This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Error creating self-signing certificate [WS2012 or above]

Summary

On systems running Windows Server 2012, 2012R2, 2016 - WSUS no longer issues self-signed certificates as this is disabled by default by Microsoft. You can use a workaround to enable the feature in the machine registry and thus you can go around the problem.

Symptoms

You are integrating the Software Vulnerability Manager for the first time, or you are just configuring a new machine with the interface. After connecting to the deployment server, you attempt to create a certificate in the second step of the Software Vulnerability Manager integration wizard for WSUS/System Center Configuration Manager. 

Your account has been added as a member of the WSUS-local security group WSUS Administrators.
Your account is at least a Local Administrator on the local system as well.
You have started Internet Explorer with the 'Run as Administrator' option (needed for UAC bypass)
Even so, certificate creation fails with an error and it does not allow you to move along with your setup.

Cause

Microsoft has disabled the WSUS feature that allows you to create a WSUS self-signed certificate on Server 2012 R2.The Software Vulnerability Manager can issue a code-signing certificate through this feature by requesting Windows to create one through the WSUS Certificate Server service.

This is the default in SVM. It is only provided as a minimal alternative for cases when it's possible to get a private CA-issued certificate quickly and it is needed to patch. Flexera advises you to use private certificate for improved security. 

Resolution

It is possible to restore the legacy behavior on Windows Server 2012, 2012R2 and 2016 by setting a registry key. Open Regedit on the WSUS server and go to:

 HKLM\Software\Microsoft\Update Services\Server\Setup\

Create DWORD with value:

EnableSelfSignedCertificates = 1

Your server should no longer deny you the request for issuing a WSUS Self-signed certificate while the setting remains enabled (1). Retry to create the certificate through Software Vulnerability Manager. 

References

http://blogs.technet.com/b/wsus/archive/2013/08/15/wsus-no-longer-issues-self-signed-certificates.aspx

on ‎Nov 15, 2018 07:36 PM - edited on ‎Sep 19, 2019 06:02 PM by Level 7 Flexeran

Was this article helpful? Yes No
No ratings
0 Kudos
Version history
Last update:
‎Sep 19, 2019 06:02 PM
Updated by:
Level 7 Flexeran