SSL setup?

#1 scerazy

Posted 27 Jun 2008, 02:05

I have a commercial wildcard certificate installed on IIS, which is used for WSUS 3 SP1.
The site gives the correct certificate, and other sites work OK on the same IIS server.

Yet the WSUS MMC (run from a remote workstation or even from the same server that WSUS is on) gives:

The Secure Socket Layer (SSL) certificate for this server could not be validated

How do I set up WSUS3 SP1 to connect via https?



#2 DavidGayler

Posted 30 Jun 2008, 05:26

Check that the name that you are using to connect to the WSUS server ( matches the cert name. If they don't match the cert, you can get this error.

#3 mdzikowski

Posted 30 Jun 2008, 06:26

Also, make sure you have the WSUS administration site correctly set up for SSL.

Configuring SSL on the WSUS Server

The most important thing to remember when configuring the WSUS server to use SSL is that WSUS requires two ports in this configuration: one for encrypting metadata with HTTPS and one for clear HTTP. When you configure IIS to use the certificate, keep the following points in mind:

You cannot set up the entire WSUS Web site to require SSL. This would mean that all traffic to the WSUS site would have to be encrypted, but WSUS only encrypts metadata traffic. When a client computer or another WSUS server attempted to get update files from WSUS, the transfer would fail because there is no way for WSUS to distribute the file by using plain HTTP.

To keep the WSUS Web site as secure as possible, only require SSL for the following virtual roots:






To keep WSUS functioning, you should not require SSL for the following virtual roots:




The certificate on downstream WSUS servers has to be imported into either the Local Computer's Trusted Root CA store or Windows Server Update Service's Trusted Root CA store. If the certificate is only imported to the Local User's Trusted Root CA store, the downstream WSUS server will fail server authentication on the upstream server.

You can use any port you like when you configure IIS to use SSL. However, the port you set up for SSL determines the port that WSUS uses for clear HTTP. Consider the following examples:

If you use the industry standard port of 443 for HTTPS traffic, then WSUS uses port 80 for clear HTTP traffic, which is the industry standard for HTTP.

If you use any other port for HTTPS traffic, WSUS assumes the clear HTTP traffic should be sent over the port that numerically precedes the port for HTTPS. For example, if you use port 8531 for HTTPS, WSUS uses 8530 for HTTP.


If you change the port number or want to use HTTPS to access the WSUS administration console, you have to create a new shortcut on your Start menu with the new URL in order to access the WSUS administration console from the Start menu. See Help and Support in Windows Server 2003 for information about creating shortcuts.

Sample SSL URLs to Access WSUS Administrative Console

This section includes sample URLs to use for accessing the WSUS administrative console when you have configured WSUS to use SSL.

Accessing WSUS Administrative Console by Using Industry Standard Port Assignments for SSL

If you were to install WSUS to the default site, and then set up SSL to use industry standard port assignments, you would use the following URL to access the WSUS administrative console over a secure connection:



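As an added example (not part of the thread or of the documentation quoted in it), the two checks raised in the replies above can be written in Python: whether the name used to reach the WSUS server is covered by a certificate name, and which clear-HTTP port WSUS pairs with the chosen HTTPS port. The host and certificate names are constructed, and the one-label wildcard rule is standard TLS name matching, not something stated in the thread.

```python
# Added example; host and certificate names below are constructed.

def cert_name_matches(connect_name, cert_name):
    """Return True if cert_name covers the name used to reach the server.

    Standard TLS matching: a leading "*" stands for exactly one DNS label,
    so "*.example.com" covers "wsus01.example.com" but neither the short
    name "wsus01" nor "wsus01.corp.example.com".
    """
    host = connect_name.rstrip(".").lower().split(".")
    pattern = cert_name.rstrip(".").lower().split(".")
    if len(host) != len(pattern) or "" in host:
        return False
    if pattern[0] == "*":
        # Assumption: require two fixed labels so "*.com" is never accepted.
        return len(pattern) >= 3 and host[1:] == pattern[1:]
    return host == pattern


def wsus_http_port(https_port):
    """Clear-HTTP port WSUS pairs with an HTTPS port (rule quoted in post #3)."""
    if not 2 <= https_port <= 65535:
        raise ValueError("HTTPS port out of range: %r" % https_port)
    return 80 if https_port == 443 else https_port - 1


def check_console_target(connect_name, https_port, cert_names):
    """Summarise both checks for one console connection attempt."""
    covering = [n for n in cert_names if cert_name_matches(connect_name, n)]
    return {
        "connect_name": connect_name,
        "name_ok": bool(covering),
        "covered_by": covering,
        "https_port": https_port,
        "http_port": wsus_http_port(https_port),
    }


if __name__ == "__main__":
    wildcard = ["*.example.com"]  # constructed certificate name
    for name, port in [("wsus01", 443), ("wsus01.example.com", 443),
                       ("wsus01.corp.example.com", 8531)]:
        print(check_console_target(name, port, wildcard))
```

A `name_ok` of `False` for the short server name is the case to look for when a wildcard certificate validates in a browser but not in the console.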