WSUS no longer issues self-signed certificates

We've had some questions recently about why WSUS in Windows Server 2012 R2 no longer supports generating self-signed certificates for signing update packages. We disabled this feature because it was causing a significant management burden for those using the feature, and it duplicated functionality that already exists in Windows Server Certificate Services (and other products).

  • Distribution. After WSUS generates a certificate suitable for self-signing of packages, significant effort was required to export and install this self-signed certificate into all of the clients that needed to verify packages signed by it.
  • Expiration. When the self-signed certificate expires, WSUS offered no functionality to notify you that the signatures were no longer valid. This resulted in failed updates, and other hard to diagnose failures.
  • Certificate Updates/Revocation. If you wanted to update or revoke a certificate (i.e. after discovering that it expired), WSUS offered no functionality to enable this. Accomplishing this turned into a manual task that was very hard to either do by hand or automate successfully.

If you still want to distribute signed updates, you have several options:

  • Install Windows Server Certificate Services. This is an in-box feature of Windows Server 2003 and beyond, and is designed to address exactly these issues.
  • Create and Install your own certificate. Many tools exist to generate a self-signed certificate. After generating one, you can install it in your WSUS server and distribute it as you did before, using the SetSigningCertificate API. You’ll still need to take care of distribution and revocation yourself, but WSUS will monitor your custom certificate and let you know when it’s nearing expiration.

WSUS will still be able to sign packages using any registered signing certificates. If you already are using a self-signed certificate that WSUS generated, you can continue to use that certificate for as long as it meets your needs.

Please continue to read the "What's new in R2" blog series for more updates and discussions of new features in Windows Server 2012 R2!

The WSUS Team

Update: Workaround Details

While WSUS will not generate self-signed certificates by default, it is possible to restore the legacy behavior by setting the following registry key: 

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Update Services\Server\Setup\
  • Create DWORD value: EnableSelfSignedCertificates = 1

Please note that the CreateSelfSignedCertificate API is still considered deprecated and may be removed in a future version of Windows.