4 Replies Latest reply on Jul 13, 2017 7:40 AM by eddiejc-dyson

    Unable to import CA-generated certificate


      We currently use SCCM and have Shavlik Patch integrated with it.  As we're having some issues with the old environment and it's upgrade time, anyhow, we've built out a brand new SCCM environment that we're in the process of migrating to.  In the NEW environment, we're unable to get the Shavlik cert (generated via our internal CA) imported.  It just pops an error that says "Error importing certificate."  I generated a new certificate, but that fails to import, as well.  They're both .pfx files. 


      We can generate a WSUS-signed cert, but we're prefer to keep using the internally generated certs, if possible.  Does anyone have any thoughts?  Is there some trick I'm missing?  It seems straightforward, but it's possible I'm having a mental moment.


      Any assistance would be greatly appreciated!



        • 1. Re: Unable to import CA-generated certificate
          Recursion SupportEmployee

          Importing a CA cert requires an SSL connection to WSUS. Information about this requirement can be found in this document: How To: Configure IIS to Use SSL Connections on Your WSUS Server - Self-Signed Certificate

          • 2. Re: Unable to import CA-generated certificate
            frazeraccount Rookie

            I followed the instructions in that document, but in step 15 when I ran the wsusutil command, the result was this:


            URL: http://<our server name>:8530


            According to the document, the result should have been:


            URL: https://<our server name>:8531


            I have stopped right there.  What happened?

            • 3. Re: Unable to import CA-generated certificate
              croth2 Apprentice

              Not sure if you have WSUS setup or not, but for the WSUS certificate I am using the same certificate as my SCCM server because their on the same server, just bind it in IIS to the "WSUS Administration" site.  It is a normal "Server Authentication" template.  Skip the steps in the link above for self-signed and use your Enterprise Issued Certificate.  Do the other steps to bind the Enterprise certificate to and enabling the SSL with command line:  "wsusutil configuressl ur-fqdn.domain.com". 


              As for the certificate to load into Shavlik.  Ensure you are using a "Code Signing" certificate template when you generate the Enterprise CA certificate.  This one will be for your WSUS Trusted Publisher.  Export it with key to be used in the Shavlik plugin/addon.  Export a second time WITHOUT key as DER encoded CER file.  This one then gets put in your GPO to push to client computers and server machines "Trusted Publishers".  Without this clients won't be able to use the certificate for Software Update.  As a side bonus you can use this for signing PowerShell scripts also and clients will honor it since it is a Trusted Publisher.  You do NOT need to put this in the clients "Trusted Root Certification Authorities" as many articles say, since it is signed with your Root CA/Intermediate Signing CA and domain joined machines will Trust these CAs.  Once those are done, ensure SCCM server/WSUS/Admin workstation especially have the Trusted Certificate (gpupdate /force) and verify with "certutil -viewstore -grouppolicy TrustedPublisher".  Then just use Shavlik interface in SCCM to import the Trusted Publisher exported PFX with key.


              Good to go!

              1 of 1 people found this helpful
              • 4. Re: Unable to import CA-generated certificate
                eddiejc-dyson Rookie

                In addition to this, when updating the WSUS certificate in the Shavlik/Ivanti plugin in SCCM, make sure:


                1) You are logged onto the Windows Server with an account that has rights in SCCM;

                2) When you fire up SCCM console, run as administrator, not as another user.


                Being new to the organisation, I was logged into Windows with an admin account, but did not yet have SCCM rights, so the SCCM console was run as a separate admin account with rights in SCCM. That caused errors when testing the connection to WSUS & when changing the code signing certificate for WSUS, because UAC is overly restrictive.


                After a few days of 2 of us thinking our CA provided certificate was not right, having finally got my SCCM rights I was able to run as admin rather than as another admin user & it went through perfectly.


                Here's the link I finally stumbled upon that cleared the way forward: Shavlik Patch Cannot Connect to WSUS Server