Importing a CA cert requires an SSL connection to WSUS. Information about this requirement can be found in this document: How To: Configure IIS to Use SSL Connections on Your WSUS Server - Self-Signed Certificate
Not sure if you have WSUS set up or not, but for the WSUS certificate I am using the same certificate as my SCCM server because they're on the same server; just bind it in IIS to the "WSUS Administration" site. It is a normal "Server Authentication" template. Skip the steps in the link above for self-signed and use your Enterprise Issued Certificate. Do the other steps to bind the Enterprise certificate and enable SSL with the command line: "wsusutil configuressl ur-fqdn.domain.com".
As for the certificate to load into Shavlik: ensure you are using a "Code Signing" certificate template when you generate the Enterprise CA certificate. This one will be for your WSUS Trusted Publisher. Export it with the key to be used in the Shavlik plugin/addon. Export it a second time WITHOUT the key as a DER encoded CER file. This one then gets put in your GPO to push to client computers' and server machines' "Trusted Publishers". Without this, clients won't be able to use the certificate for Software Update. As a side bonus you can use this for signing PowerShell scripts also, and clients will honor it since it is a Trusted Publisher. You do NOT need to put this in the clients' "Trusted Root Certification Authorities" as many articles say, since it is signed with your Root CA/Intermediate Signing CA and domain joined machines will trust these CAs. Once those are done, ensure the SCCM server/WSUS/Admin workstation especially have the Trusted Certificate (gpupdate /force) and verify with "certutil -viewstore -grouppolicy TrustedPublisher". Then just use the Shavlik interface in SCCM to import the Trusted Publisher exported PFX with key.
Good to go!
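The export and verification steps from the post above, as an added PowerShell example that is not part of the original thread. It assumes the enterprise-issued code-signing certificate is already in the local machine "My" store, that `C:\Certs` and the file names are illustrative, and that the timestamp server URL is an optional external call you may replace or drop. Everything else uses only the built-in PKI module and .NET X509 classes.

```powershell
# Added example (not from the thread): export the WSUS publisher cert twice as the post
# describes, then verify on a machine that it landed in Trusted Publishers and chains to a
# CA the machine already trusts (so no Trusted Root entry is needed).
# Assumptions: cert issued from a "Code Signing" template, present in Cert:\LocalMachine\My;
# output folder and file names are placeholders.
#Requires -Modules PKI

$ExportDir      = 'C:\Certs'                # assumed output folder
$CodeSigningEku = '1.3.6.1.5.5.7.3.3'       # id-kp-codeSigning

# 1. Pick the newest code-signing cert that has a private key.
$signing = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $CodeSigningEku) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $signing) { throw 'No code-signing certificate with a private key found in LocalMachine\My.' }
"Using {0} (thumbprint {1}, expires {2})" -f $signing.Subject, $signing.Thumbprint, $signing.NotAfter

New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null

# 2a. Export WITH the private key (PFX): this is what the Shavlik/Ivanti plugin imports.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $signing -FilePath "$ExportDir\WsusPublisher.pfx" -Password $pfxPassword | Out-Null

# 2b. Export WITHOUT the key as DER-encoded .cer: this is what the GPO pushes to Trusted Publishers.
Export-Certificate -Cert $signing -FilePath "$ExportDir\WsusPublisher.cer" -Type CERT | Out-Null

# 3. Client-side check after gpupdate /force: present in Trusted Publishers, and chain builds?
function Test-TrustedPublisher {
    param([Parameter(Mandatory)][string]$Thumbprint)
    $tp = Get-ChildItem Cert:\LocalMachine\TrustedPublisher | Where-Object Thumbprint -eq $Thumbprint
    if (-not $tp) {
        return [pscustomobject]@{ Present = $false; ChainOk = $false; Status = 'Not in TrustedPublisher' }
    }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check; use 'Online' when CRL/OCSP is reachable
    $ok = $chain.Build($tp)
    [pscustomobject]@{
        Present = $true
        ChainOk = $ok
        Status  = (($chain.ChainStatus | ForEach-Object StatusInformation) -join '; ')
    }
}
Test-TrustedPublisher -Thumbprint $signing.Thumbprint

# Non-GUI equivalent of the certutil check in the post (lists the Group Policy physical store):
# certutil -store -grouppolicy TrustedPublisher

# 4. Side bonus from the post: the same cert signs PowerShell scripts, and machines that have it
#    as a Trusted Publisher run such scripts under AllSigned/RemoteSigned without prompting.
$scriptPath = "$ExportDir\hello.ps1"
'Write-Output "signed script ran"' | Set-Content -Path $scriptPath
$sig = Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $signing `
          -TimestampServer 'http://timestamp.digicert.com'   # optional external call; drop if offline
"Signature status: {0}" -f $sig.Status                       # Valid when the chain and key are good
```

Run the export half on the CA-facing admin box and the `Test-TrustedPublisher` half on a client after the GPO has applied; a result of `Present = $true` but `ChainOk = $false` usually means the issuing CA chain itself is not trusted on that client, which is the one case where the Trusted Root advice in other articles actually applies.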
In addition to this, when updating the WSUS certificate in the Shavlik/Ivanti plugin in SCCM, make sure:
1) You are logged onto the Windows Server with an account that has rights in SCCM;
2) When you fire up SCCM console, run as administrator, not as another user.
Being new to the organisation, I was logged into Windows with an admin account, but did not yet have SCCM rights, so the SCCM console was run as a separate admin account with rights in SCCM. That caused errors when testing the connection to WSUS & when changing the code signing certificate for WSUS, because UAC is overly restrictive.
After a few days of 2 of us thinking our CA provided certificate was not right, having finally got my SCCM rights I was able to run as admin rather than as another admin user & it went through perfectly.
Here's the link I finally stumbled upon that cleared the way forward: Shavlik Patch Cannot Connect to WSUS Server
I know this is an old post, but for what it's worth I was having the same problem when installing Ivanti Patch for SCCM. Single SCCM server w/WSUS, running Server 2016. I followed the steps for attaching the SSL cert to the https binding for WSUS Administration. The only thing missing from those instructions is also checking the Require SSL box for the ApiRemoting30 virtual directory. Once I did that I was able to get the correct https URL returned with the wsusutil.exe command. Here are the instructions I followed that pointed me to the missing ApiRemoting30 directory: https://www.petervanderwoude.nl/post/how-to-configure-a-software-update-point-to-use-ssl-for-communicating-with-wsus/
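A check script for the IIS side of this thread (the https binding on "WSUS Administration" from the earlier post, the Require SSL flag on ApiRemoting30 from the post above, and the elevation question raised by the later replies), as an added PowerShell example that is not part of the original thread. The WSUS FQDN is a placeholder, the list of virtual directories that need Require SSL comes from Microsoft's WSUS SSL guidance rather than from this thread, and the script assumes the WebAdministration module is present on the WSUS server.

```powershell
# Added example (not from the thread): verify the WSUS SSL configuration discussed above.
# (a) is the console elevated, (b) does "WSUS Administration" have an https binding on 8531 with
# an enterprise-issued Server Authentication cert, (c) is Require SSL set on the WSUS vdirs,
# (d) does a live TLS handshake to the FQDN present a cert that chains cleanly.
# Assumptions: $WsusFqdn is a placeholder; $SslVdirs follows Microsoft's WSUS SSL guidance.
#Requires -Modules WebAdministration

$WsusFqdn = 'wsus.corp.example'        # assumed placeholder
$WsusPort = 8531
$Site     = 'WSUS Administration'
$SslVdirs = 'ApiRemoting30','ClientWebService','DSSAuthWebService','ServerSyncWebService','SimpleAuthWebService'

# (a) IIS and wsusutil changes need an elevated token; an admin account alone is not enough under UAC.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$elevated = ([Security.Principal.WindowsPrincipal]$id).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"Elevated: $elevated"
if (-not $elevated) { Write-Warning 'Not elevated: re-launch the console with Run as administrator.' }

# (b) https binding and the certificate bound to it.
$binding = Get-WebBinding -Name $Site -Protocol https |
           Where-Object bindingInformation -like "*:$WsusPort`:*"
if (-not $binding) { throw "No https binding on port $WsusPort for site '$Site'." }
$boundCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $binding.certificateHash
"Bound cert: {0} issued by {1}" -f $boundCert.Subject, $boundCert.Issuer
$serverAuthEku = '1.3.6.1.5.5.7.3.1'
if ($boundCert.EnhancedKeyUsageList.ObjectId -notcontains $serverAuthEku) {
    Write-Warning 'Bound cert lacks the Server Authentication EKU.'
}
if ($boundCert.Subject -eq $boundCert.Issuer) {
    Write-Warning 'Bound cert is self-signed; the thread uses an enterprise-issued cert instead.'
}

# (c) Require SSL per vdir. The "Require SSL" checkbox sets the Ssl flag (value 8) in sslFlags.
foreach ($v in $SslVdirs) {
    $flags = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$Site\$v" `
                 -Filter 'system.webServer/security/access' -Name sslFlags
    $text = "$($flags.Value)"
    $required = ($text -match '(^|,)\s*Ssl\s*(,|$)') -or ((($text -as [int]) -band 8) -ne 0)
    "{0,-22} RequireSSL={1}" -f $v, $required
    if (-not $required) { Write-Warning "Require SSL is not set on $v; set it, then rerun wsusutil configuressl." }
}
# To fix a missing one (elevated), e.g. the ApiRemoting30 case from the post above:
# Set-WebConfigurationProperty -PSPath "IIS:\Sites\$Site\ApiRemoting30" `
#     -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'
# & "$env:ProgramFiles\Update Services\Tools\WsusUtil.exe" configuressl $WsusFqdn

# (d) Live TLS check: which cert is actually served, and does it chain on this machine?
function Test-WsusTls {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 8531)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any cert at handshake time; we evaluate the chain ourselves below.
        $accept = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainOk = $chain.Build($remote)
        $dnsName = $remote.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        [pscustomobject]@{
            Subject     = $remote.Subject
            Thumbprint  = $remote.Thumbprint
            Protocol    = $ssl.SslProtocol
            ChainOk     = $chainOk
            ChainStatus = (($chain.ChainStatus | ForEach-Object StatusInformation) -join '; ')
            NameMatches = ($dnsName -eq $HostName)   # first DNS name only; inspect SANs for multi-name certs
        }
    } finally { $client.Close() }
}
Test-WsusTls -HostName $WsusFqdn -Port $WsusPort
```

If (b) and (c) pass but (d) reports `NameMatches = $false`, the FQDN you pass to `wsusutil configuressl` is not on the certificate, which is the other common reason the plugin's WSUS connection test fails after the IIS side looks right.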
Thank you for contributing that information as we welcome anything that will add to our knowledge base.
I'm in sort of a similar boat.
Installing SCCM Patch 2.4.
I am using a domain account that has FULL admin access to SCCM Server.
If I just launch the SCCM Console, then I cannot import the certificate and the SSL connection test fails.
However, if I launch the SCCM console with "Run as administrator", then it works fine.
So does this mean that every time I launch the SCCM console, I always have to launch it with "Run as Administrator"?
I suspect so, as if I try to launch the SCCM Console again normally, then I get the same problem. Is this normal behaviour for how this works? Or am I doing something wrong?