While investigating the topic "How to Configure the WSUS Web Site to Use SSL", we uncovered a slight anomaly in the certificate requirements for an active Internet-based software update point. When the other Internet-based site systems (Internet-based management point and Internet-based distribution point) accept connections only from clients on the Internet, the native mode certificate requirement is that only the Internet FQDN is specified in the Web server certificate. However, the Internet-based software update point requires the intranet FQDN to be specified in the certificate as well, even when clients on the intranet will not connect to it.
The intranet FQDN is required in the certificate because you must run the command WSUSUtil.exe configuressl <intranet FQDN of the software update point site system> when configuring the WSUS Web site to use SSL. If you specify the intranet FQDN with this command and the same FQDN is not included in the Web server certificate, the Internet-based software update point will not be able to connect with the active software update point on the intranet, and synchronization will fail.
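One way to confirm that a Web server certificate carries both names before running WSUSUtil.exe configuressl, as an added example that is not part of the original post. The function name and both FQDNs are hypothetical placeholders, and the script assumes Windows PowerShell 3.0 or later, where the certificate provider exposes DnsNameList and EnhancedKeyUsageList.

```powershell
# Added example, not from the original post.
# Lists unexpired server-authentication certificates in the local computer
# store and reports which of the required FQDNs each one is missing.
function Test-SupCertificateNames {
    param(
        [Parameter(Mandatory)] [string[]] $RequiredFqdn,
        [string] $StorePath = 'Cert:\LocalMachine\My'
    )

    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU

    Get-ChildItem -Path $StorePath | Where-Object {
        # Certificates with no EKU extension are skipped by this filter.
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid)
    } | ForEach-Object {
        # DnsNameList holds the SAN DNS entries; when the certificate has no
        # SAN DNS entries, the provider fills it from the Subject instead.
        $names = @($_.DnsNameList | ForEach-Object { $_.Unicode })

        # Exact, case-insensitive comparison; wildcard entries are not expanded.
        $missing = @($RequiredFqdn | Where-Object { $names -notcontains $_ })

        [pscustomobject]@{
            Thumbprint   = $_.Thumbprint
            Subject      = $_.Subject
            NotAfter     = $_.NotAfter
            DnsNames     = $names -join ', '
            MissingFqdns = $missing -join ', '
            CoversAll    = ($missing.Count -eq 0)
        }
    }
}

# Constructed placeholder names; replace them with the site system's own.
$internetFqdn = 'sup.example.com'          # Internet FQDN of the software update point
$intranetFqdn = 'sup01.corp.example.com'   # intranet FQDN given to WSUSUtil.exe configuressl

Test-SupCertificateNames -RequiredFqdn $internetFqdn, $intranetFqdn |
    Format-List
```

Compare the thumbprint of the row where CoversAll is True with the certificate bound to the WSUS Web site; a row that lists the intranet FQDN under MissingFqdns is the condition under which synchronization fails.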
In the next documentation update, this revision will be added to Certificate Requirements for Native Mode for the site system roles. In the meantime, if you have any questions about this, contact us through SMSDocs@Microsoft.com.
This posting is provided AS IS with no warranties and confers no rights.