Certificate Management

Scope: Easy2Patch (All versions)

Certificate Management

  1. The certificate management screen is opened by going to Settings > General > Certificate Management.

  2. In the Selected Certificate list, the certificates marked with a wildcard (*) are the eligible certificates. The eligible certificate is the one obtained in the Code signing certificate generation step.

  3. Alternatively, if the PFX version of the certificate is available, click the Import Certificate button to select the code signing certificate.

  4. On the Open screen, select and open the certificate file with the PFX extension.

  5. Enter the password of the PFX certificate in the pop-up window and click OK.

The Code Signing certificate selected with one of these 2 methods is the certificate that the WSUS software will use. The Certificate Status field shows Valid, and the Expiration Date field shows the validity period of the certificate. These fields are shown in green.

Import Certificate: It is used to import a Code-Signing certificate with the PFX extension. You need the password of the certificate when importing the PFX file. After the certificate is imported, the configuration must be saved by clicking the save button.

Generate Self-Signed: It is used to manually generate the required Code-Signing certificate for WSUS. This certificate needs to be distributed to all client systems manually or via GPO. You can export the certificate with the Export Certificate button. After the certificate is generated, the configuration must be saved by clicking the save button.

Show Certificate: It is used to display the properties of the selected and loaded certificate.

Export Certificate: It is used to export the selected and loaded Code-Signing certificate for backup purposes. When exporting the certificate, a password must be specified because the certificate is exported together with its private key. It is important that this password is not forgotten. You will need this password during the import process.

Timestamp Server

A timestamp server, also known as a time-stamping authority (TSA), is a trusted third-party service that provides a digital timestamp to a document, file, or message.

A digital timestamp is a cryptographic hash of the data that is signed with a private key owned by the timestamp server. This signed hash is then attached to the original data, allowing anyone who has the public key of the timestamp server to verify that the data existed at a specific point in time and has not been altered since then.

The purpose of a timestamp server is to provide a way to prove the integrity and authenticity of electronic records and documents over time, even if the original digital signatures or certificates expire or become invalid. This is especially important in industries such as finance, legal, and healthcare, where records must be kept for long periods of time and need to be verifiable.

Timestamp servers are typically used in conjunction with digital signature software, where a user signs a document using their private key and the timestamp server provides a digital timestamp to the signed document. This ensures that the document was signed at a specific point in time and has not been altered since then.

Select the desired timestamp server from the Timestamp Server URL list. It is important that this address is accessible; you can check this by pressing the ping button. Note that the addresses shown here may not be page addresses that can be opened in a browser. They are services that run over TCP 80 and TCP 443.

You can select any timestamp server from the list and then click the save button. The connection test to the timestamp server can be done with the ping button. It is important to note that the timestamp server address looks like a web address, but a web page may not be published there. A timestamp server is a service that listens on TCP port 80 or 443.
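The following added example (not part of the Easy2Patch documentation or product code) shows why a timestamp server URL does not open as a web page: assuming the server speaks RFC 3161, which this page does not state, the client sends a small binary request that carries only the SHA-256 hash of the data. The function names, the sample bytes and the `timestamp.example.test` URL are constructed for illustration.

```python
import hashlib
import socket
from urllib.parse import urlsplit

SHA256_OID = bytes.fromhex("0609608648016503040201")  # DER OID 2.16.840.1.101.3.4.2.1

def der(tag: int, body: bytes) -> bytes:
    """Encode one DER tag-length-value (short and long length forms)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body

def der_int(value: int) -> bytes:
    """Encode a non-negative INTEGER; a leading zero byte keeps it positive."""
    return der(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def build_timestamp_request(data: bytes, nonce: int) -> bytes:
    """Return a DER TimeStampReq; only the SHA-256 digest of `data` is included."""
    digest = hashlib.sha256(data).digest()
    algorithm = der(0x30, SHA256_OID + der(0x05, b""))   # AlgorithmIdentifier
    imprint = der(0x30, algorithm + der(0x04, digest))   # MessageImprint
    cert_req = der(0x01, b"\xff")                        # certReq = TRUE
    return der(0x30, der_int(1) + imprint + der_int(nonce) + cert_req)

def tsa_endpoint(url: str) -> tuple[str, int]:
    """Host and TCP port the URL implies: 80 for http, 443 for https unless stated."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not an http(s) timestamp URL: {url!r}")
    return parts.hostname, parts.port or (443 if parts.scheme == "https" else 80)

def tcp_reachable(url: str, timeout: float = 3.0) -> bool:
    """Plain TCP connect test to the port the URL implies; no HTTP is sent."""
    try:
        with socket.create_connection(tsa_endpoint(url), timeout=timeout):
            return True
    except OSError:
        return False

if __name__ == "__main__":
    # Constructed sample input and placeholder URL, not a server from the product's list.
    req = build_timestamp_request(b"constructed sample update package", nonce=0x1234)
    print(len(req), "request bytes; the package itself is never sent")
    print(tsa_endpoint("http://timestamp.example.test/rfc3161"))
```

An RFC 3161 client sends these bytes in an HTTP POST with `Content-Type: application/timestamp-query` and receives an `application/timestamp-reply` body, which is why a browser GET to the same address may show nothing useful.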
