WSUS Product Team Blog

WSUS Product Team thoughts, information, tips and tricks and beyond :-)

WSUS no longer issues self-signed certificates



We've had some questions recently about why WSUS in Windows Server 2012 R2 no longer supports generating self-signed certificates for signing locally published update packages. We disabled this feature because it created a significant management burden for those who used it, and it duplicated functionality that already exists in Windows Server Certificate Services (and other products). The specific problems were:

  • Distribution. After WSUS generated a self-signed certificate for signing packages, significant effort was required to export that certificate and install it into the Trusted Root Certification Authorities and Trusted Publishers stores of every client that needed to verify packages signed by it.
  • Expiration. When the self-signed certificate expired, WSUS offered no functionality to notify you that the signatures were no longer valid. This resulted in failed updates and other hard-to-diagnose failures.
  • Certificate updates/revocation. If you wanted to update or revoke a certificate (for example, after discovering that it had expired, or that its private key had been exposed), WSUS offered no functionality for this. It became a manual task that was very hard to do by hand or to automate reliably.

If you still want to distribute signed updates, you have several options:

  • Install Windows Server Certificate Services. This is an in-box feature of Windows Server 2003 and later, and it is designed to address exactly these issues: issuing certificates, tracking their expiration, and publishing revocation information.
  • Create and install your own certificate. Many tools exist to generate a self-signed certificate. After generating one, export it as a PFX with its private key, register it on your WSUS server using the SetSigningCertificate API, and distribute the public certificate to clients as you did before. You'll still need to take care of distribution and revocation yourself, but WSUS will monitor your custom certificate and let you know when it's nearing expiration.
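Registering such a certificate and then checking that it is actually trusted where it needs to be, as an added PowerShell example (this is not code from the WSUS team's post). It assumes an elevated Windows PowerShell session on the WSUS server with the WSUS administration API installed, a PFX with its private key at the path you pass in, and that the configuration object's SigningCertificate property returns the registered certificate (an assumption; the post itself only names SetSigningCertificate).

```powershell
# Added example, not from the WSUS team post. Assumes: elevated PowerShell on the
# WSUS server, the Microsoft.UpdateServices.Administration API present, a PFX with
# private key at -PfxPath, and that IUpdateServerConfiguration.SigningCertificate
# exposes the registered certificate (assumption; the post only names SetSigningCertificate).

function Register-WsusSigningCertificate {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][string]$PfxPassword
    )
    [void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
    $wsus   = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
    $config = $wsus.GetConfiguration()

    # Register the certificate WSUS will use to sign locally published packages
    # (the SetSigningCertificate API named in the post), then persist the configuration.
    $config.SetSigningCertificate($PfxPath, $PfxPassword)
    $config.Save()

    # Read back what WSUS now considers its signing certificate (assumed property).
    return $config.SigningCertificate
}

function Test-WsusSigningCertificateTrust {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [int]$WarnDays = 60
    )
    # A self-signed (or privately issued) signing certificate must be present in BOTH the
    # Trusted Root Certification Authorities and Trusted Publishers stores on the WSUS
    # server and on every client that installs locally published updates. The server also
    # keeps a copy in its own "WSUS" store; that store does not exist on clients.
    $presence = @{}
    foreach ($store in 'Root', 'TrustedPublisher', 'WSUS') {
        $path = "Cert:\LocalMachine\$store"
        $presence[$store] = (Test-Path $path) -and
            [bool](Get-ChildItem $path | Where-Object Thumbprint -eq $Certificate.Thumbprint)
    }

    # Expiration check: this is the condition the post says WSUS will now warn about for
    # custom certificates; running it on clients catches the same problem there.
    $daysLeft = [int]($Certificate.NotAfter - (Get-Date)).TotalDays

    [pscustomobject]@{
        Subject            = $Certificate.Subject
        Thumbprint         = $Certificate.Thumbprint
        SelfSigned         = ($Certificate.Subject -eq $Certificate.Issuer)
        NotAfter           = $Certificate.NotAfter
        DaysUntilExpiry    = $daysLeft
        ExpiringSoon       = ($daysLeft -le $WarnDays)
        InTrustedRoot      = $presence['Root']
        InTrustedPublisher = $presence['TrustedPublisher']
        InWsusStore        = $presence['WSUS']
    }
}

# Usage on the WSUS server (the PFX path is an assumed example value):
$cert = Register-WsusSigningCertificate -PfxPath 'C:\certs\wsus-signing.pfx' `
                                        -PfxPassword (Read-Host -Prompt 'PFX password')
Test-WsusSigningCertificateTrust -Certificate $cert -WarnDays 60 | Format-List
```

If InTrustedRoot or InTrustedPublisher is False on the server, fix that before publishing anything: the same two stores must be populated on every client (typically via Group Policy), and on clients InWsusStore is expected to be False. A True for SelfSigned together with a short DaysUntilExpiry is exactly the situation the post warns about, since you, not WSUS, own the renewal and redistribution.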

WSUS will still be able to sign packages using any registered signing certificate. If you are already using a self-signed certificate that WSUS generated, you can continue to use that certificate for as long as it meets your needs.

Please continue to read the "What's new in R2" blog series for more updates and discussions of new features in Windows Server 2012 R2!

Thanks,
The WSUS Team

Update: Workaround Details

While WSUS will not generate self-signed certificates by default, you can restore the legacy behavior by creating the following registry value:

  • Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Update Services\Server\Setup
  • Value: EnableSelfSignedCertificates (DWORD) = 1

Please note that the CreateSelfSignedCertificate API is still considered deprecated and may be removed in a future version of Windows.
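Setting that value from PowerShell, as an added example that is not part of the WSUS team's post. It writes the DWORD under the key named above and also under the Wow6432Node view of the same key, because 32-bit processes on 64-bit Windows are redirected there when they read HKLM\Software (one of the comments below reports needing the Wow6432Node entry for a 32-bit product). It assumes an elevated 64-bit Windows PowerShell session on the WSUS server.

```powershell
# Added example (not from the post). Assumes an elevated 64-bit PowerShell session on
# the WSUS server. Writes EnableSelfSignedCertificates to the native 64-bit key named in
# the post and to its Wow6432Node counterpart, which is what 32-bit publishing tools see.
function Set-WsusSelfSignedCertificatePolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # 1 restores the deprecated self-signed generation; 0 returns to the R2 default.
        [ValidateSet(0, 1)][int]$Value = 1
    )
    $name  = 'EnableSelfSignedCertificates'
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Update Services\Server\Setup',             # key from the post
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Update Services\Server\Setup'  # WOW64-redirected view
    )
    foreach ($path in $paths) {
        if (-not (Test-Path $path)) {
            New-Item -Path $path -Force | Out-Null
        }
        if ($PSCmdlet.ShouldProcess($path, "Set $name = $Value")) {
            New-ItemProperty -Path $path -Name $name -PropertyType DWord -Value $Value -Force | Out-Null
        }
        # Read the value back so the caller can confirm both views agree.
        $current = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{ Path = $path; EnableSelfSignedCertificates = $current }
    }
}

# Usage: preview with -WhatIf, then apply.
Set-WsusSelfSignedCertificatePolicy -Value 1 -WhatIf
Set-WsusSelfSignedCertificatePolicy -Value 1 | Format-Table -AutoSize
```

Treat this as a temporary bridge for tools that still expect a WSUS-generated certificate, not as a configuration to leave in place: the post states that the underlying CreateSelfSignedCertificate API remains deprecated, so plan to move to a certificate you issue and manage yourself.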

Comments
  • Great to get implemented.

  • Is there a hotfix for SCUP, because it still wants a cert but can't find the WSUS cert? Or is the bottom-line solution that I have to create my own?

  • @Bob- If WSUS already has a self-signed certificate, that certificate will continue working. You'll only need to use the workaround above if you want to create a *new* self-signed certificate using WSUS (which is not recommended)

  • @Ben - As Bob mentioned here, with R2 WSUS not having a certificate, when using SCUP 2011 you get the message "The test connection succeeded. However, no signing certificate was detected for the update server. You will not be able to publish content to the update server without first registering a signing certificate." At the moment, it seems that if we want to use SCUP 2011 in tandem with WSUS on 2012 R2 we need to go use the legacy feature of generating and associating a self signed certificate which the whole change was meant to remove. Will SCUP be released in a new flavour soon to support the new 2012 R2 feature of Certificate free updates on WSUS, or will a hot-fix be released, or is it something we have to live with?

  • @Cato and MSFT, I too want the same thing Cato is stating.

  • @Cato @David, thanks for the feedback. I have passed it along to the SCUP team.

  • @Cato @David, the following link might help you resolve the issue you referred to in your comments. The SCUP team has a blog post for workarounds of this issue here: http://blogs.technet.com/b/configmgrteam/archive/2013/12/11/system-center-updates-publisher-2011-support-statement-update.aspx

  • I have my SCUP configured per this article, but I'm getting some odd results, as documented here -

    http://social.technet.microsoft.com/Forums/en-US/9f239429-1ad7-49d1-baa2-6680bf92769d/cant-expire-published-updates-from-scup-2011-verification-of-file-signature-failed-for-file-etc?forum=configmanagersecurity

    Thoughts?

  • I have found the following to be untrue, at least for me.

    @Bob- If WSUS already has a self-signed certificate, that certificate will continue working. You'll only need to use the workaround above if you want to create a *new* self-signed certificate using WSUS (which is not recommended)

  • For our product, we needed to add the following registry entry:

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Update Services\Server\Setup

    Create DWORD value: EnableSelfSignedCertificates = 1

  • WSS cert store is missing on Server 2008.
    Ideas?

  • this workaround worked for me. SCUP 2011 + server 2012 R2 + SCCM 2012 R2
