I ran into an issue earlier this week while configuring System Center Updates Publisher 2011 to integrate with SCCM 2012 R2 on Windows Server 2012 R2.
I wasn’t aware of this change, but the self-signing of certificates in WSUS is no longer supported by default in Windows Server 2012. This is a big problem if you’re planning on using SCUP 2011 on Server 2012 R2 without a PKI: in that case, a WSUS-generated, self-signed certificate is required during configuration.
If you try to create a self-signed certificate in SCUP 2011 on Server 2012 R2, the issuer and expiration date will be blank, where it should generate a CN and timestamp.
Fortunately, there’s a simple workaround. WSUS certificate generation can be enabled on Server 2012 R2, even though it is a legacy feature that isn’t turned on by default. To enable it, open up your WSUS server’s registry, and go to HKEY_LOCAL_MACHINE\Software\Microsoft\Update Services\Server\Setup. Create a value named EnableSelfSignedCertificates under that key, and set it to 1. Restart the WSUS service (or the server). A more detailed explanation is available on this WSUS Team blog article. In short, self-signed certificate generation in WSUS is now a legacy setting that isn’t enabled by default.
You can now go back to your SCUP options and successfully generate a valid self-signed certificate, and proceed with normal SCUP configuration.
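The same workaround as a script, with a check of the resulting certificate (an added example, not part of the original post). It assumes the value is a DWORD, that the WSUS service has its default name WsusService, and that WSUS keeps its signing certificate in the local machine's WSUS certificate store.

```powershell
# Added example: run in an elevated PowerShell session on the WSUS server.
$ErrorActionPreference = 'Stop'

# Registry location and value name as given in the post.
$setupKey  = 'HKLM:\Software\Microsoft\Update Services\Server\Setup'
$valueName = 'EnableSelfSignedCertificates'

if (-not (Test-Path $setupKey)) {
    throw "WSUS setup key not found: $setupKey (is the WSUS role installed?)"
}

# Read the current state first so the change is visible and the script is re-runnable.
$current = (Get-ItemProperty -Path $setupKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($current -ne 1) {
    # Assumption: DWORD type; the post only says "set it to 1".
    New-ItemProperty -Path $setupKey -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Output "$valueName set to 1 (was: $(if ($null -eq $current) { 'absent' } else { $current }))"
} else {
    Write-Output "$valueName already set to 1"
}

# The post calls for a restart of the WSUS service (or the server) after the change.
Restart-Service -Name WsusService   # assumption: default WSUS service name

# After generating the certificate from the SCUP options, re-run this part.
# A good certificate has a populated Issuer and expiry date; the broken case
# described in the post shows both as blank in SCUP.
$store = 'Cert:\LocalMachine\WSUS'   # assumption: store used by WSUS for its signing certificate
if (Test-Path $store) {
    Get-ChildItem $store | Select-Object Subject, Issuer, NotAfter, Thumbprint
} else {
    Write-Output 'No WSUS certificate store found yet; create the certificate in SCUP, then check again.'
}
```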
By the way, if you’re looking for a great guide on SCUP integration with SCCM, check out this TeachMeSCCM YouTube video: http://www.youtube.com/watch?v=fyEGWSFWyy0
Hi,
W2012R2; SCCM2012R2;WSUS6.3 and SCUP 2011.
I am stuck at the create certificate stage! It just repeats the "Successful connection but no certificate was found" message and suggests that I create one.(?)
I am pulling my hair out, please help!
Did you run System Center Update Publisher as Administrator? Give that a shot.
Hi Josh,
Thanks for the swift reply. Funnily enough, right-click does not give me the option to RUN AS.
Not even in the METRO view, nor in the Browser view.
However, I have logged onto the machine as local admin and as Domain Admin; it made no difference. I have changed the registry according to blogs and suggestions due to the legacy feature in W2012R2 WSUS, with no success.
Since modifying the registry settings, have you restarted the WSUS service? Or the server itself?
Yes.
It did actually let me run as admin; I was wrong. But it did not make a difference.
When SCCM is configured, WSUS does not need configuring, I believe. All updates are working fine across the network, so publishing is working from WSUS to SCCM. There is a certificate for SMS (SCCM), but I am not sure if I can use that for SCUP instead of WSUS. The WSUS certificate folder does not exist even after enabling the certificate server.