Renewal of Expiring WSUS Certificate

Scott B 46 Reputation points
2025-01-10T18:45:20.47+00:00

Hello. Hoping you can help as I have run into an issue with renewing my SSL cert for WSUS. I renewed the SSL cert from WSUS by requesting a renewal from my local domain controller, which is the certificate authority. That all went great and I now see a new date on that certificate. My worry is that I cannot export it as a PFX to import into group policy as it's only allowing me to export to CER format. When I go into the properties for the renewed cert, it does show that the private key is on the machine, but still, it will not allow me to export to PFX. Was I supposed to renew it from the certificate authority instead of the WSUS machine directly in IIS? Essentially I am looking for the best-practice steps for renewing a working, in-place WSUS cert that is trusted and deployed on the domain.

Thanks for your time and any help you can provide.


Accepted answer
    Hebert Seven 301 Reputation points
    2025-01-11T16:49:33.5566667+00:00

    Hi Scott! I hope you are doing well.

    From your description, the private key associated with the renewed certificate is not marked as exportable, preventing you from creating a PFX file (which includes both the certificate and the private key). This often happens when the certificate is renewed directly on the server using the private key but without selecting the option to make it exportable.

    Additionally, the way the certificate is renewed (directly in IIS or via the Certification Authority - CA) can influence how the private key is handled.

    Best Practices for Renewing WSUS Certificates:

    1. Renew Through the Certification Authority (CA): The best practice for renewing the WSUS certificate is to start the process directly with the Certification Authority (CA). This gives you better control over certificate properties, such as private key exportability. Steps:
      • On the CA server, request a new certificate or renew the existing one.
      • Ensure you select the option to allow private key exportability when configuring the certificate template or request.
      • Once issued, export the certificate as a PFX (with the private key) for the WSUS server.
    2. Validation and Configuration on WSUS:
      • Import the renewed certificate into WSUS (either in IIS or directly in the WSUS console).
      • Configure WSUS to use the new certificate for SSL communication.
    3. Deployment via Group Policy (GPO):
      • Export the certificate as a PFX (if the private key is exportable).
      • Import the PFX into the Trusted Certification Authorities and Trusted Computers stores in your GPO.
      • Ensure the new certificate is properly distributed to all domain-joined machines.

    How to Resolve the Current Issue:

    Since the renewed certificate is tied to a private key but cannot be exported as a PFX, you have a few options:

    Option 1: Renew Properly Through the CA

    1. Request the certificate renewal directly from the CA, ensuring the private key exportability option is selected.
    2. Remove the incorrectly renewed certificate and import the new one into WSUS.

    Option 2: Work with the Existing Certificate

    • Although the private key is currently not exportable, check if there is any policy or configuration that restricted this option during the renewal process.
    • Use the certutil tool to inspect and potentially adjust certificate properties (although forcing private key export is generally not recommended).

    Option 3: Recreate a New WSUS Certificate

    • If the above steps are not feasible, consider creating a new certificate from scratch in the CA, ensuring the private key is exportable, and reconfiguring WSUS with it.
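An added example, not code from the thread, for the PFX-export step the accepted answer describes: it checks on the WSUS server whether the renewed certificate's private key was enrolled as exportable (the condition behind the greyed-out PFX option in the question) before calling Export-PfxCertificate. The subject filter and output path are placeholders.

```powershell
# Added example (not from the thread). Assumptions: the WSUS SSL certificate is
# in LocalMachine\My and its subject contains the server name in $subjectFilter.
$subjectFilter = 'CN=wsus.example.local'    # placeholder: your WSUS server FQDN
$pfxPath       = 'C:\Temp\wsus-renewed.pfx'  # placeholder: where to write the PFX

function Test-PrivateKeyExportable {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    # Resolve the RSA private key whether it lives in a CNG key storage provider or a legacy CSP.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
    if (-not $rsa) { return $false }   # no RSA key (e.g. an ECDSA certificate) or key not readable

    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        # CNG: a PFX needs the key material in plaintext, so AllowExport alone is not sufficient.
        return $rsa.Key.ExportPolicy.HasFlag([System.Security.Cryptography.CngExportPolicies]::AllowPlaintextExport)
    }
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        # CAPI/CSP: the container info carries the "exportable" flag chosen at enrollment time.
        return $rsa.CspKeyContainerInfo.Exportable
    }
    return $false
}

# Pick the newest certificate with a private key whose subject matches the WSUS server.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$subjectFilter*" -and $_.HasPrivateKey } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) { throw "No certificate with a private key matched '$subjectFilter'." }

"Thumbprint : $($cert.Thumbprint)"
"Expires    : $($cert.NotAfter)"

if (Test-PrivateKeyExportable -Certificate $cert) {
    $pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
    Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null
    "Exported $($cert.Thumbprint) with its private key to $pfxPath"
} else {
    # This is the situation in the question: the key is present but was enrolled non-exportable,
    # so the fix is a new request from the CA with private-key export allowed, not a forced export.
    Write-Warning "Private key for $($cert.Thumbprint) is not exportable; re-enroll from the CA with 'Allow private key to be exported' selected."
}
```

Run it in an elevated PowerShell session on the WSUS server; a result of "not exportable" confirms the answer's Option 1 (re-enroll through the CA) rather than any attempt to force the key out of the store.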
