Hi, I will assume that your Wsus-Servant is a Wsus Downstream server and Wsus-Main is the Upstream server.
Your workstations pull updates from the downstream server, so the downstream server needs to get updates from the upstream server, so the downstream server needs to trust the upstream server.
You have to add the code signing certificate into the 'Trusted Publisher' store of the downstream server. If the certificate is a self-signed cert, then the same certificate must be added to the "Trusted Authority" on the downstream server. Otherwise you have to add the certificate of the root authority that has issued the code signing certificate into the "Trusted Authority". This will allow the downstream server to pull locally published updates from the upstream server.
If you want to locally publish onto the downstream server directly, you have to create a self-signed code signing certificate from the downstream server (don't forget to spread this certificate onto client workstations).
I do recommend publishing only on the upstream server, because it's much more complicated to manage certificates otherwise.
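
The import steps described in this answer, as an added PowerShell example that is not part of the original post: it checks that the exported certificate is actually a code signing certificate before trusting it, then places it in the right stores depending on whether it is self-signed. The file paths are placeholders, and it assumes "Trusted Authority" means the machine's Trusted Root Certification Authorities store (`Cert:\LocalMachine\Root`).

```powershell
# Run elevated on the downstream WSUS server.
param(
    [string]$CertPath = 'C:\Temp\wsus-codesigning.cer',  # placeholder: cert exported from upstream (public key only)
    [string]$IssuerRootPath                               # placeholder: root CA .cer, needed only for CA-issued certs
)
$ErrorActionPreference = 'Stop'
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# Only trust a certificate that is valid for code signing and not expired.
$ekuOids = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
    ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value }
if ($ekuOids -notcontains '1.3.6.1.5.5.7.3.3') {
    throw "Certificate $($cert.Thumbprint) does not carry the Code Signing EKU."
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter)."
}

# Step 1: the code signing certificate always goes into Trusted Publishers.
Import-Certificate -FilePath $CertPath -CertStoreLocation Cert:\LocalMachine\TrustedPublisher | Out-Null

# Step 2: establish the trust anchor.
if ($cert.Subject -eq $cert.Issuer) {
    # Self-signed (subject equals issuer): the same certificate is its own root.
    Import-Certificate -FilePath $CertPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
} else {
    # CA-issued: import the issuing root CA certificate instead.
    if (-not $IssuerRootPath) { throw "Issued by '$($cert.Issuer)': pass -IssuerRootPath." }
    $root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $IssuerRootPath
    if ($root.Subject -ne $root.Issuer) { throw "'$IssuerRootPath' is not a root certificate." }
    Import-Certificate -FilePath $IssuerRootPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
}

# Step 3: confirm the result instead of assuming the import worked.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # a self-signed cert has no revocation endpoint
[pscustomobject]@{
    Thumbprint         = $cert.Thumbprint
    InTrustedPublisher = Test-Path "Cert:\LocalMachine\TrustedPublisher\$($cert.Thumbprint)"
    ChainBuilds        = $chain.Build($cert)
    ChainStatus        = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
}
```

Both `InTrustedPublisher` and `ChainBuilds` should be `True` before the downstream server is expected to accept locally published updates from the upstream server.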