Forcing WSUS to use our trusted Root Cert to sign all 3rd party updates. RRS feed

  • Question

  • I promise to give more details as you need them, but for now I am going to start the question simple.


    Windows Server 2016

    SCCM - latest branch

    WSUS 10.1

    ManageEngine's Patch Connect Plus


    Currently WSUS is working with SCCM properly, there are no communication error.  WSUS will download updates from Microsoft and SCCM can download it and create Update package.  We want to do this for all 3rd party updates as well.  We are using ManageEngines software Patch Connect Plus which pushes the updates through WSUS to SCCM.  This works if i am using the self-signed cert created by WSUS.  But I don't want to do that.  We have a Trusted Root cert we want to use.  So I want WSUS to sign all updates (specially 3rd party) using this cert.  And I found a section in a Technet article (hh852346) which states in Section 3.6:

    3.6. Configure a Signing Certificate
    WSUS has the ability to publish custom update packages to update Microsoft and non-Microsoft products. WSUS can automatically sign these custom update packages for you with an Authenticode certificate. To enable custom update signing, you must install a package signing certificate on your WSUS server. There are several considerations associated with custom update signing.
    1. Certificate Distribution. The private key must be installed on the WSUS server, and the public key must be explicitly installed in the trusted certificate store on all client PCs and servers which are to receive custom-signed updates.
    2. Expiration. When the self-signed certificate expires or nears expiration, WSUS will log events in the event log.
    3. Certificate Updates/Revocation. If you wanted to update or revoke a certificate (i.e. after discovering that it expired), WSUS offered no functionality to enable this. Accomplishing this turned into a manual task that was very hard to either do by hand or automate successfully.

    But, what I don't get is how to make sure WSUS to do that.  Thank you.

    Wednesday, September 27, 2017 10:53 PM

All replies

  • Hi Sir,

    AFAIK , import signing certificate is the feature of the software which used to push updates to WSUS server (With using SCUP to push updates):


    I'd suggest you to check if there is any document of the Software you are using mentioned how to achieve that.

    Best Regards,


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by Elton_Ji Tuesday, October 10, 2017 3:05 AM
    Friday, September 29, 2017 10:50 AM