Articles in this section

See more

Enabling  SSL on WSUS 

Todd Kirkland
  • Updated
Follow

Steps demonstrating how to configure SSL on servers running the Windows Server Update Services.

  1. Login to your WSUS server
  2. Open up Server Manager        Server 2012 R2 - Server Manager
  3. Select Tools -> Internet Information Services (IIS) Manager Server Manager - Tools - Internet Information Services IIS Manager
  4. Generate a SSL certificate
    1. Click on your Server and select Server Certificates Internet Information Services (IIS) Manager - Server Certificates
    2. If you have your own PKI environment, follow these steps, if not, jump to step three
      1. Click 'Create Self-Signed Certificate' on the right side. (you can also create a domain certificate if you would like but it is not specified in this manual).
      2. Screen_Shot_2020-05-13_at_11.24.25_AM.png
      3. Fill in the field “Specify a friendly name for the certificate”.  Select the “Web Hosting” certificate from the drop down menu.  Click OKScreen_Shot_2020-05-13_at_11.25.22_AM.png

      4. Open Sites in the connection tree > Click 'WSUS Administration'Screen_Shot_2020-05-13_at_11.26.48_AM.png

      5. Under Actions column to your right, click on Screen_Shot_2020-05-13_at_11.29.21_AM.png
      6. Select the 'https 8531' row and click editScreen_Shot_2020-05-13_at_11.31.32_AM.png
      7.  Select the SSL certificate you have just created in the dropdown list. Click 'View'Screen_Shot_2020-05-13_at_11.34.24_AM.png

      8. Copy to clipboard the FQDN of the 'Issued to' server.  Click OK.Screen_Shot_2020-05-13_at_11.36.55_AM.png

      9. Enter the hostname you have copied in the previous step to the Host name field. Click OK and then click close
        Note: Ensure the value you use in the Host name field is a FQDN. A ping from the Endpoint/s to the WSUS FQDN should be resolved to the correct IPv4 address

      10. Screen_Shot_2020-05-13_at_11.38.45_AM.png

      11. Under the 'WSUS Administration' tree click on 'ClientWebService' and then double click on the 'SSL Settings'.Screen_Shot_2020-05-13_at_11.54.59_AM.png

      12. Mark the 'Require SSL' checkbox and then click Apply.Screen_Shot_2020-05-13_at_11.57.02_AM.png

      13. Repeat the last two steps (9,10) for:
        1. 'DssAuthWebService'
        2. 'ServerSyncWebService'
        3. 'SimpleAuthWebService'. Close Internet Information Services (IIS) Manager.Screen_Shot_2020-05-13_at_11.57.02_AM.png 
      14.  Start a command prompt in Administrator mode. 
        1. Change directory to C:\Program Files\Update Services\Tools. 
        2. Run WsusUtil.exe configuressl <FQDN>. 
        3. Make sure you get a similar URL response as seen in the screenshot.
        4. Close the command prompt.giliprompt.jpg
      15. The next step would be to export the certificate. Run MMC in Administrator mode.  Click
      16. File>Add/Remote Snap-in image201.png
      17. Click on Certificates >  Click Add.image202.png
      18.  Click the radio button 'Computer account'.  Click Next.image203.png
      19. Click on the Finish buttonimage204.png
      20. Click OKimage205.png
      21.  Expand the Certificates (Local Computer) \ Trusted Root Certification Authorities and click on Certificates.  Right-click on the certificate that matches the FQDN of this server.  Click All Tasks > Export. The exported certificate can be used on WSUS client servers.gilicropped.jpg
      22. Done!

 

Related articles

Comments

0 comments

Please sign in to leave a comment.