7 Replies Latest reply on Aug 22, 2014 3:20 PM by david.speer

    Using a certificate generated from internal CA with Solarwinds Patch Manager

    david.speer

      I'm looking for the step by step of importing a publishing certificate issued from my internal CA for use with Solarwinds Patch Manager.

      I've used the code signing template mentioned in the documents I've been able to find.

      key length 2048, issued name mywsusservername.mydomain.org.

       

      Referencing this article.

      Re: How to use trusted certificate with WSUS rather than self-generated certificate?

       

      A step by step on how to import this for use on the WSUS server would be appreciated.

       

      Best Regards,

      David

        • Re: Using a certificate generated from internal CA with Solarwinds Patch Manager
          Lawrence Garvin

          I'm looking for the step by step of importing a publishing certificate issued from my internal CA for use with Solarwinds Patch Manager.

          Ideally, certificates created from an Enterprise CA would be auto-enrolled.

          The second best option is distribution via Group Policy.

           

          The one exception to this is getting the full certificate into the WSUS store of the WSUS Server, which is noted specifically in the thread you've linked.

           

          But as far as Patch Manager is concerned, it's just another 'client' that needs the cert.

          It needs the root certificate authority in Trusted Root Certificate Authorities, and it needs the CER of the publishing certificate in Trusted Publishers.

          You can use auto-enrollment, Group Policy, the Server Publishing Setup Wizard, or the Client Certificate Management tool to "import" the certificate from the WSUS server.

          The first requirement is getting the cert into the WSUS server's certificate store in the proper store.

           

          A step by step on how to import this for use on the WSUS server would be appreciated.

          Are you looking for a step-by-step on how to import a certificate, generically? (e.g. how to do Step #2 in the linked thread?)

            • Re: Using a certificate generated from internal CA with Solarwinds Patch Manager
              david.speer

              Thank you Lawrence,

              I think I follow now.

               

              The steps are:

              1. Create a self signed cert from server publishing setup wizard upstreamwsusserver.yourdomain.org -- this creates the Local Computer/WSUS store

              2. Provision and Import a code signing cert into the Local Computer/WSUS store

              3. Remove the self signed cert that was created in step 1 from the Local Computer/WSUS store

              4. Publish the code signing cert into the Local Computer/Trusted Publishers on all downstream wsus servers & sccm servers via patch manager

              5. Publish the cert to the trusted publishers store for any endpoints that receive patches

               

              IIS

              1. Create or verify the SSL Binding on wsus for create a server auth cert if necessary for yourwsusname.domain.org?

               

              Sound about right?

                • Re: Using a certificate generated from internal CA with Solarwinds Patch Manager
                  Lawrence Garvin

                  The steps are:

                  1. Create a self signed cert from server publishing setup wizard upstreamwsusserver.yourdomain.org -- this creates the Local Computer/WSUS store

                  2. Provision and Import a code signing cert into the Local Computer/WSUS store

                  3. Remove the self signed cert that was created in step 1 from the Local Computer/WSUS store

                  4. Publish the code signing cert into the Local Computer/Trusted Publishers all downstream wsus servers & sccm servers in patch manager

                  5. Publish the cert to the trusted publishers store for any endpoints that receive patches.

                   

                  That'll do it.

                   

                  IIS

                  1. Create or verify the SSL Binding on wsus for create a server auth cert if necessary for yourwsusname.domain.org?

                   

                  This is only relevant if you are using **SSL** to secure/authenticate your connections between clients and servers. SSL configuration has absolutely nothing to do with local publishing or the publishing certificate.
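A read-only PowerShell check of the end state those five steps should leave on the WSUS server, added here as an example (it is not from the thread or from SolarWinds); it assumes the standard Local Computer store paths (WSUS, Root, TrustedPublisher) and a single publishing certificate in the WSUS store.

```powershell
# Verifies the publishing-certificate state described in the steps above:
#   - exactly one certificate in LocalMachine\WSUS (steps 1-3: the self-signed one is gone)
#   - it is CA-issued (not self-signed), has a private key, and carries the Code Signing EKU
#   - its chain root is present in LocalMachine\Root
#   - the same certificate (by thumbprint) is in LocalMachine\TrustedPublisher (steps 4-5)
# Store paths are the standard Windows ones; nothing here modifies any store.
$codeSigningOid = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning

function Test-PublishingCertState {
    $results = @()
    $wsusCerts = @(Get-ChildItem -Path 'Cert:\LocalMachine\WSUS' -ErrorAction SilentlyContinue)
    $results += [pscustomobject]@{ Check = 'WSUS store holds exactly one certificate'
                                   Pass  = ($wsusCerts.Count -eq 1); Detail = "$($wsusCerts.Count) found" }
    foreach ($cert in $wsusCerts) {
        $tp = $cert.Thumbprint
        $results += [pscustomobject]@{ Check = "Not self-signed ($tp)"
                                       Pass  = ($cert.Subject -ne $cert.Issuer); Detail = "Issuer: $($cert.Issuer)" }
        $results += [pscustomobject]@{ Check = "Private key present ($tp)"
                                       Pass  = $cert.HasPrivateKey; Detail = 'needed to sign published packages' }

        # Collect EKU OIDs and require Code Signing; a Server Authentication-only cert is an SSL cert, not a publishing cert
        $ekus = @($cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
        $results += [pscustomobject]@{ Check = "Code Signing EKU ($tp)"
                                       Pass  = ($ekus -contains $codeSigningOid); Detail = ($ekus -join ', ') }

        # Build the chain (no revocation lookup, so it works offline) and confirm the root is trusted locally
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $built = $chain.Build($cert)
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $results += [pscustomobject]@{ Check = "Chain root in LocalMachine\Root ($tp)"
                                       Pass  = ($built -and (Test-Path "Cert:\LocalMachine\Root\$($root.Thumbprint)"))
                                       Detail = "Root: $($root.Subject)" }

        # Clients and downstream servers trust the publisher via this store; check it on the WSUS server itself too
        $results += [pscustomobject]@{ Check = "Copy in LocalMachine\TrustedPublisher ($tp)"
                                       Pass  = (Test-Path "Cert:\LocalMachine\TrustedPublisher\$tp")
                                       Detail = 'public cert (CER) only' }
    }
    return $results
}

Test-PublishingCertState | Format-Table -AutoSize
```

Run it elevated on the WSUS server; any row with Pass = False points at the step that was skipped or done against the wrong store.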

                    • Re: Using a certificate generated from internal CA with Solarwinds Patch Manager
                      david.speer

                      Lawrence Garvin wrote:

                       

                      The steps are:

                      1. Create a self signed cert from server publishing setup wizard upstreamwsusserver.yourdomain.org -- this creates the Local Computer/WSUS store

                      2. Provision and Import a code signing cert into the Local Computer/WSUS store

                      3. Remove the self signed cert that was created in step 1 from the Local Computer/WSUS store

                      4. Publish the code signing cert into the Local Computer/Trusted Publishers all downstream wsus servers & sccm servers in patch manager

                      5. Publish the cert to the trusted publishers store for any endpoints that receive patches.

                       

                      That'll do it.

                       

                      IIS

                      1. Create or verify the SSL Binding on wsus for create a server auth cert if necessary for yourwsusname.domain.org?

                       

                      This is only relevant if you are using **SSL** to secure/authenticate your connections between clients and servers. SSL configuration has absolutely nothing to do with local publishing or the publishing certificate.

                       

                      Regarding the IIS bullet above...

                      If you're using the certificate issued from your internal CA this must be done, otherwise the certificate can't be used.

                      Patch manager will reject it every time. Interestingly enough this also holds true for SCUP.

                        • Re: Using a certificate generated from internal CA with Solarwinds Patch Manager
                          Lawrence Garvin

                          SSL has absolutely nothing to do with Local Publishing.

                          You can do Local Publishing With SSL, which requires *two* certificates: a CodeSigning Certificate for publishing and a WebSite Certificate for SSL

                          Or you can do Local Publishing without SSL, which requires only the CodeSigning Certificate, and that cert never gets anywhere near IIS.

                           

                          Not entirely sure what you're doing, but I've been involved with thousands of Patch Manager local publishing installations, and done a few dozen of my own, and I've *never* had to do anything with SSL.

                           

                          Now.. if you chose to enable SSL on your WSUS site (not required, but certainly an option), then of course you need an SSL certificate for that -- but it has *nothing* to do with publishing.

                            • Re: Using a certificate generated from internal CA with Solarwinds Patch Manager
                              david.speer

                              Thank you for the call today Lawrence.

                               

                              This ended up being scenario specific.

                               

                              In our scenario we are using a remote WSUS server that wasn't using SSL.

                              Patch Manager is on a dedicated server.

                               

                              The SSL binding on the WSUS administration site was required to engage the API to provision the cert in the Patch Manager Administration and Reporting config.

                              Otherwise when launching the Provision the WSUS Server for Publishing wizard action you can only ever select and use Create self-signed certificate.