Quick tip: Renew a certificate used by WSUS

I failed to update the certificate of a WSUS server before it expired 😦
Here’s the error message I got when I tried to use the cmdlet: Get-WsusServer : The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

Here’s what I did to replace my expired certificate with a valid one:

# Create a self-signed certificate and keep the object it returns
$SelfSignedHT = @{
    DnsName           = "$($env:COMPUTERNAME).myfqdn".ToLower()
    CertStoreLocation = "Cert:\LocalMachine\My"
}
$new = New-SelfSignedCertificate @SelfSignedHT

# Retrieve it from its store by thumbprint (filtering on NotAfter alone can match several certificates)
$cert = Get-ChildItem -Path Cert:\LocalMachine\My -SSLServerAuthentication |
    Where-Object { $_.Thumbprint -eq $new.Thumbprint }

# Export the public key
Export-Certificate -Cert $cert -Type CERT -FilePath "~/documents/cert.$($cert.Thumbprint).cer"

# Import the public key in the Root CA store
Import-Certificate -FilePath "~/documents/cert.$($cert.Thumbprint).cer" -CertStoreLocation Cert:\LocalMachine\Root

# Get-WebBinding comes from the IIS WebAdministration module
Import-Module WebAdministration

# View what certificate is being used (will show you the previous thumbprint)
(Get-WebBinding -Protocol https).certificateHash

# Update it (assumes a single https binding; the certificate is in the LocalMachine\My store)
(Get-WebBinding -Protocol https).AddSslCertificate($cert.Thumbprint, "My")

# Check that the new cert is being used
(Get-WebBinding -Protocol https).certificateHash

I was able to use the Get-WsusServer cmdlet immediately after switching to the valid new certificate, in the same console where it had previously failed 😀

Next step: distribute the exported public key to client computers using a GPO
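The root cause above was an expiry nobody noticed. As an added example (not from the post), here is a check that can be scheduled to report the state of the certificate bound to the WSUS HTTPS port before clients stop trusting the server. It assumes the WebAdministration module, the default WSUS SSL port 8531, and the same "<computername>.myfqdn" naming used in the post; the function name is my own.

```powershell
# Added example, not from the original post. Assumes the default WSUS HTTPS
# port (8531) and the DNS naming pattern used earlier; adjust both if needed.
Import-Module WebAdministration

function Test-WsusSslBinding {
    param(
        [int]$Port     = 8531,   # assumption: default WSUS HTTPS port
        [int]$WarnDays = 30,     # flag certificates with fewer days than this left
        [string]$DnsName = "$($env:COMPUTERNAME).myfqdn".ToLower()
    )

    # bindingInformation has the form "IP:port:hostname", e.g. "*:8531:"
    $binding = Get-WebBinding -Protocol https |
        Where-Object { $_.bindingInformation -like "*:${Port}:*" } |
        Select-Object -First 1
    if (-not $binding) {
        return [pscustomobject]@{ Port = $Port; Status = 'NoHttpsBinding' }
    }

    # IIS stores only a thumbprint and store name; resolve them to the certificate
    $store = if ($binding.certificateStoreName) { $binding.certificateStoreName } else { 'My' }
    $cert  = Get-ChildItem -Path "Cert:\LocalMachine\$store" |
        Where-Object { $_.Thumbprint -eq $binding.certificateHash }
    if (-not $cert) {
        return [pscustomobject]@{ Port = $Port; Thumbprint = $binding.certificateHash; Status = 'CertificateNotInStore' }
    }

    $daysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
    # Test-Certificate applies the chain, validity and hostname checks a TLS client would
    $trusted  = [bool](Test-Certificate -Cert $cert -Policy SSL -DNSName $DnsName -ErrorAction SilentlyContinue)

    $status = 'OK'
    if ($daysLeft -le $WarnDays) { $status = 'ExpiringSoon' }
    if (-not $trusted)           { $status = 'Untrusted' }
    if ($daysLeft -le 0)         { $status = 'Expired' }

    [pscustomobject]@{
        Port       = $Port
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        DaysLeft   = $daysLeft
        Trusted    = $trusted
        Status     = $status
    }
}

Test-WsusSslBinding | Format-List
```

Anything other than Status = OK is the signal to rotate the certificate and re-run the binding steps above before Get-WsusServer starts failing.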
