Create a WSUS publishing certificate for third-party publishing

Check out this video (2:08) for an overview on how to generate a WSUS self-signed publishing certificate.

Beginning with Microsoft Windows Server 2012 R2, WSUS no longer issues self-signed certificates for signing packages. To prevent errors when you publish updates, run the Server Publishing Setup Wizard and generate the WSUS self-signed publishing certificate for the Patch Manager server certificate store. This process enables the WSUS server to publish third-party updates and custom packages to the managed systems.

If you installed Patch Manager on a dedicated server and chose not to allow the application to automatically deploy the SolarWinds WMI Providers, the Server Publishing Setup Wizard is disabled. In that case, manually deploy the WMI Providers to the WSUS server or distribute the publishing certificate using Group Policy.

If you cannot create a self-signed WSUS certificate using the Publishing Setup Wizard, see this KB article for troubleshooting and resolution.

  1. Log in to the Patch Manager Administrator Console as an administrator.
  2. In the navigation pane, expand Administration and Reporting and select Software Publishing.

  3. Click Server Publishing Setup Wizard in the Actions column.
  4. In the Provision WSUS Server for Publishing Wizard, click the WSUS Server drop-down menu and select the upstream WSUS server that requires a certificate.

    In this example, SPM-MGOM is the WSUS server added to Patch Manager.

  5. Select Create self-signed certificate and Add a registry key for WSUS, and then click Next.

    If the WSUS server is already provisioned with a certificate, a dialog box asks you to confirm your decision.

  6. Select the Patch Manager servers, upstream servers, and downstream WSUS servers that require the publishing certificate, and click Next.

  7. Complete the Provision WSUS Server for Publishing wizard.
  8. In the Summary window, click Finish to continue.
  9. Review the information in the WSUS Client Certificate and GPO Management window, and click OK.

    The certificate is signed and distributed to the Patch Manager server and all managed servers in your deployment.

  10. Select the WSUS server in the Patch Manager menu.

  11. Click Refresh Update Server in the Actions column.

    Always refresh the update server (WSUS server) whenever you create a certificate.

    The certificate is signed and distributed to the Patch Manager server and all managed servers in the deployment.

  12. Click Software Publishing Certificate in the Actions column to view the certificate.

  13. Import the certificate to your Group Policy. See Configure clients using Group Policy in the Patch Manager Administrator Guide for details.

    On client servers and the SCCM server, the key local stores that require the certificate include the Trusted Root Certification Authorities and Trusted Publishers stores.
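
One way to confirm the result of step 13 on a client server or the SCCM server, as an added PowerShell example that is not part of the Patch Manager documentation. It assumes the publishing certificate was exported to a .cer file (the file path and the function name Test-PublishingCertificateStores are hypothetical) and checks the two local machine stores named above for a certificate with the same thumbprint.

```powershell
# Added example: confirm that this machine trusts the WSUS publishing certificate.
# Assumption: the certificate was exported to a .cer file; the default path is hypothetical.
param(
    [string]$CertificatePath = 'C:\Temp\WsusPublishing.cer'
)

function Test-PublishingCertificateStores {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        # Local machine stores: Trusted Root Certification Authorities (Root)
        # and Trusted Publishers (TrustedPublisher).
        [string[]]$StoreNames = @('Root', 'TrustedPublisher')
    )
    foreach ($name in $StoreNames) {
        # Match on thumbprint so a different certificate with the same subject
        # (for example, an older publishing certificate) does not count.
        $match = Get-ChildItem -Path "Cert:\LocalMachine\$name" |
            Where-Object { $_.Thumbprint -eq $Certificate.Thumbprint }
        [pscustomobject]@{
            Store      = $name
            Present    = [bool]$match
            Thumbprint = $Certificate.Thumbprint
            NotAfter   = $Certificate.NotAfter
            Expired    = $Certificate.NotAfter -lt (Get-Date)
        }
    }
}

if (-not (Test-Path -LiteralPath $CertificatePath)) {
    throw "Certificate file not found: $CertificatePath"
}

# Load the exported certificate (public part only) from disk.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertificatePath

$results = Test-PublishingCertificateStores -Certificate $cert
$results | Format-Table -AutoSize

# Exit non-zero when the certificate is missing from a store or has expired,
# so the check can be used from a scheduled task or compliance script.
if ($results | Where-Object { -not $_.Present -or $_.Expired }) {
    Write-Warning 'Publishing certificate is missing from a required store or has expired.'
    exit 1
}
```

Run the script on a managed system after Group Policy has refreshed; a missing entry in either store means the policy has not delivered the certificate to that machine.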