Using Patch for MEM and WSUS to Create a Code Signing Certificate

Your user account must be a member of the WSUS Administrators group in order to create a code signing certificate through the Patch for MEM interface.

Using the Patch for MEM interface, you can instruct WSUS to create a self-signed code signing certificate for your enterprise. Creating a code signing certificate is enabled by default on WSUS prior to Windows Server 2012 R2.

Important! If you are using WSUS on Windows Server 2012 R2, the ability to create self-signed code signing certificates has been deprecated and is disabled by default. You can, however, restore this capability by using the workaround described in this article:

If you choose to create a code signing certificate in Patch for MEM using a Software Update Point (WSUS server) on Windows Server 2012 R2 or later, this workaround will be applied automatically.

To create a self-signed code signing certificate using WSUS:

1. Within the Configuration Manager Software Library workspace, expand the Software Updates > Ivanti Patch folder and click on Updates.

2. On the Configuration Manager Home tab, click Settings.

3. On the Patch for MEM Settings dialog, select the WSUS Server tab.

Verify that the Use Secure Sockets Layer (SSL) to connect to this server check box is enabled. A secure connection to the WSUS server is typically required when creating a self-signed certificate.

4. Click Create a self-signed certificate.

If a certificate already exists, a Warning dialog is displayed.

Do not proceed unless you are certain you need a different certificate. The warning message explains what you will need to do if you are replacing or deleting an existing certificate.

If you click OK, a second Warning dialog is displayed.

5. Read the information and then click OK.

The dialog shows the requirements that must be met before using the certificate.

The new certificate is created on the WSUS server and is registered with WSUS. Details of the certificate are displayed in the Current Certificate area.

If you are running Configuration Manager with Run as Administrator privileges, the certificate is also automatically installed for you in the following certificate stores on the local Configuration Manager console:

Trusted Root Certification Authorities

Trusted Publishers

If the automatic installation fails, you will have to manually distribute the certificate to the stores.
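
One way to check the two stores listed above and install the certificate where it is missing, shown as an added example that is not part of the product documentation. It assumes an elevated PowerShell session on the console machine and that the certificate has been exported (public key only) to a .cer file; the file path and the script's parameter names are placeholders.

```powershell
# Added example, not from the product documentation.
param(
    [string]$CerPath = 'C:\Temp\wsus-codesigning.cer',  # ASSUMPTION: placeholder path to the exported public certificate
    [switch]$Install                                     # import into any store where the certificate is missing
)

$codeSigningOid = '1.3.6.1.5.5.7.3.3'   # Enhanced Key Usage: Code Signing
$stores = [ordered]@{
    'Trusted Root Certification Authorities' = 'Cert:\LocalMachine\Root'
    'Trusted Publishers'                     = 'Cert:\LocalMachine\TrustedPublisher'
}

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath

# Refuse to distribute anything that is not a currently valid code signing certificate.
$eku = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
}
$ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
if ($ekuOids -notcontains $codeSigningOid) {
    throw "Certificate $($cert.Thumbprint) does not carry the Code Signing EKU."
}
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate $($cert.Thumbprint) is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
}

# Report presence per store by thumbprint; import only when -Install is given.
foreach ($name in $stores.Keys) {
    $storePath = $stores[$name]
    $present = Test-Path -Path "$storePath\$($cert.Thumbprint)"
    if (-not $present -and $Install) {
        Import-Certificate -FilePath $CerPath -CertStoreLocation $storePath | Out-Null
        $present = Test-Path -Path "$storePath\$($cert.Thumbprint)"
    }
    [pscustomobject]@{
        Store      = $name
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        Expires    = $cert.NotAfter
        Present    = $present
    }
}
```

Compare the reported thumbprint with the one shown in the Current Certificate area before running with -Install, so that only the certificate WSUS actually registered is added to the trust stores.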