Using Patch for MEM and WSUS to Create a Code Signing Certificate
Your user account must be a member of the WSUS Administrators group in order to create a code signing certificate through the Patch for MEM interface.
Using the Patch for MEM interface, you can instruct WSUS to create a self-signed code signing certificate for your enterprise. Creating a code signing certificate is enabled by default on WSUS prior to Windows Server 2012 R2.
Important! If you are using WSUS on Windows Server 2012 R2, the ability to create self-signed code signing certificates has been deprecated and is disabled by default. You can, however, restore this capability by using the workaround described in this article:
If you choose to create a code signing certificate in Patch for MEM using a Software Update Point (WSUS server) on Windows Server 2012 R2 or later, this workaround will be applied automatically.
To create a self-signed code signing certificate using WSUS:
1. Within the Configuration Manager Software Library workspace, expand the Software Updates > Ivanti Patch folder and click on Updates.
2. On the Configuration Manager Home tab, click Settings.
3. On the Patch for MEM Settings dialog, select the WSUS Server tab.
Verify that the Use Secure Sockets Layer (SSL) to connect to this server check box is enabled. A secure connection to the WSUS server is typically required when creating a self-signed certificate.
4. Click Create a self-signed certificate.
If a certificate already exists, a Warning dialog is displayed.
Do not proceed unless you are certain you need a different certificate. The warning message explains what you will need to do if you are replacing or deleting an existing certificate.
If you click OK, a second Warning dialog is displayed.
5. Read the information and then click OK.
The dialog shows the requirements that must be met before using the certificate.
The new certificate is created on the WSUS server and is registered with WSUS. Details of the certificate are displayed in the Current
If you are running Configuration Manager with Run as Administrator privileges, the certificate is also automatically installed for you in the following certificate stores on the local Configuration Manager console:
• Trusted Root Certification Authorities
If the automatic installation fails, you will have to manually distribute the certificate to the stores.
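One way to confirm on the console machine that the certificate was installed, as an added example that is not part of the product documentation: the PowerShell below lists self-signed certificates with the Code Signing usage in the local machine Trusted Root Certification Authorities store. The function name, the `StoreNames` parameter and the output column names are choices made for this example.

```powershell
# Added example (not from the product documentation).
# Lists self-signed code signing certificates in local machine certificate stores
# so you can confirm the WSUS certificate is present and check its expiry.
function Get-SelfSignedCodeSigningCert {
    param(
        # 'Root' is the provider name of "Trusted Root Certification Authorities".
        # Pass additional store names if you distribute the certificate elsewhere.
        [string[]]$StoreNames = @('Root')
    )

    $codeSigningOid = '1.3.6.1.5.5.7.3.3'   # Enhanced Key Usage: Code Signing

    foreach ($storeName in $StoreNames) {
        Get-ChildItem -Path "Cert:\LocalMachine\$storeName" |
            Where-Object {
                # Self-signed: subject and issuer are identical.
                $_.Subject -eq $_.Issuer -and
                ($_.EnhancedKeyUsageList.ObjectId -contains $codeSigningOid)
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Store         = $storeName
                    Subject       = $_.Subject
                    Thumbprint    = $_.Thumbprint
                    NotAfter      = $_.NotAfter
                    DaysLeft      = [int]($_.NotAfter - (Get-Date)).TotalDays
                    # A trust store only needs the public certificate; a copy that
                    # carries the private key here deserves a closer look.
                    HasPrivateKey = $_.HasPrivateKey
                }
            }
    }
}

Get-SelfSignedCodeSigningCert | Format-Table -AutoSize
```

An empty result means no matching certificate is in the store, which is the case where manual distribution is needed. Compare the thumbprint shown with the certificate details displayed for the WSUS server.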