Certificate Overview

A code signing certificate is required when using Patch for Configuration Manager with Configuration Manager and WSUS to publish third-party updates. In general, you must:

  1. Create a code signing certificate.
    You can do this using either an internal Certificate Authority (CA) or your WSUS server.
  2. (Conditional) If you use an internal CA to create the code signing certificate, you must import the certificate into WSUS, which you can do using Patch for Configuration Manager.
    If you use WSUS to create the code signing certificate, the certificate will be automatically imported into WSUS.
  3. Export the certificate.
  4. Distribute the code signing certificate to the following certificate stores on all your WSUS servers, your remote Configuration Manager consoles, and your client machines:
    • Trusted Publishers certificate store
    • Trusted Root Certificate Authorities certificate store

This section provides details on how to accomplish each of these tasks.
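
As an added example (not part of the original documentation), the following PowerShell check can be run on a WSUS server, console machine, or client to confirm that step 4 took effect. The file path is a hypothetical placeholder, and the script assumes that for a CA-issued certificate the entry expected in Trusted Root Certification Authorities is the root of its chain; a self-signed certificate created by WSUS is its own root.

```powershell
# Added example: verify distribution of the exported code signing certificate.
param(
    # Hypothetical path to the .cer file exported in step 3.
    [string]$CerPath = 'C:\Temp\CodeSigning.cer'
)

# Resolve to a full path because .NET does not follow the PowerShell location.
$fullPath = (Resolve-Path -Path $CerPath).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $fullPath

# The certificate must carry the Code Signing EKU (OID 1.3.6.1.5.5.7.3.3).
$eku = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
}
$hasCodeSigning = [bool]($eku -and
    ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.3' }))

# Build the chain without revocation checks to find the certificate's root.
# If the chain cannot be completed, the last element is not a trusted root
# and the Trusted Root test below reports False.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chainBuilds = $chain.Build($cert)
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

# Report one row per machine; collect the rows to find machines that were missed.
[pscustomobject]@{
    Computer            = $env:COMPUTERNAME
    Thumbprint          = $cert.Thumbprint
    NotAfter            = $cert.NotAfter
    Expired             = ($cert.NotAfter -lt (Get-Date))
    HasCodeSigningEku   = $hasCodeSigning
    InTrustedPublishers = Test-Path "Cert:\LocalMachine\TrustedPublisher\$($cert.Thumbprint)"
    RootInTrustedRoot   = Test-Path "Cert:\LocalMachine\Root\$($root.Thumbprint)"
    ChainBuilds         = $chainBuilds
}
```

A machine where `InTrustedPublishers` or `RootInTrustedRoot` is `False` has not received the certificate in the corresponding store.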

For information on establishing a trust relationship to support third-party patching, see Setting Up the Trust Relationship on the Microsoft web site.

Alternate Creation and Distribution Method if You are Using Configuration Manager 1806 or Later

You can have Configuration Manager create the signing certificate and distribute it to your client machines.

  1. Within your Software Update Point, on the Third Party Updates tab, enable the "Configuration Manager manages the certificate" option.
  2. In your Client Settings, on the Software Updates tab, specify Yes for the "Enable third party software updates" option.
  3. Run a synchronization of your software update point.
    If a certificate is not detected, one is automatically generated for you and distributed to your client machines.

For more information, see the Microsoft documentation site.