Push a publishing certificate to downstream WSUS servers


This article describes how to push a publishing certificate to your downstream WSUS servers.

The Patch Manager console includes a Server Publishing Setup Wizard to provision publishing servers with certificates for local publishing. Connectivity or security requirements can make this wizard impractical or even impossible to use. If this situation occurs, perform the following steps:

  1. Export the WSUS publishing certificate from the upstream WSUS server.
  2. Import the certificate to the Trusted Root Certification Authorities and Trusted Publishers stores on the domain controller.


All Patch Manager versions


  1. Export the WSUS certificate from the upstream server. If no certificate is found on the WSUS server, or if the certificate is expired, follow these steps to create the WSUS certificate. If the Server Publishing Wizard fails to create the certificate, follow these alternate steps to create the WSUS certificate manually. If the WSUS server uses a trusted CA for the WSUS certificate, follow these steps to create the certificate using the trusted CA.
  2. Import the certificate to the appropriate stores in the downstream publishing server(s). 

Export the WSUS certificate from the upstream server

To provision downstream publishing servers with a WSUS certificate, export the certificate from the upstream WSUS server.

  1. Log in to Patch Manager as an administrator. 
  2. In the navigation pane, expand Enterprise and select Update Services.
  3. In the center pane, select the WSUS server that contains the certificate you want to export.
  4. In the Actions pane, click Software Publishing Certificate.
    If the Publishing Certificate Information dialog box does not display the certificate details:
    1. Click Close.
    2. Click Refresh Update Server in the Actions pane.
    3. Re-open the Software Publishing Certificate dialog.
  5. Click ....
  6. Click the Details tab.
  7. Click Copy to File, and then click Next.
  8. Leave DER encoded binary X.509 (.CER) selected, and click Next.
  9. Specify a name and location in the File name field, and click Next.
  10. Click Finish.
  11. Click OK.

Import the WSUS certificate to the certificate stores

After you export the certificate to a file, import the file to the Trusted Root Certification Authorities and Trusted Publishers stores. 

  1. Open Group Policy Management on a Windows Server domain controller.
  2. Create a new Group Policy Object for the certificate at the domain level.
    1. Select the targeted domain.
    2. Click Action > Create a GPO in this domain, and Link it here.
    3. Enter a name for the GPO.
      For example, enter Publishing Server Configuration Policy.
    4. Click OK.
  3. Select the new object, and then click Action > Edit.
  4. Expand Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.
  5. Import the WSUS publishing certificate to the Trusted Root Certification Authorities and Trusted Publishers stores.
    1. Under Public Key Policies, select Trusted Root Certification Authorities.
    2. Click Action > Import.
    3. Click Next.
    4. Click Browse, and then browse to the certificate you saved in the previous procedure.
    5. Click Next.
    6. Click Next again.
    7. Click Finish.
    8. On the success dialog, click OK.
    9. Repeat these steps for the Trusted Publishers certificate store.
  6. If you plan to install 3rd-party updates on the server, perform the following steps. Otherwise, go to step 7.
    1. Expand Computer Configuration > Administrative Templates > Windows Components, and then select Windows Update.
    2. In the center pane, select Allow signed updates from an intranet Microsoft update service location.
    3. Click Action > Edit.
    4. Select Enabled.
    5. Click OK.
  7. Manually enforce the Group Policy Object.


This can also be done through the registry in environments where a GPO is not in use. The policy must be accepted under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\: the AcceptTrustedPublisher REG_DWORD value should be set to 0x00000001 (1). The certificates should appear under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\ and HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates\.
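
Because this procedure adds a certificate to Trusted Root Certification Authorities, it is worth confirming on a downstream server that the certificate that arrived is the one exported from the upstream server and that it has not expired. The following PowerShell check is an added example, not SolarWinds code. The file path is a hypothetical placeholder, and the script assumes that policy-delivered certificates are stored as registry subkeys named by thumbprint.

```powershell
# Added example: run elevated on a downstream publishing server after policy refresh.
param(
    # Hypothetical path to the .CER file saved in the export procedure.
    [string]$CerPath = 'C:\Temp\wsus-publishing.cer'
)

$file = (Resolve-Path -Path $CerPath).ProviderPath
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file
$now  = Get-Date

$results = [ordered]@{
    Subject    = $cert.Subject
    Thumbprint = $cert.Thumbprint   # compare with the value shown on the upstream server
    NotAfter   = $cert.NotAfter
    Expired    = ($now -gt $cert.NotAfter) -or ($now -lt $cert.NotBefore)
}

foreach ($store in 'Root', 'TrustedPublisher') {
    # Logical store view: is the exact exported certificate trusted here?
    $hit = Get-ChildItem -Path "Cert:\LocalMachine\$store" |
        Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    $results["In_$store"] = [bool]$hit

    # Registry path from the article; subkey-per-thumbprint layout is an assumption.
    $polKey = "HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\$store\Certificates\$($cert.Thumbprint)"
    $results["ViaPolicy_$store"] = Test-Path -Path $polKey
}

# Match the policy value by the name prefix the article gives, then read its data.
$wuKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$accept = $null
if (Test-Path -Path $wuKey) {
    $accept = (Get-ItemProperty -Path $wuKey).PSObject.Properties |
        Where-Object { $_.Name -like 'AcceptTrustedPublisher*' } |
        Select-Object -First 1
}
$results['AcceptPolicy'] = if ($accept) { "$($accept.Name)=$($accept.Value)" } else { 'not set' }

$ok = (-not $results.Expired) -and $results.In_Root -and
      $results.In_TrustedPublisher -and $accept -and ($accept.Value -eq 1)
$results['ReadyForLocalPublishing'] = [bool]$ok

[pscustomobject]$results
```

A mismatch between the reported thumbprint and the one shown in the Publishing Certificate Information dialog on the upstream server means the wrong file was imported and the GPO should be corrected before any update is approved.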


Disclaimer: Please note, any content posted herein is provided as a suggestion or recommendation to you for your internal use. This is not part of the SolarWinds software or documentation that you purchased from SolarWinds, and the information set forth herein may come from third parties. Your organization should internally review and assess to what extent, if any, such custom scripts or recommendations will be incorporated into your environment.  You elect to use third party content at your own risk, and you will be solely responsible for the incorporation of the same, if any.
