This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject

A new Flexera Community experience is coming on November 18th, click here for more information.

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Replace an expired WSUS self-signed certificate or CA-issued private certificate

This article provides the steps required to swap your WSUS self-signed certificate or your CA-private code-signed certificate in WSUS when the old certificate has expired. 

Before you start

  • Make sure Internet Explorer Enhanced Security Configuration is disabled.
  • Start Internet Explorer with "Run as Administrator."

Replace WSUS self-signed certificate

  1. Enable your WSUS server to issue self-signed certificates.

On Windows Server 2012, 2012R2, and 2016, open Regedit on the WSUS server and go to:

 HKLM\Software\Microsoft\Update Services\Server\Setup\

Create DWORD with value:

EnableSelfSignedCertificates = 1

  1. If you are generating a WSUS Code-Signing Certificate through the SVM Integration wizard, you must remove the previous certificate copy before you generate the new certificate. You'll receive errors if you generate the new certificate while there's an old one already in WSUS.

Remove the old expired certificate with Powershell (ran as Admin)

Verify that there is only one copy, the expired one.

dir cert:\LocalMachine\WSUS\

Delete all certificates if there is only one copy in the location.

del cert:\LocalMachine\WSUS\*

If there are more copies on the server, follow the steps in Install the WSUS code-signing certificate with Powershell to find additional methods via PowerShell to see which certificate has the private key.

  1. Issue the WSUS Self-Signed certificate directly through the Software Vulnerability Manager integration wizard at step two, following the steps outlined in WSUS/System Center: Step 2 – Certificate Status.

Replace CA-issued private certificate

  1. Review the requirements for the parameters of the code-signing certificate in SVM Integration with WSUS API Explained.
  2. Issue your CA private certificate for code-signing purposes through your certificate authority and export it to the file system as a PFX file.
  3. Import the certificate in WSUS using PowerShell.

If you have imported a private CA Code-Signing certificate, you'll see three copies: one has a private key, and the others have only public keys. It may be necessary to move the "Intermediate" certificate to the "Intermediate CA" folder and place the top root under the "Trusted Root CAs" store.

Additional notes

  • You'll need to export a public copy of the certificate to the WSUS location and re-import the new certificate entity to the existing GPO that replaces the expired copies. For details, see Create the WSUS-CSI Group Policy Manually.
  • If errors appear throughout this process, confirm that no GPO is blocking your user in their system rights. 

on ‎Oct 11, 2019 05:18 AM - edited on ‎May 22, 2024 12:34 PM by Community Manager Community Manager

Was this article helpful? Yes No
0% helpful (0/1)
0 Kudos
Version history
Last update:
‎May 22, 2024 12:34 PM
Updated by:
Community Manager Community Manager