certutil.exe -dspublish CertFile.cer TrustedPublisher?
Hi. Is it possible to publish a certificate in AD to the "Trusted Publishers" store using the "certutil.exe -dspublish" command? I can publish the Root and Intermediate certificates using "certutil.exe -dspublish CertFileRoot.cer RootCA" and "certutil.exe -dspublish CertFileIntermediate.cer SubCA" fine. This can be done locally using this command:
certutil.exe -addstore -enterprise TrustedPublisher CertFileTrustedPublisher.cer
Running Windows 2003. Cheers
September 4th, 2012 5:03pm

No, Active Directory does not contain such a container. You can add certificates to TrustedPublishers only locally by using the '-addstore' parameter (instead of '-dspublish').
My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Windows PKI reference: on TechNet wiki
September 5th, 2012 1:05am

Ok thanks! Do you have any more information as to why this is so? Why is TrustedPublishers not a part of the DS? (In the process of implementing signed third party patches with SCUP, for your info)
September 5th, 2012 6:37am

There is no Trusted Publishers container in AD. Windows 7/Server 2008 R2 introduced a GPO option for designating Trusted Publishers; this is the preferred way to deploy trusted publishers in an AD environment. For non-domain joined machines, the certutil -addstore option is the preferred method.
Brian
September 5th, 2012 9:03am

Or, if you are using Software Restriction Policies, you can deploy certificates to the Trusted Publishers container by creating certificate rules.
September 5th, 2012 1:46pm

Vadims, Funny part I discovered is that if you create a certificate rule under Software Restriction Policies, it also adds the certificate under Trusted Publishers <G>. What I found is that Software Restriction Policies is the only way to do it under 2008, but under 2008 R2, you can use either method (both cross populate).
Brian
September 5th, 2012 3:10pm

> Vadims, Funny part I discovered is that if you create a certificate rule under Software Restriction Policies, it also adds the certificate under Trusted Publishers

Yes, and I used this trick to distribute code signing certificates to allow running signed PowerShell scripts on systems starting with Windows XP (which requires a copy of the signing certificate to be installed in the Trusted Publishers container).
September 5th, 2012 3:16pm

Thanks. Worked nicely.
September 6th, 2012 4:37pm
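
The thread names three ways a certificate can reach a machine's Trusted Publishers store: certutil -addstore, certutil -addstore -enterprise, and Group Policy (including Software Restriction Policies certificate rules). The following PowerShell audit is an added example, not code from any poster. It reports which physical location supplies each certificate in the store. The labels Local, Enterprise and GroupPolicy and all variable names are chosen for this illustration, and the registry paths are the standard locations Windows uses for these stores.

```powershell
# Added example: show where each Trusted Publishers certificate came from.
# Physical registry locations behind the machine's TrustedPublisher store.
$base = 'HKLM:\SOFTWARE'
$physical = @{
    'Local'       = "$base\Microsoft\SystemCertificates\TrustedPublisher\Certificates"
    'Enterprise'  = "$base\Microsoft\EnterpriseCertificates\TrustedPublisher\Certificates"
    'GroupPolicy' = "$base\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates"
}

# Map thumbprint -> list of physical stores that hold it.
# Each certificate is stored under a subkey named after its thumbprint.
$origin = @{}
foreach ($name in $physical.Keys) {
    if (-not (Test-Path $physical[$name])) { continue }
    foreach ($key in Get-ChildItem $physical[$name]) {
        $thumb = $key.PSChildName.ToUpper()
        if (-not $origin.ContainsKey($thumb)) { $origin[$thumb] = @() }
        $origin[$thumb] += $name
    }
}

$codeSigningOid = '1.3.6.1.5.5.7.3.3'   # Code Signing EKU
$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]

# The logical store view merges all physical locations listed above.
Get-ChildItem Cert:\LocalMachine\TrustedPublisher | ForEach-Object {
    $cert = $_
    $eku  = $cert.Extensions | Where-Object { $_ -is $ekuType }
    $oids = @()
    if ($eku) { $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    $from = $origin[$cert.Thumbprint.ToUpper()]
    if (-not $from) { $from = @('Unknown') }

    New-Object PSObject -Property @{
        Subject     = $cert.Subject
        Thumbprint  = $cert.Thumbprint
        Source      = ($from -join ',')
        CodeSigning = ($oids -contains $codeSigningOid)
        Expired     = ($cert.NotAfter -lt (Get-Date))
    }
} | Select-Object Subject, Thumbprint, Source, CodeSigning, Expired |
    Format-Table -AutoSize
```

Entries whose Source is Local or Enterprise were added on the machine itself rather than delivered by policy, so they are the ones to reconcile against the list of publishers you intend to trust.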
