I ran into an issue earlier this week while configuring System Center Updates Publisher 2011 to integrate with SCCM 2012 R2 on Windows Server 2012 R2.
I wasn’t aware of this change, but self-signed certificate generation in WSUS is no longer supported by default in Windows Server 2012. This is a big problem if you’re planning on using SCUP 2011 on Server 2012 R2 without a PKI: a WSUS-generated, self-signed certificate is required during configuration in that case.
If you try to create a self-signed certificate in SCUP 2011 on Server 2012 R2, the issuer and expiration date will be blank, where it should generate a CN and timestamp.
Fortunately, there’s a simple workaround. WSUS certificate generation can be enabled on Server 2012 R2, even though it is a legacy feature that isn’t turned on by default. To enable it, open your WSUS server’s registry and go to HKEY_LOCAL_MACHINE\Software\Microsoft\Update Services\Server\Setup. Create a value named EnableSelfSignedCertificates and set it to 1. Restart the WSUS service (or the server). A more detailed explanation is available on this WSUS Team blog article. In short, self-signed certificate generation in WSUS is now a legacy setting that isn’t enabled by default.
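The same registry change as a script, for an elevated PowerShell session on the WSUS server. This is an added example, not part of the original post; it assumes the value is a DWORD and that the WSUS service uses its default name, WsusService.

```powershell
# Added example: enable legacy WSUS self-signed certificate generation.
# Run elevated on the WSUS server.
$ErrorActionPreference = 'Stop'

$setupKey  = 'HKLM:\Software\Microsoft\Update Services\Server\Setup'
$valueName = 'EnableSelfSignedCertificates'
$service   = 'WsusService'   # assumption: default WSUS service name

# Refuse to create the key from scratch: if it is missing, this is not a WSUS server.
if (-not (Test-Path -Path $setupKey)) {
    throw "WSUS setup key not found at $setupKey. Is the WSUS role installed?"
}

# Read the current state so the script is safe to re-run.
$current = (Get-ItemProperty -Path $setupKey -Name $valueName `
            -ErrorAction SilentlyContinue).$valueName

if ($current -eq 1) {
    Write-Output "$valueName is already 1; no change made."
}
else {
    $before = if ($null -eq $current) { 'not present' } else { $current }

    # Assumption: the value type is DWORD.
    New-ItemProperty -Path $setupKey -Name $valueName `
        -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Output "$valueName set to 1 (previously: $before)."

    # The setting is only picked up after the WSUS service restarts.
    Restart-Service -Name $service
}

# Report the final state for the change record.
[pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    RegistryValue = (Get-ItemProperty -Path $setupKey -Name $valueName).$valueName
    ServiceStatus = (Get-Service -Name $service).Status
}
```

Because this re-enables a legacy setting, keep the script's output with the change record so the deviation from the Server 2012 R2 default is documented.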
You can now go back to your SCUP options and successfully generate a valid self-signed certificate, and proceed with normal SCUP configuration.
By the way, if you’re looking for a great guide on SCUP integration with SCCM, check out this TeachMeSCCM YouTube video: http://www.youtube.com/watch?v=fyEGWSFWyy0