
Push a publishing certificate to downstream WSUS servers


This article describes how to push a publishing certificate to your downstream WSUS servers.

The Patch Manager console includes a Server Publishing Setup Wizard to provision publishing servers with certificates for local publishing. Connectivity or security requirements can make this wizard impractical or even impossible to use. If this situation occurs, perform the following steps:

  1. Export the WSUS publishing certificate from the upstream WSUS server.
  2. Import the certificate to the Trusted Root Certification Authorities and Trusted Publishers stores on the domain controller.


All Patch Manager versions


  1. Export the WSUS certificate from the upstream server. 
  2. Import the certificate to the appropriate stores in the downstream publishing server(s). 

Export the WSUS certificate from the upstream server

To provision downstream publishing servers with a WSUS certificate, export the certificate from the upstream WSUS server.

  1. Log in to Patch Manager as an administrator. 
  2. In the navigation pane, expand Enterprise and select Update Services.
  3. In the center pane, select the WSUS server that contains the certificate you want to export.
  4. In the Actions pane, click Software Publishing Certificate.
    If the Publishing Certificate Information dialog box does not display the certificate details:
    1. Click Close.
    2. Click Refresh Update Server in the Actions pane.
    3. Re-open the Software Publishing Certificate dialog.
  5. Click ....
  6. Click the Details tab.
  7. Click Copy to File, and then click Next.
  8. Leave DER encoded binary X.509 (.CER) selected, and click Next.
  9. Specify a name and location in the File name field, and click Next.
  10. Click Finish.
  11. Click OK.

Import the WSUS certificate to the certificate stores

After you export the certificate to a file, import the file to the Trusted Root Certification Authorities and Trusted Publishers stores. 

  1. Open Group Policy Management on a Windows Server domain controller.
  2. Create a new Group Policy Object for the certificate at the domain level.
    1. Select the targeted domain.
    2. Click Action > Create a GPO in this domain, and Link it here.
    3. Enter a name for the GPO.
      For example, enter Publishing Server Configuration Policy.
    4. Click OK.
  3. Select the new object, and then click Action > Edit.
  4. Expand Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.
  5. Import the WSUS publishing certificate to the Trusted Root Certification Authorities and Trusted Publishers stores.
    1. Under Public Key Policies, select Trusted Root Certification Authorities.
    2. Click Action > Import.
    3. Click Next.
    4. Click Browse, and then browse to the certificate you saved in the previous procedure.
    5. Click Next.
    6. Click Next again.
    7. Click Finish.
    8. On the success dialog, click OK.
    9. Repeat these steps for the Trusted Publishers certificate store.
  6. If you plan to install 3rd-party updates on the server, perform the following steps. Otherwise, go to step 7.
    1. Expand Computer Configuration > Administrative Templates > Windows Components, and then select Windows Update.
    2. In the center pane, select Allow signed updates from an intranet Microsoft update service location.
    3. Click Action > Edit.
    4. Select Enabled.
    5. Click OK.
  7. Manually enforce the Group Policy Object.
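
To confirm the result on a downstream publishing server once the policy has applied, the following PowerShell check (an added example, not part of the SolarWinds article or product) compares the exported .CER file against both certificate stores and reads the policy value behind the Windows Update setting from step 6. The file path and the function name `Test-WsusPublishingTrust` are assumptions made for illustration.

```powershell
# Added example: verify a downstream server after the GPO has applied.
# Run "gpupdate /force" on the server first so the computer policy is current.
param(
    # Hypothetical location of the file exported in the first procedure.
    [string]$CerPath = 'C:\Temp\WSUSPublishing.cer'
)

function Test-WsusPublishingTrust {
    param([Parameter(Mandatory)][string]$Path)

    # Load the DER file; a .CER export carries the public certificate only.
    $file = (Resolve-Path $Path).Path
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($file)

    $result = [ordered]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        Expired       = $cert.NotAfter -lt (Get-Date)
        HasPrivateKey = $cert.HasPrivateKey   # expected: False for a .CER file
    }

    # Both stores named in the import procedure must hold the same thumbprint.
    foreach ($store in 'Root', 'TrustedPublisher') {
        $result["In$store"] = Test-Path "Cert:\LocalMachine\$store\$($cert.Thumbprint)"
    }

    # Registry value written by the policy "Allow signed updates from an
    # intranet Microsoft update service location" (needed only for step 6).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $val = Get-ItemProperty -Path $key -Name AcceptTrustedPublisherCerts -ErrorAction SilentlyContinue
    $result['IntranetSignedUpdatesEnabled'] =
        ($null -ne $val -and $val.AcceptTrustedPublisherCerts -eq 1)

    [pscustomobject]$result
}

$status = Test-WsusPublishingTrust -Path $CerPath
$status | Format-List

if (-not ($status.InRoot -and $status.InTrustedPublisher)) {
    Write-Warning 'Publishing certificate is missing from Root or TrustedPublisher.'
}
if ($status.Expired) {
    Write-Warning 'Publishing certificate has expired; export a current one.'
}
```

Compare the reported thumbprint with the one shown in the Publishing Certificate Information dialog on the upstream server before relying on the result, since anything signed with that certificate's key becomes trusted on every computer the GPO reaches.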



Last modified
12:35, 13 Oct 2017