the ones to use for deploying: .pfx or .spc?

0
Rhodan (Author) commented:
There must be someone else who has deployed code signed certificates via GPO to trusted publishers?

Can anyone else comment?
0
Rhodan (Author) commented:
OK, I think I know why I can't see the Trusted Publishers option; this article is under the Windows Server 2008 section on Technet: http://technet.microsoft.com/en-us/library/cc770315.aspx

Does anyone know what the procedure is for 2003?
0
jjmartineziii commented:
I think prior to Windows 2008, that option wasn't available. It was done through software restrictions.

Now, using Windows Vista, you can see them because Vista has the 2008 ADM files.

Maybe you can download those ADM files and run them in XP. The GP includes Policies and Preferences.
0
Rhodan (Author) commented:
I found this link which talks about the Software Restriction Policies and Trusted Publishers. However, this does not sound like the right thing that I need to do: http://www.windowsecurity.com/articles/windows_2003_restriction_policies_security.html

So it seems the only method I have available is this one I originally posted: http://technet.microsoft.com/en-us/library/cc731253.aspx

How confusing!
0
Rhodan (Author) commented:
We solved it by using a GPO in the following location: Windows Settings -> Security Settings -> Software Restriction Policies/Additional Rules

We converted .spc to .cer and loaded via GP wizard (Add Additional Rule).
0
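Once the GPO from the solution post is linked, the useful check is on a domain PC rather than in the GPO editor: confirm the publisher certificate landed in the machine-wide Trusted Publishers store, that it did not end up in Trusted Root by mistake, and that a binary the developers signed now verifies against it. The script below is an added example, not code from this thread; it assumes Windows PowerShell 2.0 or later, and the thumbprint and file path are placeholders to replace with your own values.

```powershell
# Added example, not code from the thread. Run on a domain PC after gpupdate
# to confirm the publisher cert arrived in the right store and that a signed
# file verifies against it. Assumes Windows PowerShell 2.0 or later; the
# thumbprint and file path below are placeholders to replace.
param(
    [string] $Thumbprint = 'REPLACE_WITH_PUBLISHER_CERT_THUMBPRINT',
    [string] $SignedFile = 'C:\Deploy\InternalApp.exe'
)

$Thumbprint = $Thumbprint.Replace(' ', '').ToUpper()
$ok = $true

function Find-InStore {
    param([string] $StorePath, [string] $Thumb)
    # Cert: drive enumeration merges the Group Policy physical store with the local one
    Get-ChildItem $StorePath | Where-Object { $_.Thumbprint -eq $Thumb }
}

# 1. The cert should be in the machine-wide Trusted Publishers store
if (Find-InStore 'Cert:\LocalMachine\TrustedPublisher' $Thumbprint) {
    Write-Host 'OK      : publisher certificate present in LocalMachine\TrustedPublisher'
} else {
    Write-Host 'MISSING : not in LocalMachine\TrustedPublisher (has the GPO applied? try gpupdate /force)'
    $ok = $false
}

# 2. It should NOT be in Trusted Root: that store grants CA-level trust
if (Find-InStore 'Cert:\LocalMachine\Root' $Thumbprint) {
    Write-Warning 'Publisher certificate is also in Trusted Root Certification Authorities; a code signing cert only belongs there if it is your own self-signed root.'
}

# 3. A signed binary should verify, and the signer should be the deployed cert
if (Test-Path $SignedFile) {
    $sig = Get-AuthenticodeSignature -FilePath $SignedFile
    Write-Host "Signature : $($sig.Status) - $($sig.StatusMessage)"
    if ($sig.Status -ne 'Valid') { $ok = $false }
    if ($sig.SignerCertificate -and $sig.SignerCertificate.Thumbprint -eq $Thumbprint) {
        Write-Host 'OK      : file was signed by the deployed publisher certificate'
    } else {
        Write-Host 'MISMATCH: file signer differs from the deployed certificate'
        $ok = $false
    }
} else {
    Write-Host "SKIPPED : $SignedFile not found"
}

# 4. To try the store on a single machine before editing the GPO, certutil
#    (shipped with XP/2003 as well) can add and remove the cert by hand:
#      certutil -addstore TrustedPublisher CompanyCodeSigning.cer
#      certutil -delstore TrustedPublisher <thumbprint>

if ($ok) { exit 0 } else { exit 1 }
```

A non-zero exit code makes the script usable from a logon script or a monitoring job, so a PC that has missed the policy shows up instead of silently prompting users again. Note that a `Valid` status from Get-AuthenticodeSignature means the chain built to a trusted root; the Trusted Publishers entry is what removes the prompt for that particular signer, which is the behaviour the original question asked for.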

Experts Exchange Solution brought to you by