Export SCUP Self-Signed Certificate on Server 2012

Last week I had a problem. It was not possible to export the WSUS Publishers Self-signed Certificate with the private key.

WindowsServer2012_ExportPrivateKeyNotPossible   WindowsServer2012_PrivateKeyIsAvailable

 

To solve this issue, you have to grant permission on the private key file in the file system to your user. Per default only the WsusCertServer and the System account have access to it. The files could be found under:

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys

There are several ways to determine the correct file. I mostly compare the creation date of the certificate and the creation date of the file. Normally the permissions look like in the next screenshot.

WindowsServer2012_PermissionsOnPrivateKey_001 

First you have to take ownership of the file.

 

WindowsServer2012_PermissionsOnPrivateKey_002

Then you are able to grant permissions according to your needs on the file.

WindowsServer2012_PermissionsOnPrivateKey_003

After that you can go back to the Certificate Console and export the certificate with the private key.

WindowsServer2012_ExportPrivateKeyPossible

Thomas Kurth
Follow me

Thomas Kurth

Principal Workplace Consultant at baseVISION AG
I’m a consultant, trainer and architect for workplace management and enterprise mobility projects with Microsoft Technologies in the past eight years. I love to push and design the modern workplace based on Windows 10, EM&S and O365 for my customers which is the only answer for the current security threats, agile world and the fast-changing business requirements of my customers. Important for me is to simplify and automate the operational processes, because there are the highest costs.

MCSEMCTCMCE
Thomas Kurth
Follow me