Importing a CA cert requires an SSL connection to WSUS. Information about this requirement can be found in this document: How To: Configure IIS to Use SSL Connections on Your WSUS Server - Self-Signed Certificate
Not sure if you have WSUS set up or not, but for the WSUS certificate I am using the same certificate as my SCCM server because they're on the same server; just bind it in IIS to the "WSUS Administration" site. It is a normal "Server Authentication" template. Skip the steps in the link above for self-signed and use your Enterprise Issued Certificate. Do the other steps to bind the Enterprise certificate and enable SSL with the command line: "wsusutil configuressl ur-fqdn.domain.com".
As for the certificate to load into Shavlik: ensure you are using a "Code Signing" certificate template when you generate the Enterprise CA certificate. This one will be for your WSUS Trusted Publisher. Export it with the key to be used in the Shavlik plugin/addon. Export it a second time WITHOUT the key as a DER encoded CER file. This one then gets put in your GPO to push to client computers' and server machines' "Trusted Publishers". Without this, clients won't be able to use the certificate for Software Update. As a side bonus you can use this for signing PowerShell scripts also, and clients will honor it since it is a Trusted Publisher. You do NOT need to put this in the clients' "Trusted Root Certification Authorities" as many articles say, since it is signed with your Root CA/Intermediate Signing CA and domain joined machines will trust these CAs. Once those are done, ensure the SCCM server/WSUS/Admin workstation especially have the Trusted Certificate (gpupdate /force) and verify with "certutil -viewstore -grouppolicy TrustedPublisher". Then just use the Shavlik interface in SCCM to import the Trusted Publisher exported PFX with key.
Good to go!
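To put the two exports and the client-side check from the post above into a script, here is an added PowerShell example (not from the poster, and not Shavlik's or Microsoft's own tooling). It assumes the code-signing cert lives in the server's LocalMachine\My store; the output folder, file names and thumbprint argument are placeholders.

```powershell
# Added example, not from the thread. Assumes the enterprise-issued Code Signing cert is in
# LocalMachine\My on the WSUS/SCCM server; $ExportDir and the file names are placeholders.
$ExportDir      = 'C:\CertExport'
$CodeSigningEku = '1.3.6.1.5.5.7.3.3'   # Code Signing enhanced key usage OID

# Pick the newest cert that has a private key AND the Code Signing EKU (a plain
# "Server Authentication" cert will not qualify, which is the point of the template check).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $CodeSigningEku) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'No Code Signing certificate with a private key found in LocalMachine\My.' }

New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password for the PFX export'

# 1) WITH the private key (PFX): this is what gets imported through the Shavlik plugin.
Export-PfxCertificate -Cert $cert -FilePath "$ExportDir\WsusPublisher.pfx" -Password $pfxPassword | Out-Null

# 2) WITHOUT the key, DER-encoded .cer: this is what the GPO pushes to Trusted Publishers.
Export-Certificate -Cert $cert -FilePath "$ExportDir\WsusPublisher.cer" -Type CERT | Out-Null
"Exported thumbprint $($cert.Thumbprint) to $ExportDir"

# Client-side check to run after gpupdate /force. Returns $true only if the cert is present
# in Trusted Publishers AND chains to a root the machine already trusts for code signing,
# which is why the root does not need to be pushed to Trusted Root separately.
function Test-WsusTrustedPublisher {
    param([Parameter(Mandatory)][string]$Thumbprint)
    $tp = Get-ChildItem Cert:\LocalMachine\TrustedPublisher | Where-Object Thumbprint -eq $Thumbprint
    if (-not $tp) { Write-Warning "$Thumbprint is not in LocalMachine\TrustedPublisher"; return $false }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid $CodeSigningEku)) | Out-Null
    if ($chain.Build($tp)) { return $true }
    # Surface the reason (e.g. UntrustedRoot, NotTimeValid) so it can be fixed at the CA/GPO level.
    $chain.ChainStatus | ForEach-Object { Write-Warning "Chain problem: $($_.Status) - $($_.StatusInformation.Trim())" }
    return $false
}

# Example call on a client (placeholder thumbprint):
# Test-WsusTrustedPublisher -Thumbprint 'PASTE-THUMBPRINT-FROM-EXPORT-OUTPUT'
```

The poster's `certutil -viewstore -grouppolicy TrustedPublisher` shows specifically the GPO-delivered copy, while the function above reads the merged machine store, so run both if you need to tell a locally imported cert apart from one that arrived via Group Policy.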
In addition to this, when updating the WSUS certificate in the Shavlik/Ivanti plugin in SCCM, make sure:
1) You are logged onto the Windows Server with an account that has rights in SCCM;
2) When you fire up the SCCM console, run it as administrator, not as another user.
Being new to the organisation, I was logged into Windows with an admin account, but did not yet have SCCM rights, so the SCCM console was run as a separate admin account with rights in SCCM. That caused errors when testing the connection to WSUS & when changing the code signing certificate for WSUS, because UAC is overly restrictive.
After a few days of 2 of us thinking our CA provided certificate was not right, having finally got my SCCM rights I was able to run as admin rather than as another admin user & it went through perfectly.
Here's the link I finally stumbled upon that cleared the way forward: Shavlik Patch Cannot Connect to WSUS Server