This article describes how to replace the WSUS code-signing certificate, whether it is a WSUS self-signed certificate or a code-signing certificate issued by your own (private) CA, once the old certificate has expired.
Before you start
- Make sure Internet Explorer Enhanced Security Configuration is disabled.
- Start Internet Explorer with "Run as Administrator."
Replace WSUS self-signed certificate
- Enable your WSUS server to issue self-signed certificates.
On Windows Server 2012, 2012 R2, and 2016, WSUS does not issue self-signed certificates unless this is enabled in the registry. Open Regedit on the WSUS server and go to:
HKLM\Software\Microsoft\Update Services\Server\Setup\
Create a DWORD value with the following name and data:
EnableSelfSignedCertificates = 1
- If you are generating a WSUS Code-Signing Certificate through the SVM Integration wizard, you must remove the previous certificate copy before you generate the new certificate. You'll receive errors if you generate the new certificate while there's an old one already in WSUS.
Remove the old expired certificate with PowerShell (run as Administrator).
First verify that the store contains only one certificate, the expired one:
dir cert:\LocalMachine\WSUS\
Only if that expired certificate is the single entry in the store, delete everything in it:
del cert:\LocalMachine\WSUS\*
If there are more certificates in the store, do not delete them blindly: follow the steps in Install the WSUS code-signing certificate with Powershell for PowerShell methods to identify which certificate holds the private key before removing anything.
- Issue the WSUS Self-Signed certificate directly through the Software Vulnerability Manager integration wizard at step two, following the steps outlined in WSUS/System Center: Step 2 – Certificate Status.
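The following PowerShell is an added example for the clean-up step above; it is not part of the original article or the Software Vulnerability Manager product. It lists the WSUS certificate store with the fields that matter here (expiry and whether the entry holds a private key), clears the store only when the single entry is the expired one, and otherwise removes just the expired entries while keeping any still-valid certificate that has a private key. Run it from an elevated PowerShell prompt on the WSUS server.

```powershell
# Added example (not from the original article): inventory Cert:\LocalMachine\WSUS,
# flag expired entries and entries with a private key, and remove only expired copies.
$store = 'Cert:\LocalMachine\WSUS'
$now   = Get-Date

# Show what is in the store before touching anything.
Get-ChildItem -Path $store |
    Select-Object Thumbprint, Subject, NotAfter, HasPrivateKey,
        @{ Name = 'Expired'; Expression = { $_.NotAfter -lt $now } } |
    Format-Table -AutoSize

$all     = @(Get-ChildItem -Path $store)
$expired = @($all | Where-Object { $_.NotAfter -lt $now })

if ($all.Count -eq 0) {
    Write-Host 'The WSUS store is already empty; nothing to remove.'
}
elseif ($all.Count -eq 1 -and $expired.Count -eq 1) {
    # This is the case the article's "del cert:\LocalMachine\WSUS\*" covers.
    Write-Host ('Single expired certificate {0} found; clearing the store.' -f $all[0].Thumbprint)
    Remove-Item -Path "$store\*"
}
else {
    # More than one entry: delete only the expired ones, one at a time, by their own path.
    foreach ($cert in $expired) {
        Write-Host ('Removing expired certificate {0} ({1})' -f $cert.Thumbprint, $cert.Subject)
        Remove-Item -Path $cert.PSPath
    }
    # Report what stays behind; a valid entry with a private key is the one WSUS signs with.
    $all | Where-Object { $_.NotAfter -ge $now } | ForEach-Object {
        $role = if ($_.HasPrivateKey) { 'signing certificate (has private key)' } else { 'public-key-only copy' }
        Write-Host ('Keeping {0}: {1}' -f $role, $_.Thumbprint)
    }
}
```

The `HasPrivateKey` column is the quick way to tell the actual signing certificate from the public-key-only copies that the article refers to; a store with several unexpired entries and none with a private key means the signing key is not on this server and the certificate must be imported again rather than merely cleaned up.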
Replace CA-issued private certificate
- Review the requirements for the parameters of the code-signing certificate in SVM Integration with WSUS API Explained.
- Issue a code-signing certificate from your private certificate authority and export it, together with its private key, to the file system as a PFX file.
- Import the certificate into WSUS using PowerShell.
After importing a private-CA code-signing certificate you will see three entries in the WSUS store: the code-signing certificate itself, which has a private key, and the intermediate and root CA certificates, which carry only public keys. You may need to move the intermediate certificate to the Intermediate Certification Authorities store and the root certificate to the Trusted Root Certification Authorities store.
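The following PowerShell is an added example for the import step above and for the public-copy export mentioned under Additional notes; it is not part of the original article or the Software Vulnerability Manager product. The PFX and CER file paths are assumptions for illustration. The script imports the PFX into the WSUS store, checks that exactly one entry holds a private key and that it carries the Code Signing enhanced key usage, moves the chain certificates out of the WSUS store into the CA and Root stores (the root is recognised as the self-signed entry), and exports the public part of the signing certificate for the GPO. Run it from an elevated PowerShell prompt on the WSUS server.

```powershell
# Added example (not from the original article): import a private-CA code-signing PFX into
# Cert:\LocalMachine\WSUS, relocate the chain, and export the public copy for the GPO.
$pfxPath = 'C:\Certs\wsus-codesign.pfx'   # assumed path to the PFX exported from the CA
$cerPath = 'C:\Certs\wsus-codesign.cer'   # assumed output path for the public copy
$wsusStore = 'Cert:\LocalMachine\WSUS'
$pfxPass = Read-Host -Prompt 'PFX password' -AsSecureString

# Import leaf and chain into the WSUS store. Drop -Exportable if the key must never leave this box.
Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation $wsusStore -Password $pfxPass -Exportable | Out-Null

# Move public-key-only chain certificates to the stores where Windows expects them.
foreach ($cert in (Get-ChildItem -Path $wsusStore)) {
    if ($cert.HasPrivateKey) { continue }          # the signing certificate stays in WSUS
    if ($cert.Subject -eq $cert.Issuer) {
        Write-Host ('Root CA {0} -> Trusted Root Certification Authorities' -f $cert.Thumbprint)
        Move-Item -Path $cert.PSPath -Destination 'Cert:\LocalMachine\Root'
    }
    else {
        Write-Host ('Intermediate CA {0} -> Intermediate Certification Authorities' -f $cert.Thumbprint)
        Move-Item -Path $cert.PSPath -Destination 'Cert:\LocalMachine\CA'
    }
}

# Exactly one certificate with a private key should remain; anything else means a bad import.
$signing = @(Get-ChildItem -Path $wsusStore | Where-Object { $_.HasPrivateKey })
if ($signing.Count -ne 1) {
    throw ('Expected exactly one certificate with a private key in {0}, found {1}.' -f $wsusStore, $signing.Count)
}
$signing = $signing[0]

# Code Signing EKU is OID 1.3.6.1.5.5.7.3.3; WSUS will not sign packages with a certificate that lacks it.
if (-not ($signing.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.3' })) {
    Write-Warning ('Certificate {0} does not carry the Code Signing enhanced key usage.' -f $signing.Thumbprint)
}
if ($signing.NotAfter -lt (Get-Date)) {
    Write-Warning ('Certificate {0} is already expired ({1}).' -f $signing.Thumbprint, $signing.NotAfter)
}

# Export the public part (DER .cer) for distribution through the GPO; no private key leaves the server.
Export-Certificate -Cert $signing -FilePath $cerPath -Type CERT | Out-Null
Write-Host ('Signing certificate {0} valid until {1}; public copy written to {2}' -f $signing.Thumbprint, $signing.NotAfter, $cerPath)
```

After this runs, the WSUS store holds only the signing certificate, and the .cer file is the public copy to import into the existing GPO so that clients trust packages signed with the new certificate.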
Additional notes
- Export a public copy of the new certificate from the WSUS store and import it into the existing GPO in place of the expired copies, so that clients trust packages signed with the new certificate. For details, see Create the WSUS-CSI Group Policy Manually.
- If errors appear at any point in this process, confirm that no GPO is restricting the rights of the account you are using on the system.