"WSUS uses SSL for metadata only, not for update files. This is the same way that Microsoft Update distributes updates. Microsoft reduces the risk of sending update files over an unencrypted channel by signing each update. In addition, a hash is computed and sent together with the metadata for each update. When an update is downloaded, WSUS checks the digital signature and hash. If the update has been changed, it is not installed."
Pre-requisites:
- Instructions assume a public domain.
- Ports 8530 and 8531 must be open for communication for SSL on WSUS to work properly.
Steps for configuring SSL on servers running Windows Server Update Services (WSUS):
- Login to your WSUS server
- Open up Server Manager
- Select Tools -> Internet Information Services (IIS) Manager
- Generate an SSL certificate
- Click on your Server and select Server Certificates
- If you have your own PKI environment, follow these steps; if not, jump to step three.
- Click 'Create Self-Signed Certificate' on the right side (you can also create a domain certificate if you prefer, but that is not covered in this guide).
- Fill in the field “Specify a friendly name for the certificate”. Select the “Web Hosting” certificate store from the drop-down menu. Click OK.
- Open Sites in the connection tree > Click 'WSUS Administration'
- Under the Actions column on your right, click Bindings
- Select the 'https 8531' row and click Edit
- Select the SSL certificate you have just created in the dropdown list. Click 'View'
- Copy the FQDN of the 'Issued to' server to the clipboard. Click OK.
- Enter the hostname you copied in the previous step into the Host name field. Click OK and then click Close.
Note: Ensure the value you use in the Host name field is a FQDN. A ping from the endpoint(s) to the WSUS FQDN should resolve to the correct IPv4 address.
- Under the 'WSUS Administration' tree click on 'ClientWebService' and then double-click 'SSL Settings'.
- Mark the 'Require SSL' checkbox and then click Apply.
- Repeat the last two steps (9,10: open 'SSL Settings' and mark 'Require SSL') for:
- 'DssAuthWebService'
- 'ServerSyncWebService'
- 'SimpleAuthWebService'
- Close Internet Information Services (IIS) Manager.
- Start a command prompt in Administrator mode.
- Change directory to C:\Program Files\Update Services\Tools.
- Run WsusUtil.exe configuressl <FQDN>.
- Make sure the command returns a URL similar to the one seen in the screenshot (it should be https://<FQDN>:8531).
- Close the command prompt.
- The next step is to export the certificate. Run MMC in Administrator mode.
- Click File > Add/Remove Snap-in
- Click on Certificates > Click Add.
- Click the radio button 'Computer account'. Click Next.
- Click on the Finish button
- Click OK
- Expand Certificates (Local Computer) \ Trusted Root Certification Authorities and click on Certificates. Right-click the certificate that matches the FQDN of this server. Click All Tasks > Export. The exported certificate can be used on WSUS client servers.
- Done!
Next Step
In order to enable secure communication between WSUS and the Windows endpoints you need:
- The WSUS certificate imported on each endpoint into both the "Trusted Root Certification Authorities" and "Trusted Publishers" stores of the local computer certificate store
- The 'Allow signed updates from an intranet Microsoft update service location' policy enabled on each endpoint.
- If your endpoints have already been configured to use WSUS over port 8530, then you will also need to update the intranet Microsoft update service location to https:// and port 8531 (e.g. https://your_wsus_server_hostname:8531)
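As an added example (not part of the original article), the PowerShell script below checks on a Windows endpoint whether the three requirements above are met: the certificate is present in both stores, the signed-intranet-updates policy is enabled (stored as AcceptTrustedPublisherCerts under the WindowsUpdate policy key), and WUServer/WUStatusServer point at https on 8531. The WSUS FQDN is a placeholder, the certificate is matched by its Subject CN, and an elevated session is assumed.

```powershell
# Added example, not from the original article: verify the client-side WSUS SSL requirements.
# Assumptions: $WsusFqdn is a placeholder (replace with your WSUS FQDN); the certificate is
# matched by Subject CN; run in an elevated PowerShell session on the endpoint.
param(
    [string]$WsusFqdn = 'wsus.example.internal',   # placeholder value
    [int]$SslPort     = 8531
)

$ok = $true
function Report([bool]$Pass, [string]$What) {
    $script:ok = $script:ok -and $Pass
    '{0} {1}' -f ($(if ($Pass) { '[PASS]' } else { '[FAIL]' }), $What)
}

# 1. The WSUS certificate must be in BOTH Trusted Root and Trusted Publishers (LocalMachine).
foreach ($store in 'Root', 'TrustedPublisher') {
    $cert = Get-ChildItem -Path "Cert:\LocalMachine\$store" |
            Where-Object { $_.Subject -match "CN=$([regex]::Escape($WsusFqdn))" }
    Report ($null -ne $cert) "certificate for $WsusFqdn present in LocalMachine\$store"
    if ($cert -and $cert.NotAfter -lt (Get-Date)) { Report $false "certificate in $store has expired" }
}

# 2. The policy 'Allow signed updates from an intranet Microsoft update service location'
#    is stored as AcceptTrustedPublisherCerts = 1 under the WindowsUpdate policy key.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
Report ($wu.AcceptTrustedPublisherCerts -eq 1) 'AcceptTrustedPublisherCerts = 1 (signed intranet updates allowed)'

# 3. The intranet update service URLs must use https:// on the SSL port, not http://...:8530.
$expected = "https://${WsusFqdn}:${SslPort}"
foreach ($name in 'WUServer', 'WUStatusServer') {
    Report ($wu.$name -eq $expected) "$name = $expected (actual: '$($wu.$name)')"
}

# 4. Name resolution and reachability: the FQDN must resolve and the SSL port must accept connections.
$dns = Resolve-DnsName -Name $WsusFqdn -Type A -ErrorAction SilentlyContinue
Report ($null -ne $dns) "$WsusFqdn resolves to an IPv4 address ($($dns.IPAddress -join ', '))"
$tcp = Test-NetConnection -ComputerName $WsusFqdn -Port $SslPort -WarningAction SilentlyContinue
Report $tcp.TcpTestSucceeded "TCP connection to ${WsusFqdn}:${SslPort} succeeded"

if (-not $ok) { exit 1 }
```

A non-zero exit code means at least one check failed, which makes the script usable from a configuration-baseline or monitoring job.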
Comments
Hi,
Thanks for that article, you should add the information that the certificate must be imported to all the clients in both the Trusted Root and Trusted Publishers.
I've lost a lot of time finding that it must be in those 2 places ;)
Also, on each client you must use gpedit.msc and go to Local Computer > Computer Configuration > Administrative Templates > Windows Components > Windows Update.
Then set ENABLED the option "Allow signed update from an intranet Microsoft update location".