Creating, Exporting And Importing A WSUS Self-Signed Certificate With The Shavlik Patch Plugin

Version 7


    This document will show you how to use the Shavlik Patch Plugin to create a self-signed certificate, and then how to export/import the created certificate to the correct locations.



    Creating the self-signed certificate


    If you have successfully connected to your WSUS server via SSL you will be able to create a self-certificate through the Shavlik Patch Settings > WSUS Server options.


    Here are the steps:


    1. Open the Shavlik Patch Settings window by right clicking on Shavlik Patch, then click Settings.

        Note: Shavlik Patch will be under Software Library > Software Updates.



    2. Within the Shavlik Patch Settings, on the WSUS Server tab:

        -First ensure you have an SSL connection to your WSUS server. Test the connection to ensure it's working.

        -Then click the 'Create a self-signed certificate' button.



    NOTE: If you receive the following error, resort to this document (Error Creating a Self-signed Certificate) before proceeding to the next steps:




    If you do not see the above error, continue with the steps below.


    3. You'll receive a warning message that gives you some straight-forward information about what should be done with the certificate. Click OK.



    4. Export the certificate so you can distribute it as needed. Click the 'Export' button within the Shavlik Patch Settings. You will be prompted to save the certificate. You will need a copy of the certificate for the following steps so make sure you will be able to copy this file to other computers/locations.



    Importing the certificate


    On any systems where you need to distribute the certificate, you can either use GPO to push the certificate which is covered in a technet blog here, or you can manually do so via MMC using the steps below:


    1. Open MMC. Make sure to run as an Administrator.

        Note: In the screenshot below the Start menu is set to use a third party app called Classic Shell so it may appear different from your 2012 server.



    2. File > Add/Remove Snap-in



    3. Highlight Certificates > click Add.



    4. Choose 'Computer account'. Click Next.



    5. Leave defaults under 'Select Computer'. Click Finish.



    6. Expand Certificates. Expand Trusted Root Certification Authorities. Right click Certificates, then choose All Tasks > Import.



    7. This brings up the Certificate Import Wizard. Click Next.



    8. This is where you will need a copy of the self-signed certificate generated earlier. Browse to and choose the certificate, then click Next.



    9. Make sure you are placing the cert in the correct certificate store (Trusted Root Certification Authorities for this step). Click Next.



    10. You will be given a summary. Click Finish.



    11. You should receive a message stating 'The import was successful.' Click OK.



    12. Verify you now see the self-signed certificate listed. It should appear as 'WSUS Publishers Self-signed'.



    13. Repeat the same steps for Trusted Publishers.



    14. You should end up with the WSUS Self-signed certificate under both Trusted Root Certification Authorities > Certificates and Trusted Publishers > Certificates.



    Additional Information


    For more information, refer to the Shavlik Patch Guide, and see the section APPENDIX A : CREATING AND DISTRIBUTING CERTIFICATES

    A Guide to Deploy Certificates by Using Group Policy exists at

    Affected Product(s)


    Shavlik Patch for Microsoft System Center