Configuring SSL between WSUS servers (Upstream and Downstream Servers)

From Server Manager:
– Tools
– Open IIS (Internet Information Services Manager)

  • Click on the IIS server node
  • Double-click on Server Certificates


Click on Import (import the SSL certificate in .pfx format and enter its password).

Note: This certificate should be replaced when it expires, to keep connectivity between the upstream and downstream servers.

Note: The certificate of the certification authority (CA) must be imported into the local computer Trusted Root CA store, or into the Windows Server Update Service Trusted Root CA store, on downstream WSUS servers. If the certificate is only imported into the current user's Trusted Root CA store, the downstream WSUS server will not be authenticated on the upstream server.

Note: You must import the certificate to all computers that will communicate with the WSUS server. This includes all client computers, downstream servers, and computers that run the WSUS Administration Console. The certificate should be imported into the local computer Trusted Root CA store or into the Windows Server Update Service Trusted Root CA store.
https://docs.microsoft.com/en-us/windows-server/administration/windows-server-update-services/deploy/2-configure-wsus
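The import steps above, done from an elevated PowerShell prompt instead of the IIS console. This is an added example and not part of the original post or of Microsoft's documentation; the file paths under C:\certs are hypothetical placeholders. It puts the server certificate (with its private key) into the local machine Personal store, puts the CA certificate into the local machine Trusted Root store (not the user store the note above warns about), and then runs the checks a practitioner wants before touching IIS: private key present, expiry not imminent, chain builds.

```powershell
# Added example (not from the original post). Assumptions:
#   - C:\certs\wsus.pfx    : WSUS server certificate with private key (hypothetical path)
#   - C:\certs\rootca.cer  : public certificate of the issuing CA   (hypothetical path)
#   - elevated PowerShell on Windows Server 2012 or later (PKI module ships with the OS)

$pfxPath = 'C:\certs\wsus.pfx'
$caPath  = 'C:\certs\rootca.cer'

# Prompt for the PFX password instead of embedding it in the script.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# 1. Server certificate + private key -> LocalMachine\My.
#    IIS can only bind certificates that live under LocalMachine, never CurrentUser.
$serverCert = Import-PfxCertificate -FilePath $pfxPath `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -Password $pfxPassword

# 2. CA certificate -> LocalMachine\Root.
#    Importing into CurrentUser\Root is the mistake described above: the WSUS service
#    and downstream servers never read the user store, so trust silently fails.
Import-Certificate -FilePath $caPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 3. Checks before moving on to the IIS binding.
if (-not $serverCert.HasPrivateKey) {
    throw 'Imported certificate has no private key; IIS cannot use it for HTTPS'
}

$daysLeft = ($serverCert.NotAfter - (Get-Date)).Days
if ($daysLeft -lt 30) {
    Write-Warning "Certificate '$($serverCert.Subject)' expires in $daysLeft days; renew it before upstream/downstream sync breaks"
}

# Verify() builds the chain against the machine's stores, so it fails if step 2 was skipped.
if (-not $serverCert.Verify()) {
    Write-Warning 'Chain validation failed: confirm the issuing CA is in Cert:\LocalMachine\Root'
}

# 4. Print what to pick later in the IIS binding dialog.
$serverCert | Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey
```

Run the same CA import (step 2) on every downstream server, client and console machine, as the note above requires; only the WSUS server itself needs the PFX.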

We have to bind the SSL certificate to the WSUS Administration site in IIS.

  • Expand your server, expand Sites, and select WSUS Administration

Under Actions, click on Bindings.

The Site Bindings window opens.

Select the https binding, click on Edit, enter the host name and select the certificate for https.

Now enforce SSL encryption on the virtual roots listed below.
Note: Repeat these steps for each directory in the list.

https://docs.microsoft.com/en-us/windows-server/administration/windows-server-update-services/deploy/2-configure-wsus

  • ApiRemoting30
  • ClientWebService
  • DSSAuthWebService
  • ServerSyncWebService
  • SimpleAuthWebService

Select the directory (virtual root), e.g. ClientWebService, and double-click on SSL Settings.

Check Require SSL and, under Actions, click on Apply.
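The binding and the per-directory Require SSL steps, scripted with the WebAdministration module so that none of the five virtual roots is missed. This is an added example, not code from the original post; it assumes the default site name "WSUS Administration" created by the WSUS role, the default HTTPS port 8531, a placeholder FQDN wsus.example.local, and a certificate already present in Cert:\LocalMachine\My.

```powershell
# Added example (not from the original post). Assumptions:
#   - site name 'WSUS Administration' (default created by the WSUS role)
#   - $fqdn is a placeholder; replace with the name in the certificate subject
#   - 8531 is the default WSUS HTTPS port; elevated session with the IIS role installed

Import-Module WebAdministration

$siteName  = 'WSUS Administration'
$fqdn      = 'wsus.example.local'   # placeholder
$httpsPort = 8531

# Pick the server certificate by subject and insist on exactly one match.
$cert = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$fqdn*" -and $_.HasPrivateKey })
if ($cert.Count -ne 1) {
    throw "Expected exactly one certificate with a private key for CN=$fqdn, found $($cert.Count)"
}
$cert = $cert[0]

# 1. HTTPS site binding (the Bindings -> Add/Edit step in the IIS console).
if (-not (Get-WebBinding -Name $siteName -Protocol https -Port $httpsPort)) {
    New-WebBinding -Name $siteName -Protocol https -Port $httpsPort -HostHeader $fqdn
}

# 2. Attach the certificate to that binding (the SSL certificate dropdown in the dialog).
$sslBindingPath = "IIS:\SslBindings\0.0.0.0!$httpsPort"
if (-not (Test-Path $sslBindingPath)) {
    $cert | New-Item $sslBindingPath | Out-Null
}

# 3. Require SSL on every virtual root in the list. sslFlags='Ssl' is the
#    "Require SSL" checkbox; SslRequireCert is deliberately NOT set, because
#    WSUS does not use client certificates and it would break the clients.
$virtualRoots = 'ApiRemoting30', 'ClientWebService', 'DSSAuthWebService',
                'ServerSyncWebService', 'SimpleAuthWebService'

foreach ($vroot in $virtualRoots) {
    $path = "IIS:\Sites\$siteName\$vroot"
    if (-not (Test-Path $path)) { Write-Warning "$vroot not found under $siteName"; continue }
    Set-WebConfigurationProperty -PSPath $path -Filter 'system.webServer/security/access' `
        -Name sslFlags -Value 'Ssl'
}

# 4. Verify: print sslFlags for each root so a directory that was skipped stands out.
foreach ($vroot in $virtualRoots) {
    $flags = (Get-WebConfigurationProperty -PSPath "IIS:\Sites\$siteName\$vroot" `
        -Filter 'system.webServer/security/access' -Name sslFlags).Value
    '{0,-22} sslFlags={1}' -f $vroot, $flags
}
```

The verification loop at the end is worth keeping as a standalone check: a downstream server that syncs over HTTP while one root still allows it is exactly the half-configured state the note above ("repeat for each directory") is trying to avoid.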

Let's instruct WSUS to make use of SSL; this is done from the command line.

Navigate to the WSUS installation path C:\Program Files\Update Services\Tools on your server.

Run WsusUtil.exe followed by configuressl and the FQDN of the WSUS server:

C:\Program Files\Update Services\Tools\WsusUtil.exe configuressl <FQDN>

WsusUtil prints the result of the reconfiguration.

Finally, restart the WSUS server to make sure all changes take effect. If everything is okay, this restores access to the WSUS management console.

Note: If you see some weird issues after configuring SSL, simply run these commands:

C:\Program Files\Update Services\Tools\WSUSutil usecustomwebsite false

  • And rerun

C:\Program Files\Update Services\Tools\WSUSutil usecustomwebsite true

Note: All your downstream servers will still be connected to the upstream server, now using port 8531. You will have to have all the firewall rules in place to allow this.
– You can additionally reconfigure SSL later with configuressl from this path: C:\Program Files\Update Services\Tools\WSUSutil
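The configuressl step, the restart, the 8531 firewall rule from the note above and a verification pass, put together as one script. This is an added example and not from the original post: it assumes the default WSUS install path under $env:ProgramFiles, a placeholder FQDN wsus.example.local, and port 8531. The TLS handshake check confirms the certificate the server actually presents, and Get-WsusServer over SSL is the same call the administration console and downstream servers make, so it passing means the earlier steps are consistent.

```powershell
# Added example (not from the original post). Assumptions:
#   - WSUS installed in the default path $env:ProgramFiles\Update Services
#   - $fqdn is a placeholder and must match the CN/SAN in the certificate
#   - 8531 is the default WSUS HTTPS port (8530 is HTTP); elevated session

$fqdn      = 'wsus.example.local'   # placeholder
$httpsPort = 8531
$wsusUtil  = Join-Path $env:ProgramFiles 'Update Services\Tools\WsusUtil.exe'
if (-not (Test-Path $wsusUtil)) { throw "WsusUtil.exe not found at $wsusUtil" }

# 1. Tell WSUS to advertise itself over HTTPS under the certificate's name.
#    A name mismatch here is the usual cause of "downstream cannot sync" after SSL.
& $wsusUtil configuressl $fqdn
if ($LASTEXITCODE -ne 0) { throw "configuressl failed with exit code $LASTEXITCODE" }

# 2. Restart WSUS and IIS so the new configuration is picked up.
Restart-Service -Name WsusService -Force
iisreset | Out-Null

# 3. Allow inbound 8531, which downstream servers and clients now use.
$ruleName = 'WSUS HTTPS (8531)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort $httpsPort -Action Allow | Out-Null
}

# 4a. Port is listening.
$tcp = Test-NetConnection -ComputerName $fqdn -Port $httpsPort
if (-not $tcp.TcpTestSucceeded) { throw "Nothing listening on ${fqdn}:$httpsPort" }

# 4b. Full TLS handshake with chain and name validation, exactly what a downstream
#     server does. AuthenticateAsClient throws if the CA is not trusted or the name
#     does not match, which is the symptom the note about the Trusted Root store describes.
$client = New-Object System.Net.Sockets.TcpClient($fqdn, $httpsPort)
$ssl    = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
try {
    $ssl.AuthenticateAsClient($fqdn)
    'Presented certificate: {0} (expires {1})' -f `
        $ssl.RemoteCertificate.Subject, $ssl.RemoteCertificate.GetExpirationDateString()
} finally {
    $ssl.Dispose(); $client.Dispose()
}

# 4c. The WSUS API itself over SSL (UpdateServices module, installed with the WSUS role).
$wsus = Get-WsusServer -Name $fqdn -PortNumber $httpsPort -UseSsl
'WSUS {0} reachable over SSL, version {1}' -f $wsus.Name, $wsus.Version

# 5. The workaround from the note above, if the console misbehaves after enabling SSL:
#    & $wsusUtil usecustomwebsite false
#    & $wsusUtil usecustomwebsite true
```

Run step 4b from a downstream server as well (change nothing but where it runs): if it fails there but passes on the upstream, the CA certificate is missing from that downstream server's local computer Trusted Root store.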

https://community.spiceworks.com/topic/2036819-windows-wsus-error

Change default WSUS port from 8530 to 80 on Windows Server 2012

Note: You can setup your own CA: (Enterprise root CA)
http://www.vkernel.ro/blog/install-certification-authority-in-windows-server-2008-r2

http://jackstromberg.com/2013/11/enabling-ssl-on-windows-server-update-services-wsus/
https://community.spiceworks.com/topic/452180-setting-up-ssl-with-wsus
http://www.vkernel.ro/blog/configure-wsus-to-use-ssl