How To: Configure IIS to Use SSL Connections on a WSUS Server to Allow the Import of a Code Signing Certficate1

Version 7



    If you have created your code signing certificate using an internal CA, the Shavlik Patch plugin gives you the ability to import this certificate via the Shavlik Patch Settings on the WSUS Server tab. However, to be able to use the import function, a SSL connection to the WSUS server is required . As part of the SSL configuration, another type of Server certificate, a SSL Server Certificate, is needed for the secure communication between the SCCM and the WSUS servers. Before configuring IIS to use SSL on your WSUS server , you need to create a self signed SSL certificate or request a SSL certificate.


    Shavlik does not provide support for Microsoft products such as Configuration Manager, WSUS, or IIS. If you face trouble in setting up these prerequisites to installing or configuring the Shavlik Patch plugin, you should contact Microsoft Support directly.




    Before following the steps using the Microsoft Web links below, the IIS role should enabled and functional.


    1. Create a self signed certificate using instructions at Create a Self-Signed Server Certificate in IIS 7 or if using PKI,  Designing and Implementing a PKI: Part IV Configuring SSL for Web Enrollment and Enabling Key Archival
    2. Configure WSUS to use SSL using instructions at How to Configure the WSUS Web Site to Use SSL
    3. Export the SSL Certificate using instructions found at Export a Server Certificate (IIS 7)  .
    4. Copy the certificate to your SCCM system(s) that will need to connect to the WSUS server, and ensure that this certificate is imported to the Trusted Root Certification Authorities > Certificates on any of those systems.

    The Microsoft links above are provided as a courtesy by Shavlik.  Any questions or troubleshooting related to Configuration Manager, WSUS, or IIS should be addressed to Microsoft Support


    After the above Microsoft environmental prerequisites are met,  configure the Shavlik Patch Plug-In to connect to the WSUS Server over SSL .

    1. In the SCCM Console, select Software Library > Software Updates > right click on 'Shavlik Patch', then choose Settings.
    2. Select the WSUS Server tab,  choose Port 8531 and check the box for 'Use Secure Sockets Layer (SSL) to connect to this server. Test the connection, and click the 'Import' button to import your code-signing certificate.




    Additional Information


    For more information refer to the following resources:

    Configuring Server Certificates in IIS 7

    TechNet - Secure the WSUS 3.0 SP2 Deployment

    Microsoft's documentation on System Center 2012 at

    Shavlik Patch for Microsoft System Center Documentation


    Affected Product(s)


    Shavlik Patch for Microsoft System Center

    (Formerly Shavlik SCUPdates)