Deploying the Verdiem Trusted Publisher Certificate for Windows 2003 and 2008

Overview

When the Trusted Publisher certificate for Surveyor does not exist on the user's machine, issues can occur when upgrading and when running scripts from the Surveyor server.

Root Cause

The Surveyor agent has not been deployed correctly. As a result, the codesign certificate used for power state transition scripts is not installed.

Resolution

Windows 2003:

Install the Trusted Publisher certificate using Group Policy Manager:

  1. Open the Group Policy Manager.
  2. Navigate to Computer Configuration > Windows Settings > Software Restriction Policies and create a new SR policy if you do not have one already.
  3. Under Additional Rules, right-click Certificate Rule to create a new certificate rule.
  4. Click on Browse and select the Verdiem Certificate you want to install on your clients.
  5. Change the Security Level to Unrestricted (otherwise, you will stop the computers from running any programs).
  6. Click OK.

The next time a user reboots their computer, it should reach out and install the new certificate.

Install the certificate using certmgr.exe:

Use the certmgr.exe utility and execute the following command:

certmgr -add VerdiemCodeSignCert.cer -c -s -r localMachine TrustedPublisher

From a network share:

\\share\certmgr.exe -add \\share\VerdiemCodeSignCert.cer -c -s -r localMachine TrustedPublisher

Windows 2008:

Install the Trusted Publisher certificate using Group Policy Manager:

  1. Open the Group Policy Management Console.
  2. Find an existing Group Policy object (GPO), or create a new one, to contain the certificate settings. Make sure that the GPO is associated with the domain, site, or organizational unit whose users you want to be affected by the policy.
  3. Right-click the GPO and select Edit. The Group Policy Management Editor opens and displays the current contents of the policy object.
  4. In the navigation pane, navigate to Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Trusted Publishers.
  5. Click the Action menu, and then click Import.
  6. Follow the instructions in the Certificate Import Wizard to find and import the certificate.
  7. If the certificate is self-signed and cannot be traced back to a certificate that is in the Trusted Root Certification Authorities certificate store, you must also copy the certificate to that store. In the navigation pane, click Trusted Root Certification Authorities and then repeat steps 5 and 6 to install a copy of the certificate to that store.

Install the certificate using certmgr.exe:

Use the certmgr.exe utility (which can be downloaded from the Microsoft Windows SDK) and execute the following command:

certmgr -add VerdiemCodeSignCert.cer -c -s -r localMachine TrustedPublisher


From a network share:

\\share\certmgr.exe -add \\share\VerdiemCodeSignCert.cer -c -s -r localMachine TrustedPublisher
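
Verifying the deployment (an added example, not part of the original article or Verdiem's tooling): the PowerShell script below checks that the certificate file is the one you expect before it is trusted, then confirms it is present in the LocalMachine Trusted Publishers store and, for a self-issued certificate, in Trusted Root as described in step 7 of the Windows 2008 procedure. It assumes PowerShell 2.0 or later is installed and that the script name, parameter names and the thumbprint placeholder are hypothetical; obtain the real thumbprint from the vendor through a separate channel.

```powershell
# Added example (not from the article): confirm the Verdiem code-signing
# certificate is the expected one and is present in the machine stores.
# Assumes PowerShell 2.0+; $ExpectedThumbprint is a placeholder value.
param(
    [string]$CertPath = '.\VerdiemCodeSignCert.cer',
    [string]$ExpectedThumbprint = '<THUMBPRINT-CONFIRMED-WITH-VENDOR>'
)
$ErrorActionPreference = 'Stop'

# Returns $true if a certificate with this thumbprint is in LocalMachine\<StoreName>.
function Test-CertInStore([string]$StoreName, [string]$Thumbprint) {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store `
        -ArgumentList $StoreName, 'LocalMachine'
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    try {
        $hits = $store.Certificates.Find(
            [System.Security.Cryptography.X509Certificates.X509FindType]::FindByThumbprint,
            $Thumbprint, $false)   # $false: match even if the chain does not validate
        return ($hits.Count -gt 0)
    } finally { $store.Close() }
}

# Load the .cer file and normalise the expected thumbprint (strip spaces, colons).
$file = (Resolve-Path $CertPath).ProviderPath
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList $file
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
"Subject: {0}`nExpires: {1}`nThumbprint: {2}" -f $cert.Subject, $cert.NotAfter, $cert.Thumbprint

# Do not trust a file whose thumbprint differs from the one you were given.
if ($cert.Thumbprint -ne $expected) {
    Write-Warning 'Thumbprint does not match the expected value; do not deploy this file.'
    exit 2
}
if ($cert.NotAfter -lt (Get-Date)) { Write-Warning 'Certificate has expired.' }

$ok = Test-CertInStore 'TrustedPublisher' $cert.Thumbprint
"TrustedPublisher store: {0}" -f $(if ($ok) { 'present' } else { 'MISSING' })

# Subject equal to Issuer is used here as the test for a self-signed certificate,
# which must also be in the Trusted Root Certification Authorities (Root) store.
if ($cert.Subject -eq $cert.Issuer) {
    $inRoot = Test-CertInStore 'Root' $cert.Thumbprint
    "Self-signed; Trusted Root store: {0}" -f $(if ($inRoot) { 'present' } else { 'MISSING' })
    $ok = $ok -and $inRoot
}
if ($ok) { exit 0 } else { exit 1 }
```

Exit code 0 means the certificate is in place, 1 means it is missing from a required store, and 2 means the file did not match the expected thumbprint.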
