WSUS no longer issues self-signed certificates

We've had some questions recently about why WSUS in Windows Server 2012 R2 no longer supports generating self-signed certificates for signing locally published update packages. We disabled this feature because it placed a significant management burden on those using it, and because it duplicated functionality that already exists in Windows Server Certificate Services (and other products).

  • Distribution. After WSUS generated a self-signed package-signing certificate, significant effort was required to export it and install it on every client that needed to verify packages signed with it (the certificate has to be trusted in both the Trusted Root Certification Authorities and the Trusted Publishers stores of each client).
  • Expiration. When the self-signed certificate expired, WSUS offered no functionality to notify you that signatures made with it were no longer valid. The first symptom was typically failed updates and other hard-to-diagnose failures.
  • Certificate updates/revocation. If you wanted to replace or revoke a certificate (e.g. after discovering that it had expired), WSUS offered no functionality to do so. This became a manual task that was hard to do by hand and hard to automate reliably.

If you still want to distribute signed updates, you have several options:

  • Install Windows Server Certificate Services. This is an in-box feature of Windows Server 2003 and later, and it is designed to address exactly these issues: issuance, distribution, expiration tracking and revocation.
  • Create and install your own certificate. Many tools exist to generate a self-signed code-signing certificate. After generating one, register it with your WSUS server using the SetSigningCertificate API (which takes a PFX file and its password) and distribute the public certificate to your clients as you did before. You'll still need to take care of distribution and revocation yourself, but WSUS will monitor the certificate you register and let you know when it's nearing expiration.
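
The second option, end to end, as an added example (this is not code from the WSUS team's post). It generates a self-signed code-signing certificate, registers it with WSUS through SetSigningCertificate, and shows the client-side trust step that remains your responsibility. The subject name, file paths and 90-day warning threshold are assumptions, as is the PKI module version: the -Type and -Subject parameters of New-SelfSignedCertificate exist on Windows 10 / Windows Server 2016 and later, whereas the Windows Server 2012 R2 cmdlet only accepts -DnsName, so on that OS generate the certificate with another tool or request one from your CA.

```powershell
# Added example, not code from the WSUS team's post. Run elevated on the WSUS server.
# Assumptions (not from the page): the subject name and file paths below, the 90-day
# threshold, and a PKI module that supports -Type/-Subject on New-SelfSignedCertificate
# (Windows 10 / Windows Server 2016 or later).

$subject     = 'CN=Contoso WSUS Local Publisher'      # assumed
$pfxPath     = 'C:\WSUS\LocalPublisher.pfx'           # assumed
$cerPath     = 'C:\WSUS\LocalPublisher.cer'           # assumed
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# 1. Generate a self-signed code-signing certificate. The Code Signing EKU
#    (1.3.6.1.5.5.7.3.3) is what the Windows Update Agent expects on locally
#    published packages; SHA-256 and a 2048-bit RSA key are the sane minimum.
$cert = New-SelfSignedCertificate -Subject $subject -Type CodeSigningCert `
            -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
            -KeyExportPolicy Exportable -NotAfter (Get-Date).AddYears(3) `
            -CertStoreLocation 'Cert:\LocalMachine\My'

# 2. Export the PFX (private key, for WSUS) and the CER (public part, for clients).
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null
Export-Certificate    -Cert $cert -FilePath $cerPath | Out-Null

# 3. Register it with WSUS through the SetSigningCertificate API.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
$wsus.SetSigningCertificate($pfxPath, $pfxPassword)

# 4. The PFX is now a package-signing key for every client that trusts it: anyone
#    who holds it can publish "updates" your fleet will install. Remove the file
#    once WSUS has imported it.
Remove-Item $pfxPath

# 5. Distribution is still your job: every client must trust the public certificate
#    in BOTH the Trusted Root Certification Authorities and Trusted Publishers stores.
#    Per machine (or deploy the same .cer through Group Policy Public Key Policies):
#    certutil -addstore Root $cerPath
#    certutil -addstore TrustedPublisher $cerPath

# 6. WSUS warns near expiry, but a check you control is cheap.
$daysLeft = ($cert.NotAfter - (Get-Date)).Days
if ($daysLeft -lt 90) { Write-Warning "Package-signing certificate expires in $daysLeft days" }
```

Revocation is the one item this script cannot cover: a self-signed certificate has no CRL, so "revoking" it means removing it from the Trusted Root and Trusted Publishers stores on every client and registering a replacement with WSUS, which is exactly the management burden the post describes.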

WSUS can still sign packages with any registered signing certificate. If you are already using a self-signed certificate that WSUS generated, you can continue to use it for as long as it meets your needs.

Please continue to read the "What's new in R2" blog series for more updates and discussions of new features in Windows Server 2012 R2!

Thanks,
The WSUS Team

Update: Workaround Details

While WSUS will no longer generate self-signed certificates by default, you can restore the legacy behavior by creating the following registry value on the WSUS server:

  • Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Update Services\Server\Setup\
  • Value: EnableSelfSignedCertificates (DWORD) = 1

Please note that the CreateSelfSignedCertificate API is still considered deprecated and may be removed in a future version of Windows.
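
The workaround as a script, added here and not code from the WSUS team's post. It creates the value in the 64-bit registry view named above and, as an assumption drawn from a reader comment below about 32-bit tooling such as SCUP 2011, also in the Wow6432Node view, then reads both back so you can see what a 64-bit and a 32-bit caller would each observe. The service restart at the end is an assumption; the post does not say whether one is needed.

```powershell
# Added example, not code from the WSUS team's post. Run elevated on the WSUS server.
$valueName = 'EnableSelfSignedCertificates'
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Update Services\Server\Setup',               # from the post
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Update Services\Server\Setup'    # assumed: 32-bit view
)

foreach ($key in $keys) {
    if (-not (Test-Path $key)) {
        # The native key exists on any server with WSUS installed; the Wow6432Node
        # key often does not and has to be created before the value can be set.
        New-Item -Path $key -Force | Out-Null
    }
    New-ItemProperty -Path $key -Name $valueName -Value 1 -PropertyType DWord -Force | Out-Null
}

# Read back both views. Anything other than 1 means the legacy
# CreateSelfSignedCertificate path is still disabled for callers using that view.
foreach ($key in $keys) {
    $v = (Get-ItemProperty -Path $key -Name $valueName -ErrorAction Stop).$valueName
    '{0,-70} {1} = {2}' -f $key, $valueName, $v
}

# Assumption (not stated on the page): restart WSUS so the service re-reads its
# Setup key before a tool such as SCUP uses its "Create" button.
Restart-Service -Name WsusService
```

Treat this as a bridge, not a destination: the value re-enables an API the post says is deprecated, and any certificate it produces still has to be distributed and retired by hand exactly as before.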

Comments

  • Anonymous
    January 01, 2003
    @Cato @David, thanks for the feedback. I have passed it along to the SCUP team.

  • Anonymous
    January 01, 2003
    @Cato @David, the following link might help you resolve the issue you referred to in your comments. The SCUP team has a blog post for workarounds of this issue here: http://blogs.technet.com/b/configmgrteam/archive/2013/12/11/system-center-updates-publisher-2011-support-statement-update.aspx

  • Anonymous
    January 01, 2003
    @Bob- If WSUS already has a self-signed certificate, that certificate will continue working. You'll only need to use the workaround above if you want to create a new self-signed certificate using WSUS (which is not recommended)

  • Anonymous
    January 01, 2003
    This workaround worked for me. SCUP 2011 + Server 2012 R2 + SCCM 2012 R2

  • Anonymous
    August 16, 2013
    Great to get implement.

  • Anonymous
    December 11, 2013
    Is there a hotfix for SCUP, because it still wants a cert but can't find the WSUS cert? Or is the bottom-line solution that I have to create my own?

  • Anonymous
    January 28, 2014
    @Cato and MSFT, I too want the same thing Cato is stating.

  • Anonymous
    January 28, 2014
    Published on configuration manager team blog as well: http://blogs.technet.com/b/configmgrteam/archive

  • Anonymous
    June 24, 2014
    I have found the following to be untrue, at least for me.

    @Bob- If WSUS already has a self-signed certificate, that certificate will continue working. You'll only need to use the workaround above if you want to create a new self-signed certificate using WSUS (which is not recommended)

  • Anonymous
    July 11, 2014
    For our product, we needed to add the following registry entry:

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Update Services\Server\Setup

    Create DWORD value: EnableSelfSignedCertificates = 1

  • Anonymous
    September 08, 2014
    WSS cert store is missing on Server 2008.
    Ideas?

  • Anonymous
    November 18, 2014
    Hi everybody, I need your help.

    PublishItem: Exception occurred during publishing: CreateDirectory failed

  • Anonymous
    May 19, 2015
    ~ Subbulakshmi Kumar | Support Engineer
    System Center Updates Publisher (SCUP) is an independent tool

  • Anonymous
    June 05, 2015
    Adding the DWORD as described in the workaround allowed us to successfully create the self-signed certificate through SCUP 2011 with SCCM 2012 R2 and Server 2012 R2.

  • Anonymous
    July 16, 2015
    @atom.acres. How do you manage to make it work? We have our certificate installed on the Windows Server 2012 R2 but still SCUP 2011 is blind...

  • Anonymous
    July 28, 2015
    Anyone seen adding the reg key not work? I have added the key to the location listed in the workaround, and the location mentioned by "Gordon Crooks" and it will still NOT create the self-signed cert. Server 2012 R2. Works perfectly in my lab environment on the same OS.

  • Anonymous
    September 21, 2015
    Yes, same as Gamby35 here, added the reg key and the cert will not be created after hitting the "Create" button on Server 2012 R2.

  • Anonymous
    November 20, 2015
    Tried this hotfix but it does not work. We have SCCM 2012 R2 + WSUS on Server 2012 R2, and when used with SCUP 2011, it cannot use the Create button to generate a certificate. It always says the certificate was not found on the server.

  • Anonymous
    August 31, 2016
    Hi guys, sorry if this is going to the wrong place. I have a Server 2012 R2 Standard and WSUS is freshly set up, which sits together with my AD. The WSUS console (on the same server) is currently using port 8530 to connect to the Update Services. I need to change my current WSUS environment to use SSL, which is port 8531, and I will be using the WSUS self-signed certificate because I have no Certificate Authority set up in my environment and I'm trying to avoid doing so (due to some reasons). I have edited the registry setting as above and rebooted the server, and now I'm pretty stuck at what to do next and I hope you guys can help me out here.

    I believe my next steps are:

    1. Generate a WSUS self-signed certificate
    2. Configure WSUS in IIS to use the self-signed certificate

    If the above next steps are correct, can anyone guide me on the steps to perform them? Believe me... I have tried googling for "creating self-signed certificate for WSUS" but nothing much came up.

    • Anonymous
      September 20, 2016
      Self-signed means that WSUS is the one that generates it. Since WSUS no longer does this, you'll have to generate the certificate separately via your own Certification Authority, or using one of the public CA services (e.g., VeriSign, Entrust) to procure a certificate for this purpose.