PatchManager: Unable to import an existing signing certificate on WSUS

Question

Hi everyone,

I'm new in the Solarwinds community, and I already need assistance...

I have to securise my Patch Manager server, and because of PCIDSS requirements I can't use Self-Signed certificate.

No problem for the WSUS Administration part, using IIS and a certificat "Server Authentication, Client Authentication" delivered by my CA (enterprise CA).

Now my local WSUS can reply on the port 8531 correctly.

But, now I want to modify the default self-signed "Server Publishing" certificate to use a certificate generate by my own CA.

In the Patch Manager console, in "Administration and Reporting" and "Software Publishing", I click on "Server Publishing Setup Wizard" in the right menu.

Then I select my local WSUS server in the menu, and it propose me the 4 options available.

Selecting the "Use an existing Signing certificate (enabled only if WSUS server is using SSL)" I add my PFX certificate file and the password but after validating I have the following message:

"The selection certificate is not a certificate used for signing. Please select another certificate"

My certificate is a "Code Signing" SHA256 certificate issued to my server computer account.

even using the following tuto, it's not working:

https://blogs.technet.microsoft.com/jasonlewis/2011/07/12/system-center-updates-publisher-signing-certificate-requirements-step-by-step-guide/

https://mikeshellenberger.wordpress.com/2010/09/02/system-center-updates-publisher-microsoft-pki/

Where can I find a detail of the certificate Template needed by PatchManager to integrate it correctly?

Thanks !!

benjamin.reuze · Answer

After multiple research and test. I have find the solution below:

SSL Configuration
WSUS Administration web site SSL configuration
 1- Bind a SSL certificat on the WSUS Administration web site of the local WSUS server
  a. Enroll a new certificate with the option "Server authentication, Client Authentication"
  b. Configure the IIS to use this certificate for the port 8531 : https://technet.microsoft.com/en-us/library/bb633246.aspx
 2- Repeat the same actions (1-a and 1-b on all the SCCM WSUS server)

WSUS Publishing SSL configuration
Generating the Code Signing Certificate
 1- Open a session with the service-account on the PatchManager server
 2- Win+R > certmgr.msc
 3- Expand “Personal”, right click on “Certificates” and select “All Tasks” -> “Request New Certificate” 
 4- Select “Active Directory Enrollment Policy”
  5- Tick “##CodeSigning##” (corresponding to the name of the certificate Template define by your security team on the CA) and then click on the “Details” button to the right hand side of the “Code Signing” option
 6- Click on “Properties”
 7-  Click on the “Private Key” tab, and then expand the “Key Options” section
 8-  Tick “Make private key exportable” and “Strong private key protection”
 9-  Click OK and then click the “Enroll” button (a message may appear stating that an application is creating a protected item – click OK to acknowledge this message)
Exporting the Certificate for Publishing
 1- Open MMC under the service-account  on the PatchManager server
 2- Add the “Certificates” snap-in to the MMC console (select “My user account” when prompted)
 3- Expand “Personal”, right click on the appropriate code signing certificate and select “All Tasks” -> “Export…”
 4- Choose the option “Yes, export the private key” when prompted
 5- Accept the default options on the “Export File Format” screen
 6- Enter a password for the private key, which will need to be entered when importing the certificate
 7-  Save the certificate to an appropriate location
 8- Log off
Importing the Certificate for Trusting
 1- Open MMC under the installation/administrator account context
 2- Add the “Certificates” snap-in to the MMC console (select “Computer account” and select the local machine when prompted)
 3- Right click “Trusted Publishers” and select “All Tasks” -> “Import…”
 4-  Follow the wizard to import the exported certificate, and enter in the accompanying password that was used when the certificate was exported
 5- Redo the same actions on "Trusted Root Certification Authorities"
 6- Replay these 5 steps on each SCCM WSUS Servers
Publishing the certificat in WSUS
 1- On the PatchManager server, open CMD under the installation/administrator account context
 2- Go to the installation folder of PatchManager ...\SolarWinds\Patch Manager\Patch Manager\Server
 3- Adapt and Run the following command:
"SolarWinds.Utilities.WSUS2012PlusCertManagement.exe" /operation addpfx /pfxfile c:\Temp\CodeSigning.pfx /pfxfilepassword YOURPASSWORD /targetwsusname . /targetwsusport 8531 /targetwsususessl yes