How To: Configure IIS to Use SSL Connections on a WSUS Server to Allow the Import of a Code Signing Certificate

Version 8



    If you have created your code signing certificate using an internal CA, the Shavlik/Ivanti Patch for SCCM plugin gives you the ability to import this certificate via the Patch Settings on the WSUS Server tab. However, to be able to use the import function, a SSL connection to the WSUS server is required . As part of the SSL configuration, another type of Server certificate, a SSL Server Certificate, is needed for the secure communication between the SCCM and the WSUS servers. Before configuring IIS to use SSL on your WSUS server, you need to create a self signed SSL certificate or request a SSL certificate.

    Ivanti support does not provide support for Microsoft products such as Configuration Manager, WSUS, or IIS. If you face trouble in setting up these prerequisites to installing or configuring the Shavlik Patch plugin, you should contact Microsoft Support directly.




    Before following the steps using the Microsoft Web links below, the IIS role should enabled and functional.


    1. Create a self signed certificate using instructions at Create a Self-Signed Server Certificate in IIS 7 or if using PKI,  Designing and Implementing a PKI: Part IV Configuring SSL for Web Enrollment and Enabling Key Archival
    2. Configure WSUS to use SSL using instructions at How to Configure the WSUS Web Site to Use SSL
    3. Export the SSL Certificate using instructions found at Export a Server Certificate (IIS 7)  .
    4. Copy the certificate to your SCCM system(s) that will need to connect to the WSUS server, and ensure that this certificate is imported to the Trusted Root Certification Authorities > Certificates on any of those systems.


    The Microsoft links above are provided as a courtesy by Ivanti Support.  Any questions or troubleshooting related to Configuration Manager, WSUS, or IIS should be addressed to Microsoft Support.


    After the above Microsoft environmental prerequisites are met,  configure the Shavlik/Ivanti Patch Plug-in to connect to the WSUS Server over SSL .

    1. In the SCCM Console, select Software Library > Software Updates > right click on 'Shavlik/Ivanti Patch', then choose Settings.
    2. Select the WSUS Server tab,  choose Port 8531 and check the box for 'Use Secure Sockets Layer (SSL) to connect to this server. Test the connection, and click the 'Import' button to import your code-signing certificate.




    Additional Information


    For more information refer to the following resources:


    Affected Product(s)


    Shavlik Patch for SCCM

    Ivanti Patch for SCCM