1 Reply Latest reply on May 24, 2013 11:14 AM by Lawrence Garvin

    How does the client certificate management work?

    mike.palmer@sophos.com

      Hi,

       

      I'm trying to understand how the client certificate management distribution from WSUS works. As I have the challenge to get a internally signed trusted publisher certificate issued to clients which are on several separate AD domains and I'm wondering if the WSUS client distribution maybe able to help me instead of me having to update GPO templates/ domain controller version to enable me to add the trusted publisher certs to PKI sections of GPOs.

       

      Mike

        • Re: How does the client certificate management work?
          Lawrence Garvin

          Greetings Mike.

          The Client Certificate Management tool available in Patch Manager leverages WMI and some methods in our WMI Provider to load the certificate into the appropriate certificate stores on the client system. One of the advantages to this methodology is its ease of use in a multi-domain scenario, because it only requires local Administrator privileges to access WMI. At the same time, one of the disadvantages is that it does require remote WMI access, which is blocked (by default) in the Windows Firewall on Vista and newer operating systems. Ironically, the very thing that can easily mitigate the Windows Firewall issue, a GPO enabling that ruleset in each domain, can also be used to distribute the certificate.

           

          However, if you already have WMI enabled and working (the ruleset is already enabled, or the Windows Firewall is disabled), then the Client Certificate Management tool can be very beneficial in quickly distributing the certificates to the client systems without having to hassle with Group Policy creation. It distributes them on-demand or as a scheduled task, to one or more individual systems, or by Domain, OrgUnit, or WSUS Target Group -- leveraging all of the standard computer selection and task management options available in Patch Manager. (I often find that targeting this task to the "All Computers" group is quick way to make sure every machine is on the distribution list.)