Articles in this section

See more

Enabling SSL on WSUS 

Note from Microsoft:

"WSUS uses SSL for metadata only, not for update files. This is the same way that Microsoft Update distributes updates. Microsoft reduces the risk of sending update files over an unencrypted channel by signing each update. In addition, a hash is computed and sent together with the metadata for each update. When an update is downloaded, WSUS checks the digital signature and hash. If the update has been changed, it is not installed."

Thus, ports 8531 and 8530 must be open for communication for SSL on WSUS to work properly.

Steps demonstrating how to configure SSL on servers running the Windows Server Update Services.

  1. Login to your WSUS server
  2. Open up Server Manager        Server 2012 R2 - Server Manager
  3. Select Tools -> Internet Information Services (IIS) Manager Server Manager - Tools - Internet Information Services IIS Manager
  4. Generate a SSL certificate
    1. Click on your Server and select Server Certificates Internet Information Services (IIS) Manager - Server Certificates
    2. If you have your own PKI environment, follow these steps, if not, jump to step three
      1. Click 'Create Self-Signed Certificate' on the right side. (you can also create a domain certificate if you would like but it is not specified in this manual).
      2. Screen_Shot_2020-05-13_at_11.24.25_AM.png
      3. Fill in the field “Specify a friendly name for the certificate”.  Select the “Web Hosting” certificate from the drop down menu.  Click OKScreen_Shot_2020-05-13_at_11.25.22_AM.png

      4. Open Sites in the connection tree > Click 'WSUS Administration'Screen_Shot_2020-05-13_at_11.26.48_AM.png

      5. Under Actions column to your right, click on Screen_Shot_2020-05-13_at_11.29.21_AM.png
      6. Select the 'https 8531' row and click editScreen_Shot_2020-05-13_at_11.31.32_AM.png
      7.  Select the SSL certificate you have just created in the dropdown list. Click 'View'Screen_Shot_2020-05-13_at_11.34.24_AM.png

      8. Copy to clipboard the FQDN of the 'Issued to' server.  Click OK.Screen_Shot_2020-05-13_at_11.36.55_AM.png

      9. Enter the hostname you have copied in the previous step to the Host name field. Click OK and then click close
        Note: Ensure the value you use in the Host name field is a FQDN. A ping from the Endpoint/s to the WSUS FQDN should be resolved to the correct IPv4 address

      10. Screen_Shot_2020-05-13_at_11.38.45_AM.png

      11. Under the 'WSUS Administration' tree click on 'ClientWebService' and then double click on the 'SSL Settings'.Screen_Shot_2020-05-13_at_11.54.59_AM.png

      12. Mark the 'Require SSL' checkbox and then click Apply.Screen_Shot_2020-05-13_at_11.57.02_AM.png

      13. Repeat the last two steps (9,10) for:
        1. 'DssAuthWebService'
        2. 'ServerSyncWebService'
        3. 'SimpleAuthWebService'. Close Internet Information Services (IIS) Manager.Screen_Shot_2020-05-13_at_11.57.02_AM.png 
      14.  Start a command prompt in Administrator mode. 
        1. Change directory to C:\Program Files\Update Services\Tools. 
        2. Run WsusUtil.exe configuressl <FQDN>. 
        3. Make sure you get a similar URL response as seen in the screenshot.
        4. Close the command prompt.giliprompt.jpg
      15. The next step would be to export the certificate. Run MMC in Administrator mode.  Click
      16. File>Add/Remote Snap-in
        1.png
      17. Click on Certificates >  Click Add.
        2.png
      18.  Click the radio button 'Computer account'.  Click Next.
        3.png
      19. Click on the Finish button
        4.png
      20. Click OK
        5.png
      21.  Expand the Certificates (Local Computer) \ Trusted Root Certification Authorities and click on Certificates.  Right-click on the certificate that matches the FQDN of this server.  Click All Tasks > Export. The exported certificate can be used on WSUS client servers.gilicropped.jpg
      22. Done!

Next Step

In order to enable secure communication between WSUS and the Windows endpoint you need to install the self-signed WSUS certificate on the endpoints in both "Trusted Root" and "Trusted Publisher" on each client computer local certificate store and enable signed updates from an intranet update location.

See article

Related articles

Comments

2 comments

Date Votes
  • Marc Sorbier

    Hi,

    Thanks for that article, you should add the information that the certicat must be imported to all the clients in both the Trusted Root and Trusted Publishers

    i ve lost a lot of time finding that it must be in those 2 places ;)

    0
    Comment actions Permalink
  • Marc Sorbier

    Also, on each clients you must use gpedit.msc and go local computer > computer configuration > administrative templates > windows components > Windows update 

    Then set ENABLED the option Allow Signed update from an intranet microsoft update location

    0
    Comment actions Permalink

Please sign in to leave a comment.