Configuring and signing certificates

The following procedure describes how to configure and sign certificates.

About this task

There are two methods for configuring and signing a certificate on client computers:

  • Using Group Policy and the Certificate Import Wizard: Perform the steps described in Adding certificates.
  • Using the certificate utility and software distribution: Perform the steps in the following procedure.

Procedure

  1. To open the Microsoft Management Console (MMC), click Start > Run, enter MMC in the text box, and then click OK.
  2. Click File, and select Add/Remove Snap-in.
    The Add/Remove Snap-in dialog box opens.
  3. Click Add, select Certificates, and then click Add.
    The Certificates Snap-in dialog box opens.
  4. Select Computer account, and then click Next.
    The Select Computer dialog box opens.
  5. Select one of the following server options:
    • Another: Enter the name of the update server or click Browse to locate the update server.
    • Local Computer: Use this option if the update server is on the same computer.
  6. Click Finish to return to the Add Standalone Snap-in dialog box.
  7. Click Close to return to the Add/Remove Snap-in dialog box.
  8. Click OK.
  9. On the MMC console, expand Certificates (update server name), expand WSUS, and then select Certificates.
  10. In the results pane, right-click the certificate, select All Tasks, and then select Export.
    To create an export certificate file with the name and location specified in the Certificate Export Wizard, use the default settings.
  11. Select one of the following methods to add the certificate used to sign the updates catalog for each client computer that will use Windows Update Agent to scan for the updates in the catalog:
    • For self-signed certificates: Add the certificate to the Trusted Root Certification Authorities and Trusted Publishers certificate folders.
    • For certification authority (CA) issued certificates: Add the certificate to the Trusted Publishers certificate folder.
    Note
    Windows Update Agent verifies whether the Group Policy setting is enabled on the local computer. The Group Policy setting must be enabled for the Windows Update Agent to scan for the updates that were created and published with Updates Publisher. For more information, see the Microsoft Windows Update Agent webpage.
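
Step 11 scripted for delivery through software distribution, as an added example that is not part of the original documentation. The `CerPath` parameter is a placeholder for the file exported in step 10, and treating subject equal to issuer as "self-signed" is a simplification. The registry value checked at the end is the one Windows sets for the "Allow signed updates from an intranet Microsoft update service location" policy, assumed here to be the Group Policy setting the note refers to.

```powershell
#Requires -RunAsAdministrator
# Added example: install the exported update-signing certificate on a client computer.
param(
    # Placeholder: path to the .cer file created by the Certificate Export Wizard.
    [Parameter(Mandatory)] [string] $CerPath
)
$ErrorActionPreference = 'Stop'

$path = (Resolve-Path $CerPath).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $path

# Clients only need the public certificate. Refuse a file that carries the signing key.
if ($cert.HasPrivateKey) {
    throw "File contains a private key. Export the certificate without it before distributing."
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate expired on $($cert.NotAfter)."
}

# Show what is about to be trusted so it can be compared with the update server's copy.
"Subject   : $($cert.Subject)"
"Thumbprint: $($cert.Thumbprint)"
"Expires   : $($cert.NotAfter)"

# CA-issued: Trusted Publishers only. Self-signed: Trusted Root as well.
$stores = @('Cert:\LocalMachine\TrustedPublisher')
if ($cert.Subject -eq $cert.Issuer) {
    $stores += 'Cert:\LocalMachine\Root'
}

foreach ($store in $stores) {
    Import-Certificate -FilePath $path -CertStoreLocation $store | Out-Null
    if (-not (Test-Path (Join-Path $store $cert.Thumbprint))) {
        throw "Certificate was not found in $store after import."
    }
    "Installed in $store"
}

# Read-only check of the policy that lets Windows Update Agent accept locally published updates.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wu  = Get-ItemProperty -Path $key -Name AcceptTrustedPublisherCerts -ErrorAction SilentlyContinue
if ($wu.AcceptTrustedPublisherCerts -ne 1) {
    Write-Warning "The signed-updates Group Policy setting is not enabled on this computer."
}
```

Adding a self-signed certificate to Trusted Root Certification Authorities makes the client trust it for every purpose, so compare the printed thumbprint with the one shown on the update server before deploying the package.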