Quick tip: Renew a certificate used by WSUS

I failed to update the certificate of a WSUS sever before it expired 😦
Here’s what error message I got when I tried to use the cmdlet: Get-WsusServer : The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

Here’s what I did to replace my expired certificate by a valid one:

# Create a self signed certificate
$SelfSignedHT = @{
 DnsName = "$($env:COMPUTERNAME).myfqdn".ToLower()
 CertStoreLocation = "Cert:\LocalMachine\My"
New-SelfSignedCertificate @SelfSignedHT

# Retrieve it from its store
$cert = Get-ChildItem -Path Cert:\LocalMachine\My -SSLServerAuthentication | 
Where { $_.NotAfter -gt (Get-Date) }

# Export the public key
Export-Certificate -Cert $cert -Type CERT -FilePath "~/documents/cert.$($cert.Thumbprint).cer"

# Import the public key in the Root CA store
Import-Certificate -FilePath "~/documents/cert.$($cert.Thumbprint).cer" -CertStoreLocation Cert:\LocalMachine\Root

# View what certificate is being used (will show you the previous thumbprint)
(Get-WebBinding  -Protocol https).certificateHash

# Update it
(Get-WebBinding  -Protocol https).AddSslCertificate(

# Check that the new cert is being used
(Get-WebBinding  -Protocol https).certificateHash

I was able to use the Get-WsusServer immediately after switching to the valid new certificate in the same console where it previously failed 😀

Next step: distribute the exported public key to client computers using a GPO

1 thought on “Quick tip: Renew a certificate used by WSUS

  1. Pingback: Dew Drop – March 1, 2019 (#2910) | Morning Dew

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.