
Step 1: Create the WSUS Code Signing Template via Certificate Authority in AD CS

The first step in creating a PKI-based code-signing certificate is to create the certificate template on the Certification Authority. Perform the following actions:

Open the Certification Authority application

Right-click Certificate Templates and click Manage

Manage Certificate Templates AD CS WSUS Code-Signing

Right-click the default Code Signing template and click Duplicate Template

Duplicate Code Signing Template

On the Compatibility tab, ensure the following settings are applied:

Certification Authority = Windows Server 2003
Certificate recipient = Windows XP / Server 2003

Note: We have tested templates successfully in internal labs using higher Certification Authority and Certificate recipient compatibility levels, but Microsoft's guidance in this Microsoft blog is to use Windows Server 2003. We are not aware of any niche cases where a newer compatibility level causes issues, so we recommend staying with the documented values.

On the General tab, give the template a descriptive Template display name and Template name, and optionally adjust the Validity period

PKI Based WSUS Signing Certificate General Tab

On the Request Handling tab, check the box Allow private key to be exportable

Allow the private key to be exported

Note: The private key must be exportable because WSUS imports the signing certificate from a PFX file through the WSUS API, and that PFX must contain the private key.

On the Cryptography tab, ensure the Minimum key size is at least 2048

Minimum key size

On the Subject Name tab, select the Supply in the request radio button. This allows us to use a custom subject name such as "WSUS Code-Signing" rather than the requester's user principal name.

WSUS Certificate Supply subject name in the request

On the Security tab, click Add and grant Read and Enroll permissions to the user or group that will request this certificate. Keep this list short: anyone who can enroll can obtain a certificate that WSUS clients will accept for signing updates.

WSUS Template Security Tab AD CS

Step 2: Issue the Certificate Template

Now that the certificate template is created, we need to issue it for enrollment.

Right-click the Certificate Templates node > New > Certificate Template to Issue

Certificate Template to Issue WSUS Cert

Select the template you created in Step 1 for your WSUS code-signing certificate and click OK

Enable Certificate Templates

Step 3: Request the WSUS Signing Certificate Template

On a domain-joined device, open the Manage user certificates application (certmgr.msc)

Right-click Personal > All Tasks > Request New Certificate…

Request New Certificate...

On the Select Certificate Enrollment Policy page, select Active Directory Enrollment Policy and click Next

On the Request Certificates page, click the More information is required to enroll for this certificate link under the template issued in Step 2.

On the Subject tab, choose Common name as the subject type, enter a descriptive value (for example WSUS Code-Signing) and click Add >

Subject name add Common name

On the General tab, we recommend adding a descriptive Friendly name and Description.

General tab add friendly name and description

Click OK, then tick the template on the Request Certificates page and click Enroll

On the Certificate Installation Results page, confirm the status shows Succeeded and click Finish

Step 4: Export the WSUS Signing Certificate to a PFX File with Password 

Next, export the certificate (right-click it under Personal > Certificates > All Tasks > Export...) so it can be imported into WSUS.

Export the WSUS Signing Certificate

On the Export Private Key page, you must choose Yes, export the private key

Yes, export the private key

Leave the default options on the Export File Format page (Personal Information Exchange - PKCS #12 (.PFX)) and click Next

On the Security page, tick Password, enter a strong password and click Next. This password is the only protection for the private key inside the PFX file, so store the file and password accordingly.

security add PFX password
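Steps 3 and 4 can also be done from PowerShell. The following is an added example and not part of the original post: it enrolls against the AD CS template from Step 1, checks that the issued certificate has a private key, the Code Signing EKU and an RSA key of at least 2048 bits, then exports it to a password-protected PFX. The template name WSUSCodeSigning, the subject CN=WSUS Code-Signing and the output path C:\WSUS\WSUSCodeSigning.pfx are assumptions; replace them with your own values.

```powershell
# Added example (not from the original post): enroll for the WSUS code-signing
# certificate from the AD CS template created in Step 1 and export it to a PFX.
# Assumed values: template name 'WSUSCodeSigning' (the Template name, not the
# display name), subject 'CN=WSUS Code-Signing', output C:\WSUS\WSUSCodeSigning.pfx.
$templateName = 'WSUSCodeSigning'
$subject      = 'CN=WSUS Code-Signing'
$pfxPath      = 'C:\WSUS\WSUSCodeSigning.pfx'

# Read the PFX password interactively so it does not end up in the script or history.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Enroll through the Active Directory Enrollment Policy (Step 3). -SubjectName only
# takes effect because the template is set to "Supply in the request".
$result = Get-Certificate -Template $templateName -SubjectName $subject `
    -CertStoreLocation 'Cert:\CurrentUser\My'
if ($result.Status -ne 'Issued') {
    throw "Enrollment did not complete: status is '$($result.Status)'. Check that the template is issued on the CA and that you have Read + Enroll on it."
}

# Re-read the certificate from the store so the private key association is used.
$cert = Get-Item "Cert:\CurrentUser\My\$($result.Certificate.Thumbprint)"

# Sanity checks before export: private key present, Code Signing EKU, RSA >= 2048.
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key.' }
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
if (-not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.3' })) {
    throw 'Certificate lacks the Code Signing EKU (1.3.6.1.5.5.7.3.3); the wrong template was used.'
}
$keySize = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert).KeySize
if ($keySize -lt 2048) { throw "Key size $keySize is below the 2048-bit minimum." }

# Export with the private key (Step 4). If the template did not have
# "Allow private key to be exportable", this is where it fails, not later at import.
try {
    Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword -ChainOption BuildChain | Out-Null
} catch {
    throw "PFX export failed ($($_.Exception.Message)). Most likely the private key is not exportable; fix the template and re-enroll."
}
Write-Host "Exported $($cert.Subject) ($($cert.Thumbprint)) to $pfxPath"
```

Run this as the user that was granted Read and Enroll on the template in Step 1. The EKU and key-size checks catch the two most common template mistakes (duplicating the wrong template, or leaving a 1024-bit minimum) before the PFX ever reaches WSUS.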

Step 5: Import the PFX to WSUS Using the Patch My PC Publisher

Next, import the PFX file into WSUS using the Patch My PC Publisher.

On the General tab, click Import PFX Certificate

Import PFX into WSUS using Publisher

Enter the certificate password you set during the export step and click OK

certificate password for WSUS on Import

Click OK on the Certificate Imported Successfully dialog

Optionally, click Show Certificate on the General tab to confirm the imported certificate's subject, issuer and expiry date

Show WSUS certificate
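The Publisher performs the import through the WSUS administration API mentioned above. As an added example that is not part of the original post or of the Patch My PC Publisher, the following validates the exported PFX (private key present, Code Signing EKU, chain builds on this host) and then imports it with the (path, password) string overload of IUpdateServer.SetSigningCertificate, which is assumed to be available on your WSUS version. The server name wsus01.contoso.local, port 8531 with SSL, and the PFX path are assumptions.

```powershell
# Added example (not from the original post): validate the PFX from Step 4 and
# import it as the WSUS signing certificate via the WSUS administration API.
# Assumed values: WSUS at wsus01.contoso.local:8531 (SSL), PFX at C:\WSUS\WSUSCodeSigning.pfx.
Import-Module UpdateServices   # installed with the WSUS role / console

$pfxPath  = 'C:\WSUS\WSUSCodeSigning.pfx'
$password = Read-Host -Prompt 'PFX password'   # plain string: SetSigningCertificate takes a string

# Load the PFX in memory (no store import) and check it is what we expect.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxPath, $password)
if (-not $cert.HasPrivateKey) { throw 'PFX does not contain a private key; re-export with "Yes, export the private key".' }
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
if (-not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.3' })) {
    throw 'PFX certificate lacks the Code Signing EKU (1.3.6.1.5.5.7.3.3).'
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($cert.NotAfter); updates signed after that date will not install."
}

# The chain must build on the WSUS server; if it does not build here, it will not
# build on clients either. RevocationMode NoCheck keeps this runnable offline;
# remove that line to also exercise CRL/OCSP reachability.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if (-not $chain.Build($cert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    throw "Certificate chain does not build on this host: $status"
}

# Import into WSUS. This is the API call the Publisher's "Import PFX Certificate" wraps.
$wsus = Get-WsusServer -Name 'wsus01.contoso.local' -PortNumber 8531 -UseSsl
$wsus.SetSigningCertificate($pfxPath, $password)
Write-Host "WSUS signing certificate set to $($cert.Subject) ($($cert.Thumbprint)), issued by $($cert.Issuer)"
```

Run this on the WSUS server as a WSUS administrator. Note that importing the certificate into WSUS does not by itself make clients accept updates signed with it: the certificate must also be present in each client's Trusted Publishers store and chain to a root the client trusts. With a PKI-issued certificate the chain part is normally already covered by the domain's trusted roots, but Trusted Publishers still has to be populated, typically through Group Policy.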

Create PKI-Based WSUS Code-Signing Certificate (Video Guide)

You can also review the video guide for creating a PKI-based certificate below: