We've had some questions recently about why WSUS in Windows Server 2012 R2 no longer supports generating self-signed certificates for signing update packages. We disabled this feature because it was causing a significant management burden for those using the feature, and it duplicated functionality that already exists in Windows Server Certificate Services (and other products).
If you still want to distribute signed updates, you have several options:
WSUS will still be able to sign packages using any registered signing certificates. If you already are using a self-signed certificate that WSUS generated, you can continue to use that certificate for as long as it meets your needs.
Please continue to read the "What's new in R2" blog series for more updates and discussions of new features in Windows Server 2012 R2!
Thanks, The WSUS Team
While WSUS will not generate self-signed certificates by default, it is possible to restore the legacy behavior by setting the following registry key:
Please note that the CreateSelfSignedCertificate API is still considered deprecated and may be removed in a future version of Windows.
Great to get implement .
Is there a Hotfix for SCUP, because it is still wants a cert, but can't find the WSUS Cert? or is the bottomline solution I have to create my own,
@Bob- If WSUS already has a self-signed certificate, that certificate will continue working. You'll only need to use the workaround above if you want to create a *new* self-signed certificate using WSUS (which is not recommended)
@Ben - As Bob mentioned here, with R2 WSUS not having a certificate, when using SCUP 2011 you get the message "The test connection succeeded. However, no signing certificate was detected for the update server. You will not be able to publish content to the update server without first registering a signing certificate."
At the moment, it seems that if we want to use SCUP 2011 in tandem with WSUS on 2012 R2 we need to go use the legacy feature of generating and associating a self signed certificate which the whole change was meant to remove.
Will SCUP be released in a new flavour soon to support the new 2012 R2 feature of Certificate free updates on WSUS, or will a hot-fix be released, or is it something we have to live with?
@Cato and MSFT, I too want the same thing Cato is stating.
@Cato @David, thanks for the feedback. I have passed it along to the SCUP team.
@Cato @David, the following link might help you resolve the issue you referred to in your comments. The SCUP team has a blog post for workarounds of this issue here: http://blogs.technet.com/b/configmgrteam/archive/2013/12/11/system-center-updates-publisher-2011-support-statement-update.aspx