Submit a ticketCall us

WebinarUpcoming Webinar: Know What’s Changed – with NEW Server Configuration Monitor

Change management in IT is critical. But, even with a good change management process, changes are too often not correctly tracked, if at all. The configuration of your servers and applications is a key factor in their performance, availability, and security. Many incidents can be tracked back to an authorized (and sometimes unauthorized) configuration change, whether to a system file, configuration file, or Windows® Registry entry. Join SolarWinds VP of product management Brandon Shopp to discover how the new SolarWinds® Server Configuration Monitor is designed to help you.

Register now.

Home > Success Center > Patch Manager > Patch Manager - Knowledgebase Articles > Use Patch Manager with a CA-signed certificate

Use Patch Manager with a CA-signed certificate

Table of contents


This article describes how to use Patch Manager with a Certificate Authority (CA) signed certificate.


Patch Manager 1.85 or later


  1. Get a Web server SSL cert for WSUS, install and configure on IIS. You can go for external CA vendor or use local Enterprise CA.
  2. Request for a Code Signing cert from an external CA authority (such as Verisign) or use your local Enterprise CA and save the certificate in PKCS#12 (PFX) format containing the private key. This process requires a Code Signing Certificate Signing Request (CSR) to be submitted to the appropriate CA's.
    More info on how to create a Code Signing Certificate Signing Request (CSR) Generation Instructions via MMC certificate snap-in using Microsoft Windows . (© 2017 Symantec Corporation, available at, obtained on December 28, 2017).
  3. Copy the PFX file to the WSUS server or another server used to sign the package.

    See Importing an SPC into a Certificate Store for details. (© 2017 Microsoft Corporation, available at, obtained on December 28, 2017).

  4. Log in to the Patch Manager server with an account that is part of the WSUS Administrators group.
  5. Navigate to:

    C:\Program Files\SolarWinds\Patch Manager\Server

  6. In the command line, execute:

    SolarWinds.Utilities.WSUS2012PlusCertManagement.exe /operation addpfx /pfxfile c:\cert_folder\my_CA_Cert.pfx /pfxfilepassword Passw0rd /targetwsusname . /targetwsusport 8531 /targetwsususessl yes

    The signed certificate is placed in the correct certificate stores for Patch Manager to detect when the WSUS server is refreshed in the Patch Manager mmc console.


This utility is available from PM server and is intended to add or remove a signing certificate(s) on WSUS servers. This utility will place the signed certificate in correct certificate stores(Trusted Root and Trusted Publisher) for Patch Manager to detect when the WSUS server is refreshed in the Patch Manager mmc console. 


Disclaimer: Please note, any content posted herein is provided as a suggestion or recommendation to you for your internal use. This is not part of the SolarWinds software or documentation that you purchased from SolarWinds, and the information set forth herein may come from third parties. Your organization should internally review and assess to what extent, if any, such custom scripts or recommendations will be incorporated into your environment.  You elect to use third party content at your own risk, and you will be solely responsible for the incorporation of the same, if any.



Last modified