The other configuration you get from the publisher is that by default we do allow the private key to be exported. The benefit with that is that you do have the ability, if you move to a different WSUS server, to export the code-signing certificate generated through our tool and import that with the private key. This would allow you to use the same WSUS signing certificate that you were using on the previous WSUS server. That way you do not have to worry about potential clients having to get the certificate redistributed and trusted. The downside, from a security perspective, is that some people may not want that to be exportable because it could allow somebody to use that key in other places.