Certificates

When working with a Configuration Manager or WSUS implementation, proper certificate configuration is crucial. One way Microsoft helps ensure an update is considered secure and from a trusted source is through the utilization of a code signing certificate. This requirement means all custom updates must be code signed before injection into WSUS. We provide a couple of different ways to configure the certificate.

• Creating the WSUS Signing Certificate using Patch My PC’s Publisher

• Import a PKI Based Certificate Using Patch My PC’s Publisher

To read our in-depth guide on certificates click the link below.

In the steps below, we'll walk through creating a self-signed certificate using Patch My PC's Publisher.

Create WSUS Signing Certificate Using the Patch My PC Publisher

1. Select Generate a Self-Signed Certificate in the Publisher.

2. By default, it will be set to 5 years but you can change the number of years the certificate is valid for.

3. The other configuration you get from the publisher is that by default we do allow the private key to be exported. The benefit with that is that you do have the ability, if you move to a different WSUS server, to export the code-signing certificate generated through our tool and import that with the private key. This would allow you to use the same WSUS signing certificate that you were using on the previous WSUS server. That way you do not have to worry about potential clients having to get the certificate redistributed and trusted. The downside, from a security perspective, is that some people may not want that to be exportable because it could allow somebody to use that key in other places.

4. Click Generate Certificate. Once that is done we should have the certificate created and we'll be ready to start publishing updates to WSUS.