Enabling SSL on Windows Server Update Services (WSUS)

Here are the steps to configure SSL on your servers running the Windows Server Update Services.  This guide was written using Server 2012 R2, however it should be the same steps for Windows Server 2008 R2 as well.  This guide also assumes you have a working instance of WSUS installed and configured, using default ports.

  1. Login to your WSUS server
  2. Open up Server Manager
    Server 2012 R2 - Server Manager
  3. Select Tools -> Internet Information Services (IIS) Manager
    Server Manager - Tools - Internet Information Services IIS Manager
  4. Generate a SSL certificate
    1. Click on your Server and select Server Certificates
      Internet Information Services (IIS) Manager - Server Certificates
    2. If you have your own PKI environment, follow these steps, if not, jump to step three
      1. Click Create Domain Certificate on the right side
        Internet Information Services (IIS) Manager - Server Certificates - Create Domain Certificate
      2. Fill in the requested information on the Distinguished Name Properties page and click Next
        Internet Information Services (IIS) Manager - Server Certificates - Distinguished Name Properties
      3. Select your certificate authority and enter a friendly name (this can be anything), and then click Finish
      4. Internet Information Services (IIS) Manager - Server Certificates - Create Domain Certificate - Online Certification Authority
    3. If you need to submit a certificate request to an external certificate authority like Goaddy, Verisgn, Comodo; follow these steps
      1. Click Create Certificate Request on the right side
        Internet Information Services (IIS) Manager - Server Certificates - Create Certificate Request
      2. Fill out the Distinguished Name Properties and click Next
        Internet Information Services (IIS) Manager - Server Certificates - Request Certificate - Distinguished Name Properties
      3. Change the Bit length to 2048 and click Next
        Internet Information Services (IIS) Manager - Server Certificates - Request Certificate - Crytographic Service Provider Properties
      4. Select a location on where to place the CSR file that will be generated by the wizard and click Finish
        Internet Information Services (IIS) Manager - Server Certificates - Request Certificate - File Name
      5. At this point, send the request to your certificate authority (like GoDaddy, Verisign, or your own internal certificate authority). You should receive back a .cer file once the claim has been fulfilled.
      6. Click on Complete Certificate Request on the right side
        Internet Information Services (IIS) Manager - Server Certificates - Complete Certificate Request
      7. Select the .cer file that your public certificate authority provided you, type in a friendly name (this can be anything), select Web Hosting for the certificate store, and click OK
        Internet Information Services (IIS) Manager - Server Certificates - Request Certificate - Specify Certificate Authority Response
  5. Next, we need to bind the SSL certificate to your network adapter.
    1. Expand your server, expand Sites, and select WSUS Administration
      IIS - Sites - WSUS Administration
    2. Select Bindings… on the right side
      IIS - Bindings
    3. Select the https site and hit the Edit… button
      Site Bindings - Port 8531
    4. Select https for the type, select the SSL certificate you created above, and click OK
      IIS - Edit Site Binding - WSUS
    5. Click Close on the Site Bindings window
      IIS - Site Bindings - https
  6. Next, we need to enforce SSL encryption on the following virtual roots
    • ApiRemoting30
    • ClientWebService
    • DSSAuthWebService
    • ServerSyncWebService
    • SimpleAuthWebService

    1. Expand WSUS Administration and foreach of the directories above, complete the following steps
      1. Select the virtual site
        IIS - WSUS Administration
      2. Double click on SSL Settings
        IIS - WSUS Administration - SSL Settings
      3. Check Require SSL and leave client certificates to ignore
        IIS - WSUS Administration - SSL Settings - Require SSL
      4. Click Apply in the top right corner
        IIS - SSL Settings - Apply
  7. Next, we need to execute a command to tell WSUS to use ssl
    1. Open up an elevated command prompt
      Server 2012 - Administrative Command Prompt
    2. Navigate to your WSUS installation folder
      1. cd “c:\Program Files\Update Services\Tools”
        cmd - program files - update services - tools
    3. Execute the following command (replace your server with the correct FQDN)
      1. WSUSUtil.exe configuressl myserver.mydomain.local
        wsusutil configuressl
  8. Restart the WSUS server to make sure all changes take effect.  You should be able to bring up the WSUS management console if all went well.
  9. Configure your clients to connect via SSL to the WSUS server via Group Policy
    1. Login to your domain controller
    2. Open up Server Manager
      Server 2012 R2 - Server Manager
    3. Open up Group Policy Management
      Server Manager - Tools - Group Policy Management
    4. Right click on the policy you want to edit and select Edit
      Edit GPO
    5. Expand Computer Configuration -> Polices -> Administrative Templates -> Windows Components -> Windows Update
    6. Double click on Specify intranet Microsoft update service location
      Specify intranet Microsoft update service location
    7. Change the intranet update service url to https and specify port 8531 and then click Apply.
      Specify intranet Microsoft update service location - options

That should do it!  Try doing a gpupdate /force on your local machine and the check for windows updates.  If windows successfully completes checking for updates, you should be good to go! 🙂

Notes: Official documentation from Microsoft in regards to using SSL and WSUS can be found here: http://technet.microsoft.com/en-us/library/hh852346.aspx#consswsus

14 thoughts on “Enabling SSL on Windows Server Update Services (WSUS)

  1. Mark

    There is an error in your doco. You have in Step5 assigning the cert to the default website, instead of the WSUS Administration website

    Reply
    1. Jack Post author

      Hey Mark,

      Thank you for pointing this out! I have updated the document to reflect the correct settings.

      Appreciate the feedback!
      Jack

      Reply
  2. Anwar

    Hi Jack,

    Thanks for providing these instructions – very helpful!
    Does this also provide client authentication? In other words, does the WSUS server require WSUS clients to authenticate themselves to the WSUS server by providing a computer certificate?

    Thanks in advance,
    Anwar

    Reply
    1. Jack Post author

      This requires the client to use SSL to communicate with WSUS but does not require the client to authenticate itself with their computer certificate. I believe you can achieve this by checking Require in IIS instead of Ignore (as shown in step 6-3).

      Hope this helps,
      Jack

      Reply
  3. Lasse

    Exelent write-up.
    Maybe add that wildcard certificates are a NO-GO.
    And add the command for moving to port 443 / 80 instead of the 853x ports 🙂

    Reply
      1. Jack Post author

        There is no documentation by Microsoft stating that WSUS v3.0 supports or doesn’t support. In this case, based on forums and the blog, it appears there are issues with the WSUS service understanding wildcard certs properly.

        Reply
  4. Pingback: Migrer un serveur WSUS en SSL - TechSpaceTechSpace

  5. Mark

    How would you create a certificate to work with an external FQDN and internal FQDN using an internal root CA?

    Reply
  6. gaurav pandey

    At Step 6, by mistake I have applied “Require SSL” and “Ignore” on all subdirectories and the main directory “WSUS Administration” which broke something and WSUS is not showing the page and showing error with “Reset Server Node” button. Can you please guide, what setting I should choose for all those directory and subdirectories?

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *