WSUS Migration: Existing self-signed certificate becomes invalid

Topics: Configuration Issue
Feb 11, 2015 at 9:54 PM
Hello everyone,

after migrating (replication) the existing WSUS-Server (2003 R2) to a new server (2008 R2) WPP reports that there isn't any certificate.
The former certificate was successfully imported to the new WSUS-Server (Trusted Root Certificates, Trusted Publishers and WSUS) and the WSUS service was restarted.

But WPP still asks for a new certificate. After creating a new certificate WPP starts without error but the 3-party-Updates can not be imported/resigned.

So we used both certificates (old and new), imported the 3-party-updates and resigned them. After that we dropped the old certificate.

Are there any other options when migrating WSUS to a new machine?

Best regards
Server 2003 R2 Standard
WSUS 3.2.7600.274
WPP 1.3.1411.9

Server 2008 R2 Standard
WSUS 3.2.7600.251
WPP 1.3.1411.9
Feb 12, 2015 at 4:44 AM
In WSUS-FAQ No. 44 you will find needed Updates for your new WSUS:

WSUS 3.0 (SP2): Build 3.2.7600.226
WSUS 3.0 (SP2) + KB2720211: Build 3.2.7600.251
WSUS 3.0 (SP2) + KB2734608: Build 3.2.7600.256
WSUS 3.0 (SP2) + KB2828185: Build 3.2.7600.262
WSUS 3.0 (SP2) + KB2938066: Build 3.2.7600.274

Update your WSUS first, reboot after the last patch and try it again.
Feb 12, 2015 at 6:31 AM
Edited Feb 16, 2015 at 5:36 PM
Hello WinfriedSonntag,

thanks for Your quick reply!

Unfortunately the migration is done so we can not test Your suggestion. So I hope that someone else found this BEFORE migrating.

Best regards to the WPP-Team
Feb 14, 2015 at 7:42 PM
When you need to import a new certificate, it's not enough to put the certificate in the right cert stores. You have to use the option "Import a certificate" in WPP. If you don't use this option, WSUS will not use the cert.

If you use a self-signed cert, this cert is tied to the server and cannot be used by another server.
Marked as answer by petapico on 2/16/2015 at 10:35 AM
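An added example, not part of the thread and not WPP's own code: a read-only PowerShell check, run on the WSUS server, that lists each certificate in the LocalMachine `WSUS` store and shows whether it carries a private key (required for signing) and whether the same thumbprint is present in the Trusted Root and Trusted Publishers stores named in the question. As the answer above says, a clean result here does not mean WSUS is configured to use the certificate; that still requires the "Import a certificate" option in WPP.

```powershell
# Added example. Read-only: it inspects certificate stores and changes nothing.
# Written to run on PowerShell 2.0 (the version shipped with Server 2008 R2).

# Certificates in the WSUS store are the candidate publishing (signing) certificates.
$signing = @(Get-ChildItem -Path Cert:\LocalMachine\WSUS -ErrorAction SilentlyContinue)

if ($signing.Count -eq 0) {
    Write-Warning 'No certificate found in Cert:\LocalMachine\WSUS.'
    return
}

foreach ($cert in $signing) {
    # Look for the same thumbprint in the two trust stores.
    $present = @{}
    foreach ($name in 'Root', 'TrustedPublisher') {
        $match = Get-ChildItem -Path "Cert:\LocalMachine\$name" |
            Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
        $present[$name] = [bool]$match
    }

    New-Object PSObject -Property @{
        Thumbprint         = $cert.Thumbprint
        Subject            = $cert.Subject
        NotAfter           = $cert.NotAfter
        # Self-signed certificates have identical subject and issuer names.
        SelfSigned         = ($cert.Subject -eq $cert.Issuer)
        # False means only the public part was imported; updates cannot be signed with it.
        HasPrivateKey      = $cert.HasPrivateKey
        InRoot             = $present['Root']
        InTrustedPublisher = $present['TrustedPublisher']
    } | Select-Object Thumbprint, Subject, NotAfter, SelfSigned,
                      HasPrivateKey, InRoot, InTrustedPublisher
}
```

After a migration like the one described, more than one row means both the old and the new certificate are still in the WSUS store.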
Feb 16, 2015 at 5:35 PM
Edited Feb 16, 2015 at 5:36 PM
Hello DCourtel,

thanks for Your reply.

You are right because the certificate is self-signed. Ok, I'll keep that in mind when migrating WSUS again.

Best regards to the WPP-Team