Certificate Configuration

When working with a Configuration Manager or WSUS implementation, proper certificate configuration is crucial. Microsoft requires all updates to be signed.

Applies to: On-premises Publisher

Certificates

When working with a Configuration Manager or WSUS implementation, proper certificate configuration is crucial. One way Microsoft helps ensure an update is considered secure and from a trusted source is through the utilization of a code signing certificate. This requirement means all custom updates must be code signed before injection into WSUS. We provide three different ways to configure the certificate.

In most organizations, allowing Configuration Manager to manage the certificate is acceptable and the easiest option. There may be external requirements that prevent the usage of self-signed certificates. To read our in-depth guide on certificates click the link below.

WSUS Signing Certificate: What It Is & How to CreatePatch My PC

If a self-signed certificate managed by Configuration Manager, is acceptable for your organization complete the steps below.

Self Signed - Configuration Manager Managed

If you are running SCCM 1806 or newer, you can enable the option for “Configuration Manager manages the certificate” in the Software Update Point configuration. To configure this setting complete the following steps.

Begin by opening the configuration manager console and then

Select Administration
Expand Site Configuration and select sites
Select your topmost Site (If you have a CAS, select the CAS) - Right click the site
Select Configure Site Components
Select Software Update Point from the fly-out.

This will open up the software update point management component tab. From this window complete the following steps if not already done.

Select the Third Party Updates Tab
Validate Enable third-party software updates is checked.
Validate Configuration Manager manages the certificate option is selected.
Select Apply

If your software update point site system is remote from the site server, SSL needs to be configured on WSUS for the option Configuration Manager manages the certificate to work. If SSL is not configured in this scenario, you will need to use an alternative method described here create and deploy the WSUS signing certificate.

Note: Switching WSUS to require SSL does not require client authentication certificates on all devices, it only requires a SSL certificate on the WSUS server that clients trust.

Once enabled, SCCM will automatically generate the signing certificate during the next software update point sync. You can force a software update point sync at any time. To force a software update point sync, complete the following steps.

Browse to Software Library
Expand and Software Updates > Right-click All Software Updates
Select Synchronize Software Updates
Hit OK on the pop-up message.

If you want to watch, and confirm the certificate is properly created, you can open the wsyncmgr.log this log is located in %ConfigMgr Install Directory%\Logs\wysnmgr.log. Alternatively, you can click the button displayed below in the Publisher General Tab.

The Open wsyncmgr.log will only show up if the Publisher is installed on the site server. This may not be the case if your top-level software update point is not the site server.

With the log file open you'll want to watch for the entry stating the certificate was inserted. This indicates the certificate has been generated and is ready to be used.