7 Replies Latest reply on May 5, 2014 4:36 PM by Lawrence Garvin

    How to use trusted certificate with WSUS rather than self-generated certificate?

    bbrehart

      So I have upgraded WSUS to Server 2012/WSUS v. 6.x so that I can have our Patch Manager server in one Domain talk to the patch manager console on the WSUS server and allow for the installation of 3rd Party Patches. What I'm running into now is that those machines that don't support WMI (or aren't configured for it) won't permit the software to download and install because they don't have the self-signed certificate in their trusted certs folder. I want to create a certificate for the WSUS server from a trusted authority, but I don't have the first idea how to do this. Where do I start? Where do I make the certificate request from and then where do I install it once I get it?

        • Re: How to use trusted certificate with WSUS rather than self-generated certificate?
          Lawrence Garvin

          So.. my first question would be... why a 3rd party certificate rather than a self-signed certificate?

           

          As for obtaining the 3rd party certificate.... that's kinda beyond our scope here, but I can certainly help you import that certificate once you obtain it.

          But I will say this: PAYING for a 3rd party certificate is not worth the expense, IMHO, for the purpose of publishing third-party updates to a WSUS server.

          I strongly recommend just making the self-signed certificate and be done with it.

            • Re: How to use trusted certificate with WSUS rather than self-generated certificate?
              bbrehart

              The reason for the 3rd party is due to the fact that we're patching over two domains and one won't trust the self-signed. Also, we have our own certificate server, so we don't pay for any non-self-signed certs. I have created the certificate, so how do I import it into Patch Manager?

               

              Sorry for the confusion.

                • Re: How to use trusted certificate with WSUS rather than self-generated certificate?
                  Lawrence Garvin

                   

                  Also, we have our own certificate server, so we don't pay for any non-self-signed certs.

                  If you have a certificate server, then you're not using a THIRD-PARTY certificate, you're using an Enterprise Certificate and it's a completely different conversation.

                   

                  I have created the certificate, so how do I import it into Patch Manager?

                   

                  First, the Code-Signing certificate is stored on the WSUS Server, not Patch Manager.

                  Once the certificate is stored in the WSUS server, Patch Manager will simply retrieve it from the WSUS server as part of a routine WSUS server refresh.

                  So, there's nothing to import to Patch Manager.


                  You will, however, need to distribute that certificate, and that's done in exactly the same way for all systems.

                  The CER needs to go into Trusted Publishers. The Root CA needs to be in Trusted Root Certificate Authorities.


                  The challenge, though, is getting the certificate imported into WSUS, and that process is a bit more complicated now that you're using WSUS v6.

                   

                  In short, the *easiest* process is this:
1. Use the WSUS API to create a self-signed certificate. (The easiest way to do this is to let Patch Manager create it.) The significant thing that happens in this process is that a certificate store named WSUS gets created on the WSUS server.
                  2. Import the Enterprise code-signing certificate into the WSUS store, and delete the self-signed certificate.
                  3. Distribute the Enterprise code-signing certificate.


                  1 of 1 people found this helpful
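As an added illustration of steps 2 and 3 above (this is example code, not part of the thread and not SolarWinds' or Microsoft's own tooling), the PowerShell below replaces the self-signed certificate in the LocalMachine\WSUS store with the enterprise code-signing certificate, reads back which certificate WSUS now considers active, and then installs and verifies the publisher and root trust a client needs. It assumes step 1 has already run (so the WSUS store exists), that the PKI module cmdlets from Server 2012 are available, that the WSUS administration API is installed on the machine running the first half, and that the file paths are placeholders for your own PFX and root CA files. The second half (the two functions) is what would run on each client or be pushed by Group Policy.

```powershell
# Added example, not from the thread. Assumes: step 1 already created the
# LocalMachine\WSUS store, the enterprise code-signing cert (with private key)
# is in $PfxPath, and its issuing root CA cert is in $RootCer. All paths are
# placeholders.

$PfxPath   = 'C:\certs\wsus-signing.pfx'     # placeholder
$RootCer   = 'C:\certs\enterprise-root.cer'  # placeholder
$PublicCer = 'C:\certs\wsus-signing.cer'     # exported below for clients
$WsusStore = 'Cert:\LocalMachine\WSUS'

# --- Step 2: on the WSUS server, swap the self-signed cert for the enterprise one ---
$pfxPassword = Read-Host -AsSecureString 'PFX password'
$new = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation $WsusStore -Password $pfxPassword

# Delete everything else in the WSUS store (the self-signed cert from step 1),
# leaving only the enterprise certificate.
Get-ChildItem $WsusStore |
    Where-Object { $_.Thumbprint -ne $new.Thumbprint } |
    Remove-Item

# Export the public half (no private key); this .cer is what clients receive.
Export-Certificate -Cert $new -FilePath $PublicCer | Out-Null

# Read back which certificate WSUS will sign with, so a stale self-signed cert
# is caught here rather than on the first failed client install.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus   = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
$active = $wsus.GetConfiguration().SigningCertificate
if ($active.Thumbprint -ne $new.Thumbprint) {
    throw "WSUS reports signing cert $($active.Thumbprint); expected $($new.Thumbprint)"
}

# --- Step 3: on each client (or via GPO), trust the publisher and its root ---
function Install-WsusPublisherTrust {
    param([string]$PublisherCer, [string]$RootCaCer)
    # The .cer goes into Trusted Publishers; the issuing CA goes into Trusted Root.
    Import-Certificate -FilePath $PublisherCer -CertStoreLocation 'Cert:\LocalMachine\TrustedPublisher' | Out-Null
    Import-Certificate -FilePath $RootCaCer    -CertStoreLocation 'Cert:\LocalMachine\Root'             | Out-Null
}

# Returns $true only if the publisher cert chains to a root this machine trusts
# AND is present in Trusted Publishers; either missing piece blocks installs.
function Test-WsusPublisherTrust {
    param([string]$PublisherCer)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $PublisherCer
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check; use Online where CRLs are reachable
    $chainOk   = $chain.Build($cert)
    $published = Get-ChildItem 'Cert:\LocalMachine\TrustedPublisher' |
        Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    return ($chainOk -and [bool]$published)
}

Install-WsusPublisherTrust -PublisherCer $PublicCer -RootCaCer $RootCer
Test-WsusPublisherTrust -PublisherCer $PublicCer
```

Run the first half once, on the WSUS server, as an administrator; the two functions are the client-side part and give a quick way to confirm that a machine which cannot be reached over WMI still ends up with both the publisher certificate and the root it chains to, which is the condition the original question's failing installs were missing.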