Submit a ticketCall us

Looking to compare latest NPM features with previous versions of NPM?
The NPM new feature summary offers a comparison of new features and improvements offered with this release.


Home > Success Center > Patch Manager > Use Patch Manager with a CA Signed Certificate

Use Patch Manager with a CA Signed Certificate

Table of contents
Created by Erica Gill, last modified by MindTouch on Jun 23, 2016

Views: 45 Votes: 2 Revisions: 9


This article provides steps to use a CA signed certificate with WSUS to allow Patch Manager's WSUS issued signing certificate is part of the CA hierarchy.


Patch Manager 1.85 or later


  1. Generate the CA signed certificate for use with WSUS in a pfx form containing the private key. (The CA signing process requires a csr be generated.)
  2. Copy the pfx file to the WSUS server.
  3. Log in with a local administrator which is a member of the WSUS administrators group to the Patch Manager server.
  4. Use the SolarWinds.Utilities.WSUS2012PlusCertManagement.exe utility, located in C:\Program Files\SolarWinds\Patch Manager\Server\ by default, to automatically provision the certificate.


This utility is intended for use on a WSUS server to add or remove a signing certificate.
/operation <createselfsigned | addpfx | deletecertificate | createandaddselfsigned>
/targetwsusname <FQDN or NetBIOS name of the wsus server>
/targetwsusport <portnumber> (NOTE: optional and defaults to 80 for non-SSL and 443 for SSL)
/targetwsususessl <yes | no> (NOTE: optional and defaults to no)
/pfxfile <fully qualified file name> (NOTE: only required when using addpfx. MUST BE USING SSL!)
/pfxfilepassword <password> (NOTE: only required when using addpfx or deletecertificate. MUST BE USING SSL!)


For example:

"C:\Program Files\SolarWinds\Patch Manager\Server\SolarWinds.Utilities.WSUS2012PlusCertManagement.exe" /operation addpfx /pfxfile c:\cert_folder\my_CA_Cert.pfx /pfxfilepassword Passw0rd /targetwsusname . /targetwsusport 8530 /targetwsususessl yes


*Note When adding a pfx file you must have SSL Turned on and be using the SSL port for Targetwsusport



This utility will place the signed certificate in correct certificate stores for Patch Manager to detect when the WSUS server is refreshed in the Patch Manager mmc console.


After the above it should be possible to deploy packages.



Note: This process requires the use of a pfx file containing the private key.




Last modified
01:21, 23 Jun 2016