
Using a certificate generated from internal CA with Solarwinds Patch Manager

I'm looking for the step by step of importing a publishing certificate issued from my internal CA for use with Solarwinds Patch Manager.

I've used the code signing template mentioned in the documents I've been able to find.

key length 2048, issued name mywsusservername.mydomain.org.

Referencing this article.

Re: How to use trusted certificate with WSUS rather than self-generated certificate?

A step by step on how to import this for use on the WSUS server would be appreciated.

Best Regards,

David

  • I'm looking for the step by step of importing a publishing certificate issued from my internal CA for use with Solarwinds Patch Manager.

    Ideally, certificates created from an Enterprise CA would be auto-enrolled.

    The second best option is distribution via Group Policy.

    The one exception to this is getting the full certificate into the WSUS store of the WSUS Server, which is noted specifically in the thread you've linked.

    But as far as Patch Manager is concerned, it's just another 'client' that needs the cert.

    It needs the root certificate authority in Trusted Root Certificate Authorities, and it needs the CER of the publishing certificate in Trusted Publishers.

    You can use auto-enrollment, Group Policy, the Server Publishing Setup Wizard, or the Client Certificate Management tool to "import" the certificate from the WSUS server.

    The first requirement is getting the cert into the WSUS server's certificate store in the proper store.

    A step by step on how to import this for use on the WSUS server would be appreciated.

    Are you looking for a step-by-step on how to import a certificate, generically? (e.g. how to do Step #2 in the linked thread?)

  • Thank you Lawrence,

    I think I follow now.

    The steps are:

    1. Create a self signed cert from server publishing setup wizard upstreamwsusserver.yourdomain.org -- this creates the Local Computer/WSUS store

    2. Provision and Import a code signing cert into the Local Computer/WSUS store

    3. Remove the self signed cert that was created in step 1 from the Local Computer/WSUS store

    4. Publish the code signing cert into the Local Computer/Trusted Publishers on all downstream wsus servers & sccm servers via patch manager

    5. Publish the cert to the trusted publishers store for any endpoints that receive patches

    IIS

    1. Create or verify the SSL binding on WSUS (create a server auth cert if necessary) for yourwsusname.domain.org?

    Sound about right?

  • The steps are:

    1. Create a self signed cert from server publishing setup wizard upstreamwsusserver.yourdomain.org -- this creates the Local Computer/WSUS store

    2. Provision and Import a code signing cert into the Local Computer/WSUS store

    3. Remove the self signed cert that was created in step 1 from the Local Computer/WSUS store

    4. Publish the code signing cert into the Local Computer/Trusted Publishers all downstream wsus servers & sccm servers in patch manager

    5. Publish the cert to the trusted publishers store for any endpoints that receive patches.

    That'll do it.

    IIS

    1. Create or verify the SSL binding on WSUS (create a server auth cert if necessary) for yourwsusname.domain.org?

    This is only relevant if you are using **SSL** to secure/authenticate your connections between clients and servers. SSL configuration has absolutely nothing to do with local publishing or the publishing certificate.

  • Appreciate the help on this.

    Thank you!!

  • Lawrence Garvin wrote:

    The steps are:

    1. Create a self signed cert from server publishing setup wizard upstreamwsusserver.yourdomain.org -- this creates the Local Computer/WSUS store

    2. Provision and Import a code signing cert into the Local Computer/WSUS store

    3. Remove the self signed cert that was created in step 1 from the Local Computer/WSUS store

    4. Publish the code signing cert into the Local Computer/Trusted Publishers all downstream wsus servers & sccm servers in patch manager

    5. Publish the cert to the trusted publishers store for any endpoints that receive patches.

    That'll do it.

    IIS

    1. Create or verify the SSL binding on WSUS (create a server auth cert if necessary) for yourwsusname.domain.org?

    This is only relevant if you are using **SSL** to secure/authenticate your connections between clients and servers. SSL configuration has absolutely nothing to do with local publishing or the publishing certificate.

    Regarding the IIS bullet above...

    If you're using the certificate issued from your internal CA this must be done, otherwise the certificate can't be used.

    Patch manager will reject it every time. Interestingly enough this also holds true for SCUP.

  • SSL has absolutely nothing to do with Local Publishing.

    You can do Local Publishing With SSL, which requires *two* certificates: a CodeSigning Certificate for publishing and a WebSite Certificate for SSL

    Or you can do Local Publishing without SSL, which requires only the CodeSigning Certificate, and that cert never gets anywhere near IIS.

    Not entirely sure what you're doing, but I've been involved with thousands of Patch Manager local publishing installations, and done a few dozen of my own, and I've *never* had to do anything with SSL.

    Now.. if you chose to enable SSL on your WSUS site (not required, but certainly an option), then of course you need an SSL certificate for that -- but it has *nothing* to do with publishing.

  • Thank you for the call today Lawrence.

    This ended up being scenario specific.

    In our scenario we are using a remote WSUS server that wasn't using SSL.

    Patch Manager is on a dedicated server.

    The SSL binding on the the WSUS administration site was required to engage the API to provision the cert in the Patch Manager Administration and Reporting config.

    Otherwise when launching the Provision the WSUS Server for Publishing wizard action you can only ever select and use Create self-signed certificate.

  • Could someone detail step 4?

    "4. Publish the code signing cert into the Local Computer/Trusted Publishers on all downstream wsus servers & sccm servers via patch manager"

    Does someone have a detailed procedure / prerequisites for the certificate template "Code Signing"?

    I'm unable to import my existing signing certificate in the Patch Manager... 

  • benjamin.reuze@accor.com :
    First question I would have for you is: did steps 1 to 3 work for you? Meaning: if you go into the WSUS server and run MMC from the Start menu, add the Certificates snap-in and browse to the \WSUS certificate store, do you see the cert you imported?

    If so, cool. If not, you'll need to make that happen before moving on to step 4.

    Step 4 could be broken down into sub-steps:
    1. In Patch Manager, browse to Update Services and select your WSUS server.

    2. Right-click that WSUS server name and choose "Refresh Update Server" <-- This is just to clear the cache and make it re-read the cert data from the \WSUS store on the WSUS server.

    3. Go to Administration and Reporting and right-click Software Publishing to select the option for Server Publishing Setup Wizard. <-- This tool should A) read the cert info from the WSUS server and B) give you the option to deploy it to the other needed certificate stores (Trusted Publishers and Trusted Root Certification Authorities) on both the WSUS server(s) and the Patch Manager server.

    Alternatively, you could use the MMC console to open the Certificate store on the WSUS server and use that tool to select the private key version of the certificate (in the \WSUS store) ... export that cert to a public key version (.cer) and then manually import that into the Trusted Publishers and Trusted Root Certification Authorities stores on the WSUS server. You'd have to repeat that for any downstream WSUS servers AND for the Patch Manager server (unless it already has that cert in those places).

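The manual alternative in the reply above (export the public .cer from the \WSUS store, import it into Trusted Publishers and Trusted Root on the WSUS server, then repeat on every downstream WSUS/SCCM server) can be scripted. The following is an added example, not code from the thread or from SolarWinds. It follows the earlier reply's split: the publishing certificate goes to Trusted Publishers, and Trusted Root gets the top of the certificate chain, which is the issuing root CA for an internal-CA-issued cert and the publishing cert itself only when it is self-signed. It assumes it is run elevated on the upstream WSUS server after steps 1 to 3, that PowerShell remoting (WinRM) is enabled on the downstream hosts, and that the server names in $DownstreamServers are placeholders.

```powershell
# Added example (not from the thread or SolarWinds): push the publishing certificate's
# public half from Cert:\LocalMachine\WSUS into Trusted Publishers (and the chain root
# into Trusted Root) on this server and on downstream WSUS/SCCM servers.
# Assumptions: elevated session on the upstream WSUS server; WinRM enabled on the
# downstream hosts; the host names below are placeholders.
param(
    [string[]]$DownstreamServers = @('downstream-wsus01.example.org', 'sccm-sup01.example.org')
)

$codeSigningOid = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning EKU

# 1. Locate the publishing certificate: private key present, Code Signing EKU, newest first.
$pub = Get-ChildItem Cert:\LocalMachine\WSUS |
    Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $codeSigningOid) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $pub) { throw 'No code-signing certificate with a private key found in Cert:\LocalMachine\WSUS' }
Write-Host "Publishing cert: $($pub.Subject)  thumbprint $($pub.Thumbprint)"

# 2. Work out what belongs in Trusted Root: the top element of the chain. For a
#    self-signed cert that is the cert itself; for an internal-CA cert it is the root CA.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
[void]$chain.Build($pub)
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($root.Subject -ne $root.Issuer) {
    throw "Chain for $($pub.Thumbprint) does not end in a self-signed root on this host; install the issuing CA chain first."
}

# Export DER (public) bytes only; the private key never leaves the WSUS store.
$derType   = [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert
$pubBytes  = $pub.Export($derType)
$rootBytes = $root.Export($derType)

# 3. Store installer as a script block, so the same code runs locally and over WinRM.
$install = {
    param([byte[]]$PublisherDer, [byte[]]$RootDer)
    $targets = @{ TrustedPublisher = $PublisherDer; Root = $RootDer }
    foreach ($storeName in $targets.Keys) {
        $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($targets[$storeName])
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, 'LocalMachine')
        $store.Open('ReadWrite')
        $already = $store.Certificates | Where-Object Thumbprint -eq $cert.Thumbprint
        if (-not $already) { $store.Add($cert) }
        $store.Close()
        # One row per computer/store so the run can be audited afterwards.
        [pscustomobject]@{
            Computer   = $env:COMPUTERNAME
            Store      = $storeName
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            Added      = (-not $already)
        }
    }
}

# 4. Local server first, then every downstream server.
& $install $pubBytes $rootBytes
foreach ($server in $DownstreamServers) {
    Invoke-Command -ComputerName $server -ScriptBlock $install -ArgumentList $pubBytes, $rootBytes
}
```

The Patch Manager server itself can be added to $DownstreamServers, since, as the first reply notes, it is just another client that needs the cert in the same two stores. Nothing here touches IIS or SSL; it only populates certificate stores.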

  • Yes, steps 1, 2 and 3 are OK.

    For step 4, it's what I have done, but in step 4.3 (in Administration and Reporting, right-click Software Publishing to select the option for Server Publishing Setup Wizard), when I try to import "an existing certificate" with my PFX file, I received an error telling me that the "selected certificate is not a certificate used for signing".

    After much research and testing, I have found the solution below:

    SSL Configuration
    WSUS Administration web site SSL configuration
    1- Bind an SSL certificate on the WSUS Administration web site of the local WSUS server
      a. Enroll a new certificate with the option "Server authentication, Client Authentication"
      b. Configure IIS to use this certificate for port 8531: https://technet.microsoft.com/en-us/library/bb633246.aspx
    2- Repeat the same actions (1-a and 1-b) on all the SCCM WSUS servers

    WSUS Publishing SSL configuration
    Generating the Code Signing Certificate
    1- Open a session with the service-account on the PatchManager server
    2- Win+R > certmgr.msc
    3- Expand “Personal”, right click on “Certificates” and select “All Tasks” -> “Request New Certificate”
    4- Select “Active Directory Enrollment Policy”
    5- Tick “##CodeSigning##” (corresponding to the name of the certificate template defined by your security team on the CA) and then click on the “Details” button to the right hand side of the “Code Signing” option
    6- Click on “Properties”
    7- Click on the “Private Key” tab, and then expand the “Key Options” section
    8- Tick “Make private key exportable” and “Strong private key protection”
    9-  Click OK and then click the “Enroll” button (a message may appear stating that an application is creating a protected item – click OK to acknowledge this message)

    Exporting the Certificate for Publishing
    1- Open MMC under the service-account  on the PatchManager server
    2- Add the “Certificates” snap-in to the MMC console (select “My user account” when prompted)
    3- Expand “Personal”, right click on the appropriate code signing certificate and select “All Tasks” -> “Export…”
    4- Choose the option “Yes, export the private key” when prompted
    5- Accept the default options on the “Export File Format” screen
    6- Enter a password for the private key, which will need to be entered when importing the certificate
    7- Save the certificate to an appropriate location
    8- Log off

    Importing the Certificate for Trusting
    1- Open MMC under the installation/administrator account context
    2- Add the “Certificates” snap-in to the MMC console (select “Computer account” and select the local machine when prompted)
    3- Right click “Trusted Publishers” and select “All Tasks” -> “Import…”
    4- Follow the wizard to import the exported certificate, and enter the accompanying password that was used when the certificate was exported
    5- Redo the same actions on "Trusted Root Certification Authorities"
    6- Repeat these 5 steps on each SCCM WSUS server

    Publishing the certificate in WSUS
    1- On the PatchManager server, open CMD under the installation/administrator account context
    2- Go to the installation folder of PatchManager ...\SolarWinds\Patch Manager\Patch Manager\Server
    3- Adapt and Run the following command:
    "SolarWinds.Utilities.WSUS2012PlusCertManagement.exe" /operation addpfx /pfxfile c:\Temp\CodeSigning.pfx /pfxfilepassword YOURPASSWORD /targetwsusname . /targetwsusport 8531 /targetwsususessl yes
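The two things this thread shows going wrong are a PFX that Patch Manager rejects as "not a certificate used for signing" and a missing https binding on 8531, which the addpfx command above depends on via /targetwsususessl yes. The following pre-flight script is an added example, not code from the thread or from SolarWinds; it inspects the PFX and the IIS binding before the command is run. $PfxPath and $PfxPassword are placeholders matching the command above, 'WSUS Administration' is the site name used earlier in this post, and the script assumes it is saved as a .ps1 and run elevated on the WSUS server with the IIS WebAdministration module available.

```powershell
# Added example (not from the thread or SolarWinds): verify the PFX and the IIS
# binding before running WSUS2012PlusCertManagement.exe /operation addpfx.
# Assumptions: $PfxPath / $PfxPassword are placeholders; run elevated on the WSUS
# server; WebAdministration module present; saved as a .ps1 file.
param(
    [string]$PfxPath     = 'C:\Temp\CodeSigning.pfx',
    [string]$PfxPassword = 'YOURPASSWORD',
    [int]   $SslPort     = 8531
)

$checks = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $script:checks.Add([pscustomobject]@{ Check = $Name; Pass = $Ok; Detail = $Detail })
}

# --- Certificate checks (the "not a certificate used for signing" error) -------------
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $PfxPassword)

# Code Signing EKU (1.3.6.1.5.5.7.3.3) is what makes a cert "used for signing".
$codeSigning = $cert.EnhancedKeyUsageList | Where-Object ObjectId -eq '1.3.6.1.5.5.7.3.3'
Add-Check 'Code Signing EKU present' ([bool]$codeSigning) "EKUs: $(($cert.EnhancedKeyUsageList.FriendlyName) -join ', ')"

# KeyUsage must allow digitalSignature if the extension is present at all.
$ku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
$digSigOk = (-not $ku) -or (($ku.KeyUsages -band [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature) -ne 0)
Add-Check 'Key usage allows digital signature' $digSigOk $(if ($ku) { "KeyUsage: $($ku.KeyUsages)" } else { 'no KeyUsage extension' })

Add-Check 'Private key included in PFX' $cert.HasPrivateKey "Subject: $($cert.Subject)"

$now = Get-Date
Add-Check 'Validity period current' (($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)) "$($cert.NotBefore) .. $($cert.NotAfter)"

# RSA key size (the original poster used 2048); non-RSA keys throw here, reported as 0.
$keySize = 0
try { $keySize = $cert.PublicKey.Key.KeySize } catch { }
Add-Check 'RSA key at least 2048 bits' ($keySize -ge 2048) "$keySize bits"

# Trust on this host: the public cert should already sit in Trusted Publishers (step "Importing").
$tp = Get-ChildItem Cert:\LocalMachine\TrustedPublisher | Where-Object Thumbprint -eq $cert.Thumbprint
Add-Check 'Present in Trusted Publishers on this host' ([bool]$tp) $cert.Thumbprint

# --- IIS binding checks (needed because addpfx is run with /targetwsususessl yes) ------
Import-Module WebAdministration -ErrorAction Stop
$binding = Get-WebBinding -Name 'WSUS Administration' -Protocol https |
    Where-Object { $_.bindingInformation -like "*:${SslPort}:*" }
Add-Check "https binding on ${SslPort} for 'WSUS Administration'" ([bool]$binding) "$($binding.bindingInformation)"

# HTTP.SYS must also have a certificate bound to the port, not just an IIS binding entry.
$sslcert = netsh http show sslcert ipport=0.0.0.0:$SslPort 2>$null
$hashLine = ($sslcert | Select-String 'Certificate Hash') -join ''
Add-Check "Certificate bound to 0.0.0.0:${SslPort}" ([bool]($sslcert -match 'Certificate Hash')) $hashLine.Trim()

# --- Report ---------------------------------------------------------------------------
$checks | Format-Table -AutoSize
if ($checks | Where-Object { -not $_.Pass }) {
    Write-Warning 'Fix the failing checks before running the addpfx command.'
} else {
    Write-Host 'All pre-flight checks passed.'
}
```

The certificate checks are the ones that matter for the wizard's import error; the binding checks only matter if, as in this post's scenario, SSL is enabled on the WSUS Administration site and the command is run with /targetwsususessl yes.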