7 Replies Latest reply on May 15, 2018 12:16 AM by DM

    Unable to import CA-generated certificate


      We currently use SCCM and have Shavlik Patch integrated with it.  As we're having some issues with the old environment and it's upgrade time, anyhow, we've built out a brand new SCCM environment that we're in the process of migrating to.  In the NEW environment, we're unable to get the Shavlik cert (generated via our internal CA) imported.  It just pops an error that says "Error importing certificate."  I generated a new certificate, but that fails to import, as well.  They're both .pfx files. 


      We can generate a WSUS-signed cert, but we'd prefer to keep using the internally generated certs, if possible.  Does anyone have any thoughts?  Is there some trick I'm missing?  It seems straightforward, but it's possible I'm having a mental moment.


      Any assistance would be greatly appreciated!



        • 1. Re: Unable to import CA-generated certificate
          Recursion SupportEmployee

          Importing a CA cert requires an SSL connection to WSUS. Information about this requirement can be found in this document: How To: Configure IIS to Use SSL Connections on Your WSUS Server - Self-Signed Certificate

          • 2. Re: Unable to import CA-generated certificate
            frazeraccount Rookie

            I followed the instructions in that document, but in step 15 when I ran the wsusutil command, the result was this:


            URL: http://<our server name>:8530


            According to the document, the result should have been:


            URL: https://<our server name>:8531


            I have stopped right there.  What happened?

            • 3. Re: Unable to import CA-generated certificate

              Not sure if you have WSUS set up or not, but for the WSUS certificate I am using the same certificate as my SCCM server because they're on the same server; just bind it in IIS to the "WSUS Administration" site.  It is a normal "Server Authentication" template.  Skip the steps in the link above for self-signed and use your Enterprise Issued Certificate.  Do the other steps to bind the Enterprise certificate and enable SSL with the command line:  "wsusutil configuressl ur-fqdn.domain.com". 


              As for the certificate to load into Shavlik: ensure you are using a "Code Signing" certificate template when you generate the Enterprise CA certificate.  This one will be for your WSUS Trusted Publisher.  Export it with key to be used in the Shavlik plugin/addon.  Export a second time WITHOUT key as a DER encoded CER file.  This one then gets put in your GPO to push to client computers' and server machines' "Trusted Publishers".  Without this, clients won't be able to use the certificate for Software Update.  As a side bonus you can use this for signing PowerShell scripts also, and clients will honor it since it is a Trusted Publisher.  You do NOT need to put this in the clients' "Trusted Root Certification Authorities" as many articles say, since it is signed with your Root CA/Intermediate Signing CA and domain joined machines will trust these CAs.  Once those are done, ensure the SCCM server/WSUS/Admin workstation especially have the Trusted Certificate (gpupdate /force) and verify with "certutil -viewstore -grouppolicy TrustedPublisher".  Then just use the Shavlik interface in SCCM to import the Trusted Publisher exported PFX with key.


              Good to go!

              • 4. Re: Unable to import CA-generated certificate

                In addition to this, when updating the WSUS certificate in the Shavlik/Ivanti plugin in SCCM, make sure:


                1) You are logged onto the Windows Server with an account that has rights in SCCM;

                2) When you fire up SCCM console, run as administrator, not as another user.


                Being new to the organisation, I was logged into Windows with an admin account, but did not yet have SCCM rights, so the SCCM console was run as a separate admin account with rights in SCCM. That caused errors when testing the connection to WSUS & when changing the code signing certificate for WSUS, because UAC is overly restrictive.


                After a few days of 2 of us thinking our CA-provided certificate was not right, having finally got my SCCM rights, I was able to run as admin rather than as another admin user & it went through perfectly.


                Here's the link I finally stumbled upon that cleared the way forward: Shavlik Patch Cannot Connect to WSUS Server

                • 5. Re: Unable to import CA-generated certificate
                  rbreneman Rookie

                  I know this is an old post, but for what it's worth I was having the same problem when installing Ivanti Patch for SCCM. Single SCCM server w/WSUS, running Server 2016. I followed the steps for attaching the SSL cert to the https binding for WSUS Administration. The only thing missing in those instructions is also checking the "Require SSL" box for the ApiRemoting30 virtual directory. Once I did that I was able to get the correct https URL returned with the wsusutil.exe command.  Here are the instructions I followed that pointed me to the missing ApiRemoting30 directory: https://www.petervanderwoude.nl/post/how-to-configure-a-software-update-point-to-use-ssl-for-communicating-with-wsus/
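An added PowerShell check (not from this thread, and not Ivanti/Shavlik or Microsoft code) that verifies the pieces replies 3 and 5 describe before you retry the import: the https binding on the "WSUS Administration" site, whether the WSUS virtual directories require SSL, and whether the code-signing certificate is in the machine Trusted Publishers store with the Code Signing EKU and a chain that builds. It assumes the IIS site name "WSUS Administration", port 8531, an elevated prompt on the WSUS server, and that you substitute your own certificate thumbprint; the virtual directories beyond ApiRemoting30 are the ones Microsoft's WSUS SSL guidance lists.

```powershell
# Added verification script, not from the thread. Assumes WSUS on this server, the
# IIS WebAdministration module, and an elevated PowerShell prompt. Nothing is changed.
Import-Module WebAdministration

$SiteName      = 'WSUS Administration'                      # assumed IIS site name
$CodeSignThumb = 'REPLACE_WITH_CODE_SIGNING_CERT_THUMBPRINT' # placeholder
$SslRequiredDirs = 'ApiRemoting30', 'ClientWebService', 'DSSAuthWebService',
                   'ServerSyncWebService', 'SimpleAuthWebService'

# 1. https binding on 8531 and the certificate hash bound to it
$binding = Get-WebBinding -Name $SiteName -Protocol https |
           Where-Object { $_.bindingInformation -like '*:8531:*' }
if ($binding) { "OK: https binding $($binding.bindingInformation) cert $($binding.certificateHash)" }
else          { "MISSING: no https binding on 8531 for '$SiteName'" }

# 2. Each WSUS virtual directory that must require SSL (sslFlags contains Ssl = 8)
foreach ($dir in $SslRequiredDirs) {
    $raw  = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName\$dir" `
                -Filter 'system.webServer/security/access' -Name 'sslFlags'
    $text = "$($raw.Value)"
    # handle either the textual ("Ssl, SslNegotiateCert") or numeric representation
    $requiresSsl = ($text -match 'Ssl') -or ((($text -as [int]) -band 8) -ne 0)
    if ($requiresSsl) { "OK: $dir requires SSL ($text)" }
    else              { "MISSING: $dir does not require SSL ($text)" }
}

# 3. Code-signing cert in LocalMachine\TrustedPublisher, with Code Signing EKU
#    (1.3.6.1.5.5.7.3.3) and a chain that builds to a trusted CA on this machine
$cert = Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
        Where-Object { $_.Thumbprint -eq $CodeSignThumb }
if (-not $cert) {
    "MISSING: $CodeSignThumb not in LocalMachine\TrustedPublisher (check GPO, gpupdate /force)"
} else {
    $eku = $cert.Extensions |
           Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasCodeSigning = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.3' })
    if ($hasCodeSigning) { "OK: Code Signing EKU present" }
    else                 { "PROBLEM: certificate lacks the Code Signing EKU (wrong template?)" }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if ($chain.Build($cert)) { "OK: chain builds to a trusted root" }
    else { "PROBLEM: chain does not build: " + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ') }
}
```

Run it in the same elevated context you use for the SCCM console; a "MISSING" line for the binding or a virtual directory is the usual reason wsusutil still reports the http:8530 URL.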

                  • 6. Re: Unable to import CA-generated certificate
                    ddenning SupportEmployee



                    Thank you for contributing that information as we welcome anything that will add to our knowledge base.





                    • 7. Re: Unable to import CA-generated certificate
                      DM Rookie


                      I'm in a sort of a similar boat.

                      Installing SCCM Patch 2.4.

                      I am using a domain account that has FULL admin access to SCCM Server.

                      If I just launch the SCCM Console, then I cannot import the certificate and the SSL connection test fails.

                      However, if I launch the SCCM console with "Run as administrator", then it works fine.

                      So does this mean that every time I launch the SCCM console, I always have to launch it with "Run as Administrator"?

                      I suspect so, as if I try to launch the SCCM Console again normally, then it's the same problem. Is this the normal behaviour of how this works? Or am I doing something wrong?