New WSUS CodeSigning Certificate

zuerom · October 30, 2023, 09:50:19 AM

Hi PatchMyPC Community,

our WSUS Certificate (Issued from our CA) need to be replaced soon.
the current Certificate is also used in PatchMyPC Publisher, and is Deployed to the Systems by GPO.

What do we have to do on side of PatchMyPC once the new Certificate is available?
do we have to import the cert in PatchMyPC or will it be discovered somehow?
does PatchMyPC resign all the package whith the new Cert once it is installed?
is there a possibility of a coexistence while replacing and resigning the certificate?

Regards
zuerom

Hugo Marinho (Patch My PC) · October 31, 2023, 04:01:31 AM

Hi there Zuerom,

If you have a new certificate, you will need to import pfx certificate into the publisher so any newly published updates get signed with that new certificate, you can do so from the "General" tab and then by clicking the button "Import PFX certificate".

If you plan to keep the old certificate on your devices as well as the new one, you won't need to republish anything, however, if you are removing the old cert, you will need to republish all of your updates so they get signed with the new certificate and won't fail on install.

Hope to have helped, have a rest of a great day ahead!

zuerom · October 31, 2023, 08:04:12 AM

Hi Hugo,
Thank you very much for your reply.
We want to remove the old certificate from the clients once everything is ok, and the old cert is expired. the Republish... can i do it for all Updates by right click on All Products and select Republish during...?
This will only republish the selected updates, correct? does it have any impact on the clients?
(Will it be reinstalled on the systems?)

If we would let the old cert on the clients, what happen if the cert expires? will they still be able to install the existing (not newer ones, after the new cert is imported) updates if we don't republish these Updates?

regards
zuerom

Hugo Marinho (Patch My PC) · November 01, 2023, 04:17:17 AM

"can i do it for all Updates by right click on All Products and select Republish during...?"
Yes, that would be the correct procedure here.

"This will only republish the selected updates, correct?"
Correct, only the selected updates, it will not publish any others you have not selected.

"does it have any impact on the clients?(Will it be reinstalled on the systems?)"
I assuming you are asking if you republish an update, will it be reinstalled on a client device? If so, then no.

"If we would let the old cert on the clients, what happen if the cert expires? will they still be able to install the existing (not newer ones, after the new cert is imported) updates if we don't republish these Updates?"
If the certificate expires, but remains on the device, any updates signed by that certificate will still be trusted and installed provided it is timestamped.

PS_Alex · November 09, 2023, 09:13:10 AM

Hey Hugo!

As a best practice, what would be your recommendation about certificates management? Should we remove old (expired) certificates from devices, and republish all software updates signed with the new certificate? Or would you recommend to keep both certificates (new and old) on devices, and leave already-published updates as-is?

While both options do work, I was wondering if Patch My PC has insights and best-practice recommendations.

Thanks!

zuerom · November 10, 2023, 04:38:53 AM

Thanks Hugo,

we will do it soon and will come back here with a Feedback.

PS_Alex, I would recommend getting rid of the old Certificate to keep the clients and Systems clean. otherwise, you will never know if you can remove the old certificate.

regards
zuerom

PS_Alex · November 10, 2023, 05:07:25 PM

Makes sense! Thanks for your input!

New WSUS CodeSigning Certificate

zuerom

Hugo Marinho (Patch My PC)

zuerom

Hugo Marinho (Patch My PC)

PS_Alex

zuerom

PS_Alex