This project has moved and is read-only. For the latest updates, please go here.

[Solved] Loading Certificate into WSUS under Windows 2012 R2

Topics: Configuration Issue
Nov 5, 2013 at 4:54 PM
I am not sure what the problem is, but the WSUS Package Publisher will not allow me to load my openssl generated certificate in the certificate store. It keeps telling me "Failed to load the certificate. Check the file.) This certificate has been used in previous WSUS installations, so I am not sure why I can't load it.

I have tried loading the necessary certificates under "Trusted Root Certificate Authority", "Trusted Publishers" and "WSUS". However, when I start WSUS it says "You don't have any certifcat. You will not be able to publish updates."

What am I doing wrong here? (I can email the certificates that I have been using if you want.)
Nov 5, 2013 at 7:21 PM
FYI - Here are the openSSL commands I used a while back to generate this certificate:

<-- Cert Authority -->
openssl genrsa -out ca.key 2048
openssl req -new -key ca.key -out ca.csr
openssl x509 -req -days 3650 -in ca.csr -signkey ca.key -out ca.crt

<--Publishing Cert -->
openssl genrsa -out client.key 2048
openssl req -new -key client.key -out client.csr
openssl x509 -req -days 3650 -CA ca.crt -CAkey ca.key -CAcreateserial -in client.csr -out client.crt

openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
Nov 5, 2013 at 10:14 PM
Can you :
  • Start WPP
  • try to load the certificate.
  • Once the error message is displayed, go to Help -> 'Send debug info'
  • Click on the link 'Show informations'
  • Send me the text file to package@publisher@free.fr
Thanks.
Nov 5, 2013 at 10:54 PM
The requested information has been sent.
Nov 6, 2013 at 7:44 PM
Thanks.
Just few questions :
  • You are running WPP locally on the Wsus server ?
  • Wsus is installed on Windows Server 2012 (not R2) ?
Nov 6, 2013 at 8:57 PM
  • WPP is running locally on the WSUS server, connected as a "local" server.
  • WSUS is running on Windows Server 2012 R2. (OS Ver. 6.3.9600)
Nov 7, 2013 at 7:55 PM
I have sent you by mail a new version of WPP. In Tools -> settings -> Server Tab, check the option "Ignore Certificate Validation Errors". Restart WPP and load again the Certificate.

Let me know if that works or not.
Marked as answer by DCourtel on 5/8/2014 at 2:32 AM
Nov 8, 2013 at 3:51 PM
Edited Nov 8, 2013 at 3:54 PM
Unfortunately, I did not receive an email from you with any attachments. I checked my spam filter, and I did see anything either.

Can you send it? or can I get it from you using an alternate method?
Nov 8, 2013 at 5:58 PM
I have sent it the 6 Nov. @ 21h15 (France)
I have sent it again.
Nov 8, 2013 at 6:41 PM
This new version works! Thanks for working so hard on it.
Nov 16, 2013 at 12:26 PM
Edited Nov 16, 2013 at 12:27 PM
I have the same problem as DDSkier.
Can we get this version also?

The debug info is on the way to you (email).
Nov 16, 2013 at 4:41 PM
I installed the new version. But i can't load a certificate from our CA. The button in WPP isn't active.
I used Windows Server 2012R2, 64Bit.
Nov 16, 2013 at 4:49 PM
The button is gray out until you enter the password of the cert file.
Nov 16, 2013 at 5:01 PM
Hmpf... Thank you! That i dont' tested.
Now it work's. :-)
Apr 27, 2014 at 7:10 PM
Edited Apr 27, 2014 at 10:25 PM
I have also get the same message "Failed to load the certificate. Check the file." when problem importing a selfsigned OpenSSL generated Cert from an internal RootCa. OS is Windows Server 2012 R2 with the WSUS role installed together with WPP. I was checking all cert connected and it looks ok. The screenshot shows WPPs own created cert and the other one that cant be loaded.

Image
Apr 27, 2014 at 9:53 PM
Please, go to 'Tools' -> 'Settings' and check the checkbox 'Ignore Code-Signing Certificate validation errors' on the 'Servers' Tab.
Apr 27, 2014 at 10:51 PM
Edited Apr 27, 2014 at 11:15 PM
The setting did not stick for the first time and the cert load worked after the 3rd try, then all was fine. Is there a way to check what cert WPP/WSUS are using at the moment? I found one in the \wsus tree in the cert mmc. Thanks for your help.