

This article provides an extended overview of the steps required to swap your WSUS Self-Signing certificate, or your CA-private code-signing certificate in WSUS, when the old one has expired and you need a new one.


1. You must decide what type of certificate you are going to use:

1.1 WSUS Self-Signed Certificate?
1.2 CA-issued private certificate?

1.1.a) You can issue the WSUS Self-Signed certificate directly through the Software Vulnerability Manager integration wizard, at step 2, following the steps outlined here. First, however, you must use the other existing KB article in this community to enable your WSUS server to issue such certificates.

1.2.a) You can issue your own CA private certificate with the code-signing purpose through your certificate authority, export it to the file system as a PFX file, and then import it into WSUS using PowerShell. All requirements for the parameters of the code-signing certificate can be found in this KB article.

Relevant Notes

1. If you are generating the WSUS Code-Signing Certificate through the SVM Integration wizard, you must remove the previous certificate copy before you click to generate the new certificate. If you generate the new certificate while an old one is still in WSUS, you will end up seeing errors.

Remove the old expired certificate quickly with PowerShell (run as Admin):

#Verify that there is only one copy - the expired one
dir cert:\LocalMachine\WSUS\

#Delete all certs if there was only one copy in the location
del cert:\LocalMachine\WSUS\*

If there are more copies on the server, go back to the PowerShell import article I pointed to above for additional PowerShell methods to find which of the certificates has the private key. You should, in all circumstances, avoid having more than one certificate there.

If you have imported a private CA Code-Signing certificate, you'll normally see 3 copies in this folder: one of them has a private key, and the others have only public keys. There's no problem having these in there, but in reality you need to move the "Intermediate" certificate into the "Intermediate CA" folder under the cert:\LocalMachine\ location, and the top root must be placed under the "Trusted Root CAs" store.
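The following is an added example, not part of the original article: a read-only inventory of the WSUS store that shows which certificate holds the private key, which copies are expired, and which are CA certificates that belong in another store, so that the wildcard delete above is only run when you know what it will remove. The variable names are illustrative; Cert:\LocalMachine\CA and Cert:\LocalMachine\Root are the PowerShell paths of the Intermediate CA and Trusted Root CA stores.

```powershell
# Added example: inspect Cert:\LocalMachine\WSUS before deleting anything.
# Run in an elevated PowerShell session on the WSUS server.
$storePath = 'Cert:\LocalMachine\WSUS'
$now       = Get-Date

$report = @(Get-ChildItem -Path $storePath | ForEach-Object {
    $cert = $_
    # The Basic Constraints extension marks CA certificates (intermediate or root).
    $bc = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
    }
    $isCa       = [bool]($bc -and $bc.CertificateAuthority)
    $selfIssued = ($cert.Subject -eq $cert.Issuer)

    # Classify each entry the way the article describes the three copies.
    $role = if ($cert.HasPrivateKey) {
        'Signing certificate (private key present)'
    } elseif ($isCa -and $selfIssued) {
        'Root CA copy: belongs in Cert:\LocalMachine\Root'
    } elseif ($isCa) {
        'Intermediate CA copy: belongs in Cert:\LocalMachine\CA'
    } else {
        'Public-key-only copy'
    }

    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        Expired    = ($cert.NotAfter -lt $now)
        Role       = $role
    }
})

$report | Sort-Object Role | Format-Table -AutoSize -Wrap

# More than one private-key certificate is the situation the article says to avoid.
$signing = @($report | Where-Object { $_.Role -like 'Signing*' })
if ($signing.Count -gt 1) {
    Write-Warning "Found $($signing.Count) certificates with a private key in $storePath."
}

# Preview removal of expired entries only; -WhatIf means nothing is deleted.
$report | Where-Object { $_.Expired } | ForEach-Object {
    Remove-Item -Path "$storePath\$($_.Thumbprint)" -WhatIf
}
```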

2. Additional considerations before you set this up:

a) Disable the Internet Explorer Enhanced Security Configuration if it is enabled.
b) If errors appear, confirm that no GPO is restricting your user's system rights.
c) Make sure you start Internet Explorer with "Run As Administrator" in all circumstances.
d) You will be required to export a public copy of the certificate from the WSUS location, and then re-import the new certificate into the existing GPO, replacing the expired copies.

Version history
Last update:
‎Oct 11, 2019 05:18 AM