How To: Configure IIS to Use SSL Connections on Your WSUS Server - Self-Signed Certificate

Version 13

    Purpose

     

    If you have created your code signing certificate using an internal CA, the Shavlik Patch plugin lets you import this certificate via the Shavlik Patch Settings on the WSUS Server tab. However, the import function requires an SSL connection to the WSUS server. As part of the SSL configuration, another type of server certificate, an SSL Server Certificate, is required for secure communication between the SCCM and WSUS servers. This document describes how to create a self-signed SSL certificate and configure IIS to use SSL on your WSUS server for use with Shavlik Patch for Microsoft System Center.

     

    Shavlik does not provide support for Microsoft products such as Configuration Manager, WSUS, or IIS. If you have trouble setting up these prerequisites for installing the Shavlik Patch plugin, it is best to work directly with Microsoft support.

     

    Description

     

    The steps below show how to configure IIS on the WSUS Server to use SSL. You will need to have the IIS role and functionality working prior to performing these steps. This documentation was created using a Windows Server 2012 R2 environment.

     

    1) Ensure that Server Manager is opened (run as administrator), and click Tools > Internet Information Services (IIS) Manager.

     

    2)  Click the server node in the Connections tree. Double-click "Server Certificates".

     

    3)  Click "Create Self-Signed Certificate...".

     

    4)  Fill in the edit field “Specify a friendly name for the certificate”.  Select the “Web Hosting” certificate store.  Click OK.

     

    5)  Click “WSUS Administration” in the Connections tree.

     

    6)  Click “Bindings…” in the Actions column.

     

    7)  Click “https 8531”.  Click “Edit…”.

     

    8)  Select the SSL certificate you just created in the dropdown box.  Click “View…”.

     

    9)  Note the FQDN of the “Issued to” server.  Click OK.

     

    10)  Enter the FQDN host name you noted from the Certificate window.  Click OK.

     

    11)  Click Close.

     

    12)  Expand “WSUS Administration” in the Connections tree.  Click on ClientWebService.  Double-click “SSL Settings”.

     

    13)  Click the checkbox “Require SSL”.  Click Apply.

     

    14)  Repeat the last two steps for “DssAuthWebService”, “ServerSyncWebService”, and “SimpleAuthWebService”.  Close Internet Information Services (IIS) Manager.

     

    15)  Start a command prompt in Administrator mode.  Change directory to C:\Program Files\Update Services\Tools.  Run WsusUtil.exe configuressl <FQDN>.  Make sure you get a similar URL response as shown.  Close the command prompt.

     

    16)  Now you need to export the certificate. Run MMC in Administrator mode.  Click File > Add/Remove Snap-in…

     

    17)  Click Certificates.  Click Add.

     

    18)  Click the radio button “Computer account”.  Click Next.

     

    19)  Click Finish.

     

    20)  Click OK.

     

    21)  Expand the Certificates (Local Computer) \ Trusted Root Certification Authorities and click on Certificates.  Right-click on the certificate that matches the FQDN of this server.  Click All Tasks > Export…

     

    22)  Once you export the certificate, copy it to each SCCM system that needs to connect to the WSUS server, and ensure the certificate is imported into Trusted Root Certification Authorities > Certificates on each of those systems.

     

    23) Once this is configured, you should be able to connect using SSL via the Shavlik Patch plugin settings. If you have the Shavlik Patch plugin installed in SCCM, go to Software Library > Software Updates, right-click 'Shavlik Patch', then choose Settings.

     

    24) Go to the WSUS Server tab. You can now choose Port 8531 and check the box for 'Use Secure Sockets Layer (SSL) to connect to this server'. Test the connection, and then click the 'Import' button to import your code-signing certificate.
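
    The configuration produced by the steps above can be checked from PowerShell. This is an added example, not part of the original Shavlik document: the function names are hypothetical, the site and virtual directory names are the ones used in the steps, and the first function assumes the WebAdministration module that ships with IIS.

```powershell
# Added example: audits the result of the steps above. Function names are hypothetical.
Import-Module WebAdministration -ErrorAction SilentlyContinue  # present on the IIS/WSUS server only

# Run on the WSUS server: checks the https 8531 binding (steps 7-10)
# and the "Require SSL" setting on the four virtual directories (steps 12-14).
function Test-WsusSslConfig {
    param([string]$Site = 'WSUS Administration')
    $binding = Get-WebBinding -Name $Site -Protocol https -Port 8531
    [pscustomobject]@{
        Item   = 'https 8531 binding'
        Detail = $binding.bindingInformation
        Ok     = [bool]$binding -and [bool]$binding.certificateHash  # a certificate is attached
    }
    $vdirs = 'ClientWebService', 'DssAuthWebService', 'ServerSyncWebService', 'SimpleAuthWebService'
    foreach ($vdir in $vdirs) {
        $access = Get-WebConfiguration -PSPath "IIS:\Sites\$Site\$vdir" `
                                       -Filter 'system.webServer/security/access'
        # sslFlags is read as a comma-separated list; "Ssl" is the Require SSL checkbox
        $flags = ([string]$access.sslFlags) -split ',' | ForEach-Object { $_.Trim() }
        [pscustomobject]@{ Item = $vdir; Detail = ($flags -join ','); Ok = ($flags -contains 'Ssl') }
    }
}

# Run on each SCCM system after step 22: the handshake succeeds only if the
# certificate chains to a trusted root on this machine and its name matches the FQDN.
function Test-WsusTls {
    param([Parameter(Mandatory)][string]$Fqdn, [int]$Port = 8531)
    $tcp = New-Object System.Net.Sockets.TcpClient($Fqdn, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream())
        $ssl.AuthenticateAsClient($Fqdn)   # throws on an untrusted certificate or name mismatch
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter    # self-signed certificates expire; plan the renewal
        }
    }
    finally { $tcp.Close() }
}

# Usage (the FQDN below is a placeholder):
#   Test-WsusSslConfig | Format-Table -AutoSize
#   Test-WsusTls -Fqdn 'wsus.example.local'
```

    An exception from Test-WsusTls on an SCCM system means the certificate is not yet trusted there or the FQDN does not match the "Issued to" name noted in step 9.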

     

     

    Additional Information

     

    For more information refer to the following resources:

    Technet - Secure the WSUS 3.0 SP2 Deployment

    Microsoft's documentation on System Center 2012 at http://technet.microsoft.com/en-us/library/hh546785.aspx

    Shavlik Patch for Microsoft System Center Documentation

     

    Affected Product(s)

     

    Shavlik Patch for Microsoft System Center

    (Formerly Shavlik SCUPdates)