From time to time, we get inquiries about whether the WSUS server certificate has to be self-signed in order for 3rd party updates to work. A number of organizations already have a CA and would like to use it. The EminentWare product can only generate self-signed WSUS certificates, but here are some steps on how to link up with your internal CA.
The WSUS server is the entity that must generate a key pair and a Certificate Signing Request (CSR) and receive the signed certificate back from the CA. To get a CA-signed certificate, generate the key pair and CSR for the WSUS server using your CA’s enrollment process (note that this must be a code-signing certificate). If you go this route, you will need to ensure that the CA-signed certificate is properly installed on the WSUS server – here are some details: http://msdn.microsoft.com/en-us/library/bb902479(VS.85).aspx.
Alternatively, you can generate the key pair and CSR, get a signed certificate back from the CA, and then export the key pair (including the private key) to a PKCS#12 file. You can then manually import the key pair and certificate, or use one of our free utilities to install it on the WSUS server: http://downloads.solarwinds.com/solarwinds/Release/SupportTools/WSUSSigningCertManagement.zip
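As a worked version of the steps above (request a code-signing certificate from the internal CA, check it, export it to PKCS#12, and import it on the WSUS server), here is an added PowerShell example. It is not code from the original post or from the EminentWare/SolarWinds utility. It assumes a Microsoft enterprise CA reachable under the placeholder config string CA01.corp.example\Corp-Issuing-CA, a placeholder subject name, the built-in certreq tool, and the WSUS 3.0 administration API's SetSigningCertificate/GetSigningCertificate methods for the import step (those two method signatures are taken from the WSUS API documentation as I understand it and are an assumption here).

```powershell
# Added example, not code from the original post or the EminentWare/SolarWinds tooling.
# Requests a code-signing certificate from an internal Microsoft CA, verifies it,
# exports the key pair to PKCS#12, and imports it into WSUS. Run elevated on the WSUS server.
# Placeholders: $caConfig, $subject, $work.

$caConfig = 'CA01.corp.example\Corp-Issuing-CA'   # placeholder: "<CA host>\<CA name>"
$subject  = 'CN=WSUS Local Publishing Signing'     # placeholder subject for the certificate
$work     = Join-Path $env:ProgramData 'wsus-signing'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# 1. certreq INF: 2048-bit RSA key in the machine store, exportable (needed for the
#    PKCS#12 step), with the Code Signing EKU (1.3.6.1.5.5.7.3.3) that WSUS requires.
@"
[NewRequest]
Subject = "$subject"
KeyLength = 2048
KeyAlgorithm = RSA
MachineKeySet = TRUE
Exportable = TRUE
ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.3
"@ | Set-Content -Path "$work\request.inf" -Encoding ASCII

# 2. Generate the key pair and CSR, submit to the CA, and bind the issued certificate
#    to its private key in LocalMachine\My. If the CA holds requests for approval,
#    certreq -submit prints a request ID; fetch it later with
#    certreq -retrieve -config $caConfig <RequestId> signed.cer and then -accept.
certreq -new "$work\request.inf" "$work\request.csr"
certreq -submit -config $caConfig "$work\request.csr" "$work\signed.cer"
certreq -accept "$work\signed.cer"

# 3. Find the issued certificate and verify what WSUS needs before exporting it.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $subject } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with subject '$subject' in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw 'Issued certificate is not bound to its private key' }

# Code Signing EKU present? (2.5.29.37 is the Extended Key Usage extension OID.)
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
if ($ekuOids -notcontains '1.3.6.1.5.5.7.3.3') {
    throw 'Certificate lacks the Code Signing EKU; WSUS will not sign packages with it'
}
# Chain must validate here; clients that cannot build the same chain will reject the updates.
if (-not $cert.Verify()) { throw 'Certificate chain does not validate on this host; install the CA chain first' }

# 4. Export certificate + private key to PKCS#12 (the file WSUS imports).
$pfxPath = Join-Path $work 'wsus-signing.pfx'
$pfxPass = Read-Host -AsSecureString -Prompt 'Password for the PKCS#12 file'
[IO.File]::WriteAllBytes($pfxPath, $cert.Export('Pfx', $pfxPass))

# 5. Import into WSUS through its administration API (assumed signatures:
#    SetSigningCertificate(pfxPath, password), GetSigningCertificate() -> X509Certificate2).
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($pfxPass)
try {
    $wsus.SetSigningCertificate($pfxPath, [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr))
} finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
}

# 6. Confirm WSUS reports the CA-issued certificate, keep only the public .cer for
#    distribution to downstream servers and clients, and remove the PFX from disk.
$installed = $wsus.GetSigningCertificate()
if ($installed.Thumbprint -ne $cert.Thumbprint) { throw 'WSUS signing certificate does not match the issued one' }
$installed | Format-List Subject, Issuer, Thumbprint, NotAfter
[IO.File]::WriteAllBytes((Join-Path $work 'wsus-signing.cer'), $cert.Export('Cert'))
Remove-Item $pfxPath -Force
```

The checks in step 3 are the ones worth keeping even if you enroll by some other means: WSUS needs the private key bound to the certificate, the Code Signing EKU, and a chain that the update clients can build. The .cer written at the end carries no private key and is the artifact to push to downstream WSUS servers, the EminentWare servers, and the clients.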
Once the certificate is installed on the WSUS server, the EminentWare product can help you deploy the certificate (sans private key, obviously) to the downstream WSUS servers, the EminentWare servers, and the clients that will be receiving 3rd Party Updates (that are signed by the WSUS server).