Certificate Configuration

When working with a Configuration Manager or WSUS implementation, proper certificate configuration is crucial. One way Microsoft ensures an update is treated as secure and from a trusted source is by requiring it to be signed with a code-signing certificate. This requirement means all custom updates must be code signed before they are injected into WSUS. We provide a couple of different ways to configure the certificate.

In the steps below, we'll walk through creating a self-signed certificate using Patch My PC's Publisher.

Create WSUS Signing Certificate Using the Patch My PC Publisher

  1. Select Generate a Self-Signed Certificate in the Publisher.

  2. By default, the certificate is valid for 5 years, but you can change the number of years it is valid for.

  3. The other option the Publisher exposes is whether the private key is exportable; by default, it is. The benefit is that if you later move to a different WSUS server, you can export the code-signing certificate generated by our tool, together with its private key, and import it on the new server. You then keep using the same WSUS signing certificate as before, so existing clients do not need the certificate redistributed and re-trusted. The downside, from a security perspective, is that an exportable key can be copied and used elsewhere, so some organizations prefer that it not be exportable.

  4. Click Generate Certificate. Once that completes, the certificate has been created and you are ready to start publishing updates to WSUS.
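
Once the certificate has been generated, it is worth confirming that the properties chosen in the steps above actually landed on the certificate. The following PowerShell is an added example and is not part of the Patch My PC Publisher or its documentation. It assumes the Publisher places the signing certificate in the local machine WSUS certificate store (Cert:\LocalMachine\WSUS), that you run it elevated on the WSUS server, and it uses C:\Temp\WSUSSigning.pfx as a placeholder path for the optional migration export described in step 3.

```powershell
# Added example (not Patch My PC's own code): inspect the generated WSUS signing
# certificate and report the properties set in the steps above.
# Assumption: the certificate lives in the local machine "WSUS" store.

function Test-WsusSigningCertificate {
    param(
        [string] $StorePath = 'Cert:\LocalMachine\WSUS'
    )

    $codeSigningEku = '1.3.6.1.5.5.7.3.3'   # Code Signing enhanced key usage OID

    $cert = Get-ChildItem -Path $StorePath |
        Where-Object { $_.HasPrivateKey } |
        Select-Object -First 1
    if (-not $cert) {
        Write-Warning "No certificate with a private key found in $StorePath; generate one in the Publisher first."
        return
    }

    # Step 1: a self-signed certificate has identical subject and issuer names.
    $isSelfSigned = ($cert.Subject -eq $cert.Issuer)

    # Step 2: validity period (the Publisher defaults to 5 years).
    $yearsValid = [math]::Round(
        (New-TimeSpan -Start $cert.NotBefore -End $cert.NotAfter).TotalDays / 365.25, 1)

    # Updates signed with a certificate lacking the Code Signing EKU are not trusted by clients.
    $hasCodeSigningEku = $cert.EnhancedKeyUsageList.ObjectId -contains $codeSigningEku

    # Step 3: private key exportability. CNG keys carry an export policy;
    # legacy CSP keys expose a boolean instead.
    $exportable = $null
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            $exportable = ($rsa.Key.ExportPolicy -band
                [System.Security.Cryptography.CngExportPolicies]::AllowExport) -ne 0
        } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $exportable = $rsa.CspKeyContainerInfo.Exportable
        }
    } catch {
        Write-Warning "Could not open the private key (run elevated on the WSUS server): $_"
    }

    [pscustomobject]@{
        Subject              = $cert.Subject
        Thumbprint           = $cert.Thumbprint
        SelfSigned           = $isSelfSigned
        YearsValid           = $yearsValid
        NotAfter             = $cert.NotAfter
        CodeSigningEku       = $hasCodeSigningEku
        PrivateKeyExportable = $exportable
    }
}

$result = Test-WsusSigningCertificate
$result | Format-List

# Optional, for the migration scenario in step 3: export the certificate with its
# private key (password-protected) and import it into the same store on the new
# WSUS server. Only flip $migrate to $true when you intend to move the key.
# C:\Temp\WSUSSigning.pfx is a placeholder path.
$migrate = $false
if ($migrate -and $result.PrivateKeyExportable) {
    $cert = Get-Item -Path ('Cert:\LocalMachine\WSUS\' + $result.Thumbprint)
    $pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
    Export-PfxCertificate -Cert $cert -FilePath 'C:\Temp\WSUSSigning.pfx' -Password $pfxPassword | Out-Null
    # On the new WSUS server, after copying the PFX over:
    # Import-PfxCertificate -FilePath 'C:\Temp\WSUSSigning.pfx' `
    #     -CertStoreLocation 'Cert:\LocalMachine\WSUS' -Password $pfxPassword -Exportable
}
```

If PrivateKeyExportable reports $false, the certificate cannot be moved to another WSUS server; clients would then need the new server's certificate redistributed and trusted, which is the trade-off step 3 describes.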

Note: After the signing certificate is created, you will need to decide how to deploy the WSUS signing certificate to your devices. The following article goes over the different options available for doing that: https://patchmypc.com/how-to-deploy-the-wsus-signing-certificate-for-third-party-software-updates

