WSUS no longer issues self-signed certificates


We've had some questions recently about why WSUS in Windows Server 2012 R2 no longer supports generating self-signed certificates for signing update packages. We disabled this feature because it was causing a significant management burden for those using the feature, and it duplicated functionality that already exists in Windows Server Certificate Services (and other products).

  • Distribution. After WSUS generates a certificate suitable for self-signing of packages, significant effort was required to export and install this self-signed certificate into all of the clients that needed to verify packages signed by it.
  • Expiration. When the self-signed certificate expires, WSUS offered no functionality to notify you that the signatures were no longer valid. This resulted in failed updates, and other hard to diagnose failures.
  • Certificate Updates/Revocation. If you wanted to update or revoke a certificate (i.e. after discovering that it expired), WSUS offered no functionality to enable this. Accomplishing this turned into a manual task that was very hard to either do by hand or automate successfully.

If you still want to distribute signed updates, you have several options:

  • Install Windows Server Certificate Services. This is an in-box feature of Windows Server 2003 and beyond, and is designed to address exactly these issues.
  • Create and Install your own certificate. Many tools exist to generate a self-signed certificate. After generating one, you can install it in your WSUS server and distribute it as you did before, using the SetSigningCertificate API. You’ll still need to take care of distribution and revocation yourself, but WSUS will monitor your custom certificate and let you know when it’s nearing expiration.

WSUS will still be able to sign packages using any registered signing certificates. If you already are using a self-signed certificate that WSUS generated, you can continue to use that certificate for as long as it meets your needs.

Please continue to read the "What's new in R2" blog series for more updates and discussions of new features in Windows Server 2012 R2!

Thanks,
The WSUS Team

Update: Workaround Details

While WSUS will not generate self-signed certificates by default, it is possible to restore the legacy behavior by setting the following registry key: 

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Update Services\Server\Setup\
  • Create DWORD value: EnableSelfSignedCertificates = 1

Please note that the CreateSelfSignedCertificate API is still considered deprecated and may be removed in a future version of Windows.


Comments (20)

  1. Ben Herila [MSFT] says:

    @Cato @David, thanks for the feedback. I have passed it along to the SCUP team.

  2. Ben Herila [MSFT] says:

    @Cato @David, the following link might help you resolve the issue you referred to in your comments. The SCUP team has a blog post for workarounds of this issue here: http://blogs.technet.com/b/configmgrteam/archive/2013/12/11/system-center-updates-publisher-2011-support-statement-update.aspx

  3. Ben Herila [MSFT] says:

    @Bob- If WSUS already has a self-signed certificate, that certificate will continue working. You’ll only need to use the workaround above if you want to create a *new* self-signed certificate using WSUS (which is not recommended)

  4. atom_acres says:

    this workaround worked for me. SCUP 2011 + server 2012 R2 + SCCM 2012 R2

  5. Md. Imran says:

    Great to get implement .

  6. Bob says:

    Is there a Hotfix for SCUP, because it is still wants a cert, but can't find the WSUS Cert?  or is the bottomline solution I have to create my own,

  7. Cato says:

    @Ben – As Bob mentioned here, with R2 WSUS not having a certificate, when using SCUP 2011 you get the message “The test connection succeeded. However, no signing certificate was detected for the update server. You will not be able to publish content to the update server without first registering a signing certificate.”

    At the moment, it seems that if we want to use SCUP 2011 in tandem with WSUS on 2012 R2 we need to go use the legacy feature of generating and associating a self signed certificate which the whole change was meant to remove.

    Will SCUP be released in a new flavour soon to support the new 2012 R2 feature of Certificate free updates on WSUS, or will a hot-fix be released, or is it something we have to live with?

  8. David Baur says:

    @Cato and MSFT, I too want the same thing Cato is stating.

  9. Anonymous says:

    Published on configuration manager team blog as well: http://blogs.technet.com/b/configmgrteam/archive

  10. IT Guy says:

    I have the following to be untrue, at least for me.

    @Bob- If WSUS already has a self-signed certificate, that certificate will continue working. You’ll only need to use the workaround above if you want to create a *new* self-signed certificate using WSUS (which is not recommended)

  11. Gordon Crooks says:

    For our product, we needed to add the following registry entry:

    HKEY_LOCAL_MACHINESOFTWAREWow6432NodeMicrosoftUpdate ServicesServerSetup

    Create DWORD value: EnableSelfSignedCertificates = 1

  12. Brent says:

    WSS cert store is missing on Server 2008.
    Ideas?

  13. Luciano Fette says:

    Hi Everybody i need your help.

    PublishItem: Exception occurred during publishing: CreateDirectory failed

  14. Anonymous says:

    ~ Subbulakshmi Kumar | Support Engineer
    System Center Updates Publisher (SCUP) is an independent tool

  15. schraepf says:

    Adding the DWORD as described in the workaround allowed us to successfully create the self signed certificate through SCUP 2011 with SCCM 2012 R2 and Server 2012 R2.

  16. dreno says:

    @atom.acres. How do you manage to make it work? We have our certificate installed on the Windows Server 2012 R2 but still SCUP 2011 isblind…

  17. Gamby35 says:

    Anyone seen adding the reg key not work? I have added the key to the location listed in the workaround, and the location mentioned by "Gordon Crooks" and it will still NOT create the self-signed cert. Server 2012 R2. Works perfectly in my lab environment
    on the same OS.

  18. RZimmermann says:

    Yes, same as Gamby35 here, added the reg key and the cert will not be created after hitting "create" button on server 2012r2.

  19. Jack says:

    Tried this hotfix but does not work, we have SCCM 2012 R2 + WSUS on server 2012 R2, and when used with SCUP 2011, it cannot use the Create button to generate certificate. Always says certificate not found on server.