How to create, export and import a self-signed WSUS certificate
This document describes how you can use the Matrix42 Patch plug-in to generate a self-signed certificate and to export/import this certificate to the correct locations.
How to create a self-signed certificate
Once you have established an SSL-based connection to your WSUS Server, you can use the options under Matrix42 Patch Settings -> WSUS Server to create a self-signed certificate.
To do so, please perform the following steps:
1. Open the SCCM console and go to M42 Patch Catalog.
2. First, test the connection to ensure that you have connected to your WSUS Server successfully via SSL.
3. Then click "Create a self-signed certificate".
You must open the console as Administrator, since machine-related certificates must be installed during this process.
If you have performed the steps described above and an error message is displayed, the error can have the following causes:
- The user has not been added to the group of administrators on SCCM and/or WSUS Server.
- The user has not launched the SCCM console as Administrator.
- The connection to WSUS Server is disabled or not SSL-encrypted.
A warning is displayed, providing important information on what to do with the certificate.
How to export the certificate
1. Export the certificate so that you can distribute it as needed. Click the "Export" button in the M42 Patch settings. You will be prompted to save the certificate. A copy of the certificate is required for the following steps.
How to import the certificate
You can either distribute the certificate via GPO (information can be found here) or import it manually using the MMC.
For manual distribution via the MMC, proceed as follows:
1. Open the MMC (as Administrator) -> Open -> Add snap-in -> Certificates (computer account and local computer).
2. Under Certificates, go to Trusted root certificates -> right-click -> All tasks -> Import.
3. The Certificate Import Wizard is launched. Select the certificate you have exported and then click Next.
4. Ensure that "Trusted Root Certification Authorities" is selected as certificate store. Then click Next to finish the wizard. Now a message should be displayed to inform you that the import has been completed successfully.
5. Ensure that the certificate has been stored correctly; its name is "WSUS Publishers Self-signed".
6. Repeat the same steps for the "Trusted Publisher" section.
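The manual MMC steps above can also be scripted. The following PowerShell is an added example and is not part of the Matrix42 documentation; the file path is an assumed export location, and the subject check assumes the name from step 5 appears in the certificate subject.

```powershell
#Requires -RunAsAdministrator
# Added example: imports the exported WSUS certificate into both local-computer
# stores named in the steps above and verifies the result by thumbprint.
param(
    # Assumption: path where the certificate was saved via "Export".
    [string]$CertPath = 'C:\Temp\WSUSPublishersSelfSigned.cer'
)

$ErrorActionPreference = 'Stop'

# Certificate name from step 5. Assumption: it appears in the subject.
$expectedName = 'WSUS Publishers Self-signed'

# Load the exported file first so it can be checked before anything is trusted.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath

if ($cert.Subject -notlike "*$expectedName*") {
    throw "Unexpected certificate subject '$($cert.Subject)'; refusing to import."
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate expired on $($cert.NotAfter); create a new one first."
}
Write-Host "Importing '$($cert.Subject)', thumbprint $($cert.Thumbprint)"

# Trusted Root Certification Authorities and Trusted Publishers (local computer).
$stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\TrustedPublisher'

foreach ($store in $stores) {
    Import-Certificate -FilePath $CertPath -CertStoreLocation $store | Out-Null

    # Confirm that exactly this certificate is now present in the store.
    $found = Get-ChildItem -Path $store |
        Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    if (-not $found) {
        throw "Certificate not found in $store after import."
    }
    Write-Host "OK: present in $store"
}
```

Compare the printed thumbprint with the one shown for the certificate on the WSUS Server before rolling the file out to further machines.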
Help on how to distribute the certificates via GPO can be found here.