I failed to update the certificate of a WSUS server before it expired 😦
Here’s the error message I got when I tried to use the cmdlet: Get-WsusServer : The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
Here’s what I did to replace my expired certificate by a valid one:
```powershell
# Create a self-signed certificate for this host
$SelfSignedHT = @{
    DnsName           = "$($env:COMPUTERNAME).myfqdn".ToLower()
    CertStoreLocation = "Cert:\LocalMachine\My"
}
New-SelfSignedCertificate @SelfSignedHT

# Retrieve it from its store (newest server-auth certificate that has not expired,
# so $cert is a single object even if older valid certificates are still present)
$cert = Get-ChildItem -Path Cert:\LocalMachine\My -SSLServerAuthentication |
    Where-Object { $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

# Export the public key
Export-Certificate -Cert $cert -Type CERT -FilePath "~/documents/cert.$($cert.Thumbprint).cer"

# Import the public key into the Root CA store so this machine trusts it
Import-Certificate -FilePath "~/documents/cert.$($cert.Thumbprint).cer" -CertStoreLocation Cert:\LocalMachine\Root

# View which certificate is being used (will show you the previous thumbprint)
(Get-WebBinding -Protocol https).certificateHash

# Update the HTTPS binding to the new certificate
(Get-WebBinding -Protocol https).AddSslCertificate("$($cert.Thumbprint)", "My")

# Check that the new cert is being used
(Get-WebBinding -Protocol https).certificateHash
```
I was able to use the Get-WsusServer immediately after switching to the valid new certificate in the same console where it previously failed 😀
Next step: distribute the exported public key to client computers using a GPO
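To confirm from a client that the WSUS HTTPS binding now serves the new certificate and that the client trusts it (the trust relationship Get-WsusServer failed on above), here is an added check script that is not part of the original post. It assumes WSUS listens on port 8531 and uses "wsus01.myfqdn" and the thumbprint value as placeholders.

```powershell
function Test-WsusSslBinding {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [int]    $Port = 8531,            # assumption: default WSUS HTTPS port
        [string] $ExpectedThumbprint,     # optional: value shown by certificateHash on the server
        [int]    $WarnDays = 30           # flag certificates that expire within this many days
    )
    $client = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    # Accept any certificate during the handshake; trust is evaluated explicitly below
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($ComputerName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose()
        $client.Close()
    }
    # Build the chain against this machine's certificate stores, which is what Get-WsusServer relies on
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck  # self-signed: no CRL
    $chainOk  = $chain.Build($cert)
    $served   = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    [pscustomobject]@{
        Server            = "${ComputerName}:$Port"
        ServedName        = $served
        Thumbprint        = $cert.Thumbprint
        NotAfter          = $cert.NotAfter
        DaysLeft          = $daysLeft
        Expired           = $daysLeft -lt 0
        ExpiringSoon      = ($daysLeft -ge 0) -and ($daysLeft -le $WarnDays)
        NameMatches       = $served -ieq $ComputerName
        ChainTrusted      = $chainOk
        ChainStatus       = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        ThumbprintMatches = $(if ($ExpectedThumbprint) { $cert.Thumbprint -ieq $ExpectedThumbprint } else { $null })
    }
}

# Run from a client once the exported public key has reached its Root store (e.g. via the GPO)
Test-WsusSslBinding -ComputerName "wsus01.myfqdn" -ExpectedThumbprint "<thumbprint from certificateHash>"
```

ChainTrusted is $false with ChainStatus "UntrustedRoot" on clients that have not yet received the public key, and ExpiringSoon gives advance warning before the situation at the top of this post repeats.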