Informations, tips and technics.

WSUS Installation with SSL

I would like to share with you some stuff that could help you with an new installation of WSUS (Windows Server Update Service 3).

In fact the setup itself is quite straitforward, the only thing that you have to care about is :

  • If possible, put the WSUS server in a Active Directory domainb because that way it will be simplier to administer the computers, groups and the certificate if you use SSL
  • Put the database of WSUS and the downloaded files on a bug disk and if possible in a different drive than the one where the OS and SQLServer will be installed
  • If you have SQLServer 2005 you can use it instead of the embeded version shipped with this tool but in any case, do not use the SQLServer 2005 Express edition simply because this version has some limitation that the embeded version (Windows Internal Database as Windows reports it) has not like the amount of memory you can give to the server, the number of CPU that SQLServer can use and the database size. (ref : http://blogs.codes-sources.com/christian/archive/2007/04/19/sql-server-2005-sql-server-embedded-edition-windows-internal-database.aspx)
  • Well maybe this embeded version is cool but what if you want to manage it a little more? Well you have the option to install and use the SQLServer Management Studio Express and as a parameter of the connection, use :
  • For the backup now. Well, in my case I use a simple script that :
    • Create the backup of the WSUS database using NTBACKUP by command line
    • Then, use 7-zip to compress the resulting file (NTBackup does not …)
      Here is the listing :
      REM Date 1 have now the yyymmdd date format
      for /f “tokens=1-3 delims=/ ” %%a in (‘date/t’) do set Date1=%%c%%a%%b
      REM delete of the old bkf file, the echo y| stuff if to auto-confirm
      echo y|del D:\*.bkf
      ntbackup backup D:\Databases\WSUS\UpdateServicesDbFiles\  /J “WSUS Databases backup” /FU /V:yes /HC:on /L:f /F “D:\WSUS_DB_BCK_%Date1%.bkf”
      cd “C:\Program Files\7-Zip”
      7z.exe a -tzip d:\WSUS_DB_BCK_%Date1%.bkf.zip “d:\WSUS_DB_BCK_%Date1%.bkf”
      echo y|del D:\WSUS_DB_BCK_%Date1%.bkf

Here is the basic. I will not go into configuring the entire system because you are big boys and some configurations may differ depending how your setup is.

 Anyway, for the SSL part now.

Just remember that when WSUS is configured to use SSL, in fact SSL will not be used to encrypt the transfert of the patchs or updates. This part is done by the BITS system (I really don’t know if the file transfert is encrypted or not). SSL will be used to secure communications for :

  • The remote console with the server itself (which is accessible using IIS)
  • Communication between client (computers and servers) and the WSUS server when they request about new updates or send status reports
  • Communication between and upstream server and a downstream server

That’s all.

Now see what will be the process to use SSL.

  • Install Certificate Service for Windows (this is good when you don’t want to pay for a certificate and when you want to only udpates internals systems)
  • Generate the certificate for the web server
  • Configure IIS to use SSL
  • Configure the console to connect using SSL
  • Deploy the certificate on the clients machines and on other remote WSUS administration console

 You want details now? Here they are :

 Install ‘Certificate Service’

  • Control Panel / Add Remove programs / Add remove windows components  and select ‘Certificate Service’
  • Confirm (Yes), Next
  • Choose what ‘kind’ of CA you want to install (in my case Stand Alone Root CA)
  • Choose a common name (the name of the server) WSUSSRV
  • Distinguish name suffix dc=yourdomain,dc=com
  • Validity perdiod 5 years
  • Next. A message may popup if you already have installed and then uninstalled Certificate Service : ‘The private key “WSUSSRV” already exists. Do you want to overwrite this key with a new one?’, confirm by ‘Yes’
    Certificate Service setup will generate a new key
  • Options Certificate database C:\WINDOWS\system32\CertLog
  • Certificate database log C:\WINDOWS\system32\CertLog
  • Shared folder C:\CAConfig
  • Next. A message will popup saying that IIS will be restarted, confirm ‘Yes’
    Certificate Service setup will then install and copy some files (the Windows CD maybe required)
  • Finish 

Certificate request for the WSUS web site

  • In IIS, right click on the WSUS web site and then Properties\Directory Security\Secured Communications
  • Click on ‘Server certificate’, Next 
  • Create new certificate
  • Choose Prepare request now but send it later, Next
  • Bit length  1024
  • Do not check the option ‘Select cryptographic service provider (CSP) for this certificate’ , Next
  • Organization : your organization
  • Organizational unit : again, you know your company better than me
  • Next
  • Common name WSUSSRV
  • Next
  • Country/Region : CA (canada) (at least for me, you know where you live)
  • State/Province : Québec
  • City/Locality : Montréal
  • Next
  • Give the path and the file name for the certificate request file :
  • Next, Next, Finish

 Installation and Approval of the certificate request

  • Programs /Administrative Tools / Certification Authority 
  • Right click on the name of the server then, All tasks / Submit new request
  • Give the path of the the certificate request you have just done earlier
  • Click in the folder ‘Pending Requests’
  • Select the certificate in the right pane (Ex : Request id 2)
  • Right click / All tasks / Issue 
  • Do to the folder ‘Issued Certificates’
  • Select in the right pane the certificate that we have just issued
  • Double click on the certificate (Ex : Request id 2)
  • In the Detail tab click on ‘Copy to file’, Next
  • Select the format (Base-64 encoded x509 (DER)), Next
  • Give the path and the name of the file
    C :\cert_wsus
  • Save, Next, Finish
  • A message should be displayed ‘The export was successfull’
  • In IIS, right click on thr WSUS web site, then Properties / Directory Security / Secured Communications
  • Click on ‘Server certificate’, Next
  • Select ‘Process the pending request and install the certificate’, Next
  • Select the certificate file 
    C :\cert_wsus.cer
  • Next
  • Select the SSL port (defaut : 443)
  • Next, Next, Finish, OK
  • Now, for the folders :
    • ApiRemoting30,
    • ClientWebService,
    • DssAuthWebService,
    • ServerSyncWebService,
    • SimpleAuthWebService
  • Right click on the folder, Properties / Directory Security / Secured Communications and then ‘Edit’
  • Check the option ‘Require Secure Shannel (SSL)
  • OK, Apply, OK 
  • Open a dos prompt and type iisreset to restart the web service
  • Run the dos command 
    Cd c:\program files\update services\tools
    wsustuil configuressl WSUSSRV
    (Note : be carefull to uppercase and lowercase. In my case, I have first used lowercase for the server name which make the server appear twice in the WSUS console)
  • Open the WSUS console
  • Check that you can connect and see the server. Or, delete the server and add it again cheking the option to use SSL this time


  • Now, in the domain controller or the the registry for the server that are not in the Active Directory and are managed by script, change the url of the WSUS server to http://WSUSSERVER. Note that on your domain controller, this setting is managed by a GPO.
  • On the client computer, open a dos prompt and type
    To refresh the policy settings
  • Download and install the WSUS client diagnostic tool ‘clientdiag.exe’ and the execute it to check if all is correct (ref : http://technet.microsoft.com/en-us/wsus/bb466192.aspx)

Checkin certification installation

  • Start / Run / mmc and select the snap-in ‘Certificate’ for Local Machine
  • Check that in the ‘Personnal’ folder, the 2 cetificates (root and wsus) are present
  • Check that the root certificate is also listed in the Trusted Root Certification Authorities’ (You can do a copy paste if is not)
  • Open the root certificate by double click on it
  • In the Detail tab, click on ‘Copy to file’, Next
  • Select the format (Base-64 encoded x509 (DER)), Next
  • Select the name and path
    C :cert_root_wsussrv.cer
  • Save
  • Next, Finish. The message ‘The export was successfull’ should appear
  • Close the console

 Certificate installation on the client side

You can use a setting in AD Users and Computers to automatically push a certificate to your clients computers AND if you have configured your Certificate Service to be an Enterprise Root CA (so it will be integrated into the Active Directory). I will not cover this part now. I will assume that the certificat installation on the client computer will be done by hand. Of course, if you have under of PCs, doing it using AD Users and Comuters is more than recommanded.

 Do the folowing operations for any computers that will contact the WSUS server and any Server, computers where the WSUS console is installed. I will assume that you have copied the certificates on the C drive of each computer but you can put those files on a share in your network.

  • Start / Run / mmc, Select the snap in ‘Certificate’ for the local machine
  • In the Personnal / Certificate folder, right click / All tasks / Import
  • Next
  • Select the file 
  • Next
  • Select  ‘Place all certificate in the folowing store’ [Personnal]
  • Next, Next, Finish, OK
  • Do exactly the same process for the web certificate cert_wsus_wsussrv.cer
  • In the Trusted Root Certification Authorities / Certificate folder,  right click and All tasks / Import
  • Next
  • Select the file 
  • Select ‘Place all certificate in the folowing store’ [Trusted Root Certification Authorities]
  • Next, Next, Finish, OK
  • Close the console
  • Open the WSUS console to check if you can connect (in the case where this console in in another computer that the one where WSUS server is installed, like you desktop for example)

To check if you newly configured client can contact the server, remember to use in DOS:

wuauclt /detectnow

And then locate and open the file in C:\Windows\WindowsUpdate.log to see if all is correct.


Filed under: Uncategorized, , , , ,

3 Responses

  1. barriedan says:

    Thanks for posting the SSL info, I have one question, every time I get to Installing Approval, I get an error saying ASN1 bad tag value met. 0x8009310b (ASN: 267) I have gone through the steps 6 times I can’t see any problems. Now I’m not on a domanin I’m stand alone WSUS. The certreq file looks like this.
    myname-WSUS, “”, “”, “”, “”, “”, myname-WSUS\myname-WSUS, “”, myname-WSUS_myname-WSUS.crt, “”


  2. Romain Pelissier says:

    Hi barriedan,
    So you got the problem when you do the apporval on the server right? but the communication between the server and the client is ok or not? Just to know if the problem is on the server or the client side.
    Please post as much information as possible and I will try to help you with this.

  3. Romain Pelissier says:

    I have maybe not found the definitive answer to your issue, but you can try the following steps here (http://www.pcreview.co.uk/forums/thread-2443775.php) and if it works (or not) please leave a comment and I will try to help you more.

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: