
Use Patch Manager with a CA Signed Certificate

Created by Erica Gill, last modified by Randall Harwood on Jun 06, 2017



This article provides steps to use a CA-signed certificate with WSUS so that Patch Manager's WSUS-issued signing certificate is part of the CA hierarchy.


Patch Manager 1.85 or later


  1. Generate the CA-signed certificate for use with WSUS as a pfx file containing the private key. (The CA signing process requires that a CSR be generated.)
  2. Copy the pfx file to the WSUS server.
  3. Log in to the Patch Manager server with a local administrator account that is a member of the WSUS administrators group.
  4. Use the SolarWinds.Utilities.WSUS2012PlusCertManagement.exe utility, located in C:\Program Files\SolarWinds\Patch Manager\Server\ by default, to automatically provision the certificate.


This utility is intended for use on a WSUS server to add or remove a signing certificate.
/operation <createselfsigned | addpfx | deletecertificate | createandaddselfsigned>
/targetwsusname <FQDN or NetBIOS name of the wsus server>
/targetwsusport <portnumber> (NOTE: optional and defaults to 80 for non-SSL and 443 for SSL)
/targetwsususessl <yes | no> (NOTE: optional and defaults to no)
/pfxfile <fully qualified file name> (NOTE: only required when using addpfx. MUST BE USING SSL!)
/pfxfilepassword <password> (NOTE: only required when using addpfx or deletecertificate. MUST BE USING SSL!)


For example:

"C:\Program Files\SolarWinds\Patch Manager\Server\SolarWinds.Utilities.WSUS2012PlusCertManagement.exe" /operation addpfx /pfxfile c:\cert_folder\my_CA_Cert.pfx /pfxfilepassword Passw0rd /targetwsusname . /targetwsusport 8531 /targetwsususessl yes


Note: When adding a pfx file, you must have SSL turned on and use the SSL port for /targetwsusport.



The utility places the signed certificate in the correct certificate stores, so that Patch Manager detects it when the WSUS server is refreshed in the Patch Manager MMC console.


After completing the steps above, it should be possible to deploy packages.



Note: This process requires the use of a pfx file containing the private key.
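
The script below is an added example, not SolarWinds code: it checks that the pfx file opens with the given password, contains a private key and is within its validity period, then runs the addpfx operation from this article with the password read at a prompt instead of written into the command. It assumes Windows PowerShell 5.1 or later; the pfx path and port are the sample values used above, and the variable names are illustrative.

```powershell
# Added example: pre-flight checks for the pfx file, then the addpfx call from this article.
# $PfxPath and $WsusPort are the article's sample values; change them for your server.
$Exe      = 'C:\Program Files\SolarWinds\Patch Manager\Server\SolarWinds.Utilities.WSUS2012PlusCertManagement.exe'
$PfxPath  = 'c:\cert_folder\my_CA_Cert.pfx'
$WsusPort = 8531

if (-not (Test-Path -LiteralPath $Exe))     { throw "Utility not found: $Exe" }
if (-not (Test-Path -LiteralPath $PfxPath)) { throw "PFX file not found: $PfxPath" }

# Prompt for the password so it is not saved in a script file or in shell history.
$SecurePw = Read-Host -Prompt 'PFX password' -AsSecureString

# Opening the file confirms the password and exposes the certificate properties.
try {
    $Cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxPath, $SecurePw)
} catch {
    throw "Could not open PFX (wrong password or damaged file): $($_.Exception.Message)"
}

if (-not $Cert.HasPrivateKey) { throw 'PFX has no private key; this process requires one.' }
if ($Cert.Subject -eq $Cert.Issuer) { Write-Warning 'Subject equals issuer: this looks self-signed, not CA signed.' }
$Now = Get-Date
if ($Now -lt $Cert.NotBefore -or $Now -gt $Cert.NotAfter) {
    throw "Certificate is outside its validity period ($($Cert.NotBefore) to $($Cert.NotAfter))."
}
Write-Host "Subject: $($Cert.Subject)  Thumbprint: $($Cert.Thumbprint)  Expires: $($Cert.NotAfter)"
$Cert.Reset()   # release the key handle opened for the check

# The utility takes the password as an argument, so convert it only for this call.
# It is still visible in the process command line while the utility runs.
$PlainPw = [System.Net.NetworkCredential]::new('', $SecurePw).Password
try {
    # addpfx requires SSL, so /targetwsususessl is fixed to yes and the port is the SSL port.
    & $Exe /operation addpfx /pfxfile $PfxPath /pfxfilepassword $PlainPw `
        /targetwsusname . /targetwsusport $WsusPort /targetwsususessl yes
} finally {
    $PlainPw = $null
}
```

After the certificate is provisioned, delete the copied pfx file from the server or move it to protected storage, since it contains the private key.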



