
Regenerate all Patch Manager publishing certificates after applying a WSUS update


Updated March 11th, 2016


The recent Microsoft patch for WSUS (An update for Windows Server Update Services 3.0 Service Pack 2 is available, KB2734608) (© 2017 Microsoft, available at, obtained on May 11, 2017.) updated WSUS to generate 2048-bit publishing certificates instead of the previously non-secure 512-bit certificates. Microsoft released this patch to prepare WSUS for a forthcoming Microsoft update that will block all RSA-based certificates that have a key length of 1024 bits or less.


To ensure the most seamless transition possible in your publishing environment, SolarWinds recommends you regenerate all of your WSUS publishing certificates after you apply KB2734608. Due to the relationship these certificates have with your previously-published packages and all of your client systems, the general procedure for this process is:

  1. Generate the new publishing certificate(s).
  2. Re-provision all systems with the new certificate. This includes both Patch Manager and WSUS servers/consoles, along with all managed clients.


Note: For additional details about these procedures, see "Configuring Publishing Servers" in the Patch Manager Administrator Guide. However, it is important that you do not simply distribute the existing WSUS signing certificate to your publishing servers. Rather, generate a new publishing certificate as described in the following procedure.


To generate new publishing certificates in your Patch Manager publishing environment:

  1. In the left pane of the Patch Manager console, expand Administration and Reporting, and then select Software Publishing.
  2. In the Actions pane (right), click Server Publishing Setup Wizard.
  3. In the WSUS Server menu, select the WSUS server.
  4. Select Create self-signed certificate, and then click Next.
  5. If the wizard returns a Confirm dialog, click Yes to continue. This dialog states that you will have to re-publish any existing packages and re-provision your client systems after generating a new certificate on a WSUS server that already has one provisioned. Step 2 in the general procedure at the top of this article addresses this issue.
  6. Select the Patch Manager servers, publishing servers, and downstream servers to which you want to distribute the publishing certificate, and then click Next.
  7. Review the summary screen for any errors, and then click Finish.
  8. On the dialog that instructs you to configure your managed clients, click OK. Step 2 in the general procedure at the top of this article addresses this step.
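
To confirm the outcome of both steps in the general procedure, the following PowerShell check reads the local certificate stores and reports key lengths and provisioning state. It is an added example, not part of the SolarWinds article or product; it assumes the usual Windows store locations (`WSUS`, `TrustedPublisher` and `Root` under `LocalMachine`) and the default `WSUS Publishers Self-signed` subject, and `-ExpectedThumbprint` is the script's own parameter.

```powershell
# Added example, not SolarWinds or Microsoft code. Run elevated on the system to audit.
param(
    # Thumbprint of the new publishing certificate. Needed on clients, which have no
    # WSUS store; on the WSUS server it is read from the store when omitted.
    [string]$ExpectedThumbprint
)
$MinBits     = 2048                          # key length WSUS generates after KB2734608
$WsusSubject = 'WSUS Publishers Self-signed' # assumed default subject of the WSUS certificate

function Get-RsaKeyBits([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Cert)
    if ($rsa) { $rsa.KeySize } else { 0 }    # 0 means the public key is not RSA
}
function Get-StoreCert([string]$Store) {
    $path = "Cert:\LocalMachine\$Store"
    if (Test-Path $path) { @(Get-ChildItem $path) } else { @() }
}
function New-Finding($Store, $Thumbprint, $KeyBits, $Result) {
    [pscustomobject]@{ Store = $Store; Thumbprint = $Thumbprint; KeyBits = $KeyBits; Result = $Result }
}

# Step 1 of the general procedure: the WSUS store should hold a 2048-bit certificate.
foreach ($c in (Get-StoreCert 'WSUS')) {
    if (-not $ExpectedThumbprint) { $ExpectedThumbprint = $c.Thumbprint }
    $bits   = Get-RsaKeyBits $c
    $result = if ($bits -ge $MinBits) { 'OK' } else { 'REGENERATE' }
    New-Finding 'WSUS' $c.Thumbprint $bits $result
}

# Step 2: a provisioned system trusts the new certificate in both stores. Any WSUS
# publishing certificate still present with a shorter key is listed as well.
foreach ($store in 'TrustedPublisher', 'Root') {
    $certs = Get-StoreCert $store
    if ($ExpectedThumbprint -and -not ($certs | Where-Object Thumbprint -eq $ExpectedThumbprint)) {
        New-Finding $store $ExpectedThumbprint $null 'RE-PROVISION (new certificate missing)'
    }
    $certs | Where-Object { $_.Subject -like "*$WsusSubject*" } | ForEach-Object {
        $bits   = Get-RsaKeyBits $_
        $result = if ($bits -lt $MinBits) { 'SHORT-KEY CERTIFICATE PRESENT' } else { 'OK' }
        New-Finding $store $_.Thumbprint $bits $result
    }
}
if (-not $ExpectedThumbprint) {
    Write-Warning 'No WSUS store on this system; pass -ExpectedThumbprint to check provisioning.'
}
```

Run it once on the WSUS server to obtain the new thumbprint, then pass that value with `-ExpectedThumbprint` when running it on Patch Manager servers, consoles and managed clients.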