Clarifying: How to Configure the WSUS Web Site to Use SSL

It has recently come to our notice from the forums that we need to clarify the WSUSUtil.exe configuressl command that is run when configuring the WSUS Web site to use SSL. Although this topic was updated for the August 2008 documentation update to include instructions for IIS 7.0, it still gives the command as WSUSUtil.exe configuressl <subject name in the signing certificate>. This should more accurately read WSUSUtil.exe configuressl <intranet FQDN of the software update point site system>.

Update October 6th 2008: If you are running an NLB software update point, the WSUSUtil.exe configuressl command must be run on each node, using the intranet FQDN of the respective software update point site system - and not the FQDN of the NLB software update point.

The instructions were written on the assumption that the intranet FQDN would be in the Web server certificate Subject, whereas it might instead appear only in the certificate Subject Alternative Name (SAN). This came to light because of the certificate requirements section in the ISA article How to Configure ISA SSL Bridging for System Center Configuration Manager Internet-Based Client Management, which says:

When the site system accepts connections from intranet clients as well as from Internet clients, the certificate Subject name must contain the site system’s configured Internet FQDN, and the certificate Subject Alternative Name (SAN) must contain both the Internet FQDN and the intranet server name. When you are using a SAN, ensure that the Internet FQDN is specified as the Subject name and also as the first Subject Alternative Name (SAN) entry.

In this scenario, the Web server certificate for the software update point contains the Internet FQDN in the certificate Subject and in the first SAN entry, and the intranet FQDN appears as the second SAN entry. Because our documentation said to specify the certificate Subject name, the question on the forums was whether the WSUSUtil.exe configuressl command for this scenario should specify the Internet FQDN. The answer is no: you should always specify the intranet FQDN with this command, and the documentation will be updated accordingly.
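The following PowerShell script is an added example and is not part of the original post or of the Configuration Manager or WSUS product code. It shows the check a practitioner would want before running the command: find the Web server certificate that IIS can bind, confirm that this server's intranet FQDN appears in its Subject or in one of its SAN entries (the ISA SSL bridging scenario above puts it in the second SAN entry), and then run WSUSUtil.exe configuressl with the intranet FQDN rather than the Internet FQDN. It assumes the certificate is in the LocalMachine\My store, that WSUS 3.x is installed in its default location, and that the site system's configured intranet FQDN is the same as the machine's DNS host name; the -DryRun and -Thumbprint parameters are the script's own. Because it derives the FQDN from the local machine, running it on each node of an NLB software update point passes that node's own FQDN, not the NLB FQDN.

```powershell
# Added example, not from the original post. Assumptions: certificate in
# Cert:\LocalMachine\My, WSUS 3.x under %ProgramFiles%\Update Services,
# intranet FQDN of the site system == this machine's DNS host name.
param(
    [string]$Thumbprint,   # optional: pin the exact certificate to check
    [switch]$DryRun        # print the WSUSUtil.exe command instead of running it
)

$ErrorActionPreference = 'Stop'

# Intranet FQDN of this site system (assumption: equals the DNS host name).
$intranetFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# DNS names a certificate is valid for: the Subject CN plus every SAN entry.
function Get-CertDnsNames([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert) {
    $names = @()
    if ($cert.Subject -match 'CN=([^,]+)') { $names += $matches[1].Trim() }
    # 2.5.29.17 is the Subject Alternative Name extension.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format($true) yields one entry per line, e.g. "DNS Name=sup01.corp.contoso.com"
        # (the label text is locale-dependent, so only the value after '=' is used).
        foreach ($line in ($san.Format($true) -split "`r?`n")) {
            if ($line -match '=\s*([^,\s]+)') { $names += $matches[1].Trim() }
        }
    }
    return $names
}

# Candidate certificates: Server Authentication EKU and a private key, i.e. what IIS can bind.
$store = Get-ChildItem Cert:\LocalMachine\My
if ($Thumbprint) {
    $candidates = $store | Where-Object { $_.Thumbprint -eq $Thumbprint }
} else {
    $candidates = $store | Where-Object {
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.1' })
    }
}

# Keep only certificates that actually cover the intranet FQDN (Subject or SAN) and are not expired.
$cert = $candidates |
    Where-Object { $_.NotAfter -gt (Get-Date) -and ((Get-CertDnsNames $_) -contains $intranetFqdn) } |
    Select-Object -First 1

if (-not $cert) {
    throw "No valid Server Authentication certificate in LocalMachine\My lists '$intranetFqdn' in its Subject or SAN. Fix the certificate before running configuressl."
}

Write-Host "Certificate   : $($cert.Subject) [$($cert.Thumbprint)]"
Write-Host "DNS names     : $((Get-CertDnsNames $cert) -join ', ')"
Write-Host "configuressl  : $intranetFqdn   (intranet FQDN, never the Internet or NLB FQDN)"

$wsusUtil = Join-Path $env:ProgramFiles 'Update Services\Tools\WSUSUtil.exe'
if (-not (Test-Path $wsusUtil)) { throw "WSUSUtil.exe not found at $wsusUtil" }

if ($DryRun) {
    Write-Host "Would run: `"$wsusUtil`" configuressl $intranetFqdn"
} else {
    & $wsusUtil configuressl $intranetFqdn
    if ($LASTEXITCODE -ne 0) { throw "WSUSUtil.exe configuressl failed with exit code $LASTEXITCODE" }
}
```

Run it first with -DryRun from an elevated PowerShell prompt on the software update point; it lists the certificate's Subject CN and SAN entries so you can see where the intranet FQDN sits before the command is executed.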

Thanks to our testers for clarifying this (Adam Meltzer) and verifying (Eric Mattoon).

- Carol

This posting is provided AS IS with no warranties and confers no rights.