Purpose
If you created your code signing certificate using an internal CA, the Shavlik Patch plugin lets you import this certificate via the Shavlik Patch Settings on the WSUS Server tab. However, the import function requires an SSL connection to the WSUS server. As part of the SSL configuration, another type of certificate, an SSL Server Certificate, is required for secure communication between the SCCM and WSUS servers. This document provides details on how to create a self-signed SSL certificate and configure IIS to use SSL on your WSUS server for use with Shavlik Patch for Microsoft System Center.
Shavlik does not provide support for Microsoft products such as Configuration Manager, WSUS, or IIS. If you have trouble setting up these prerequisites for installing the Shavlik Patch plugin, it is best to work directly with Microsoft support.
Description
The steps below show how to configure IIS on the WSUS Server to use SSL. You will need to have the IIS role and functionality working prior to performing these steps. This documentation was created using a Windows Server 2012 R2 environment.
1) Ensure that Server Manager is opened (run as administrator), and click Tools > Internet Information Services (IIS) Manager.
2) Click the server node in the Connections tree. Double-click "Server Certificates".
3) Click "Create Self-Signed Certificate...".
4) Fill in the edit field “Specify a friendly name for the certificate”. Select the “Web Hosting” certificate store. Click OK.
5) Click “WSUS Administration” in the Connections tree.
6) Click “Bindings…” in the Actions column.
7) Click “https 8531”. Click “Edit…”.
8) Select the SSL certificate you just created in the dropdown box. Click “View…”.
9) Note the FQDN of the “Issued to” server. Click OK.
10) Enter the FQDN host name you noted from the Certificate window. Click OK.
11) Click Close.
12) Expand “WSUS Administration” in the Connections tree. Click on ClientWebService. Double-click “SSL Settings”.
13) Click the checkbox “Require SSL”. Click Apply.
14) Repeat the last two steps for “DssAuthWebService”, “ServerSyncWebService”, and “SimpleAuthWebService”. Close Internet Information Services (IIS) Manager.
15) Start a command prompt in Administrator mode. Change directory to C:\Program Files\Update Services\Tools. Run WsusUtil.exe configuressl <FQDN>. Make sure you get a similar URL response as shown. Close the command prompt.
16) Now you need to export the certificate. Run MMC in Administrator mode. Click File > Add/Remove Snap-in…
17) Click Certificates. Click Add.
18) Click the radio button “Computer account”. Click Next.
19) Click Finish.
20) Click OK.
21) Expand the Certificates (Local Computer) \ Trusted Root Certification Authorities and click on Certificates. Right-click on the certificate that matches the FQDN of this server. Click All Tasks > Export…
22) Once you export the certificate, copy it to each SCCM system that will need to connect to the WSUS server, and ensure that the certificate is imported into Trusted Root Certification Authorities > Certificates on each of those systems.
23) Once this is configured you should then be able to connect using SSL via the Shavlik Patch plugin settings. If you have the Shavlik Patch plugin installed in SCCM, go to Software Library > Software Updates > right click on 'Shavlik Patch', then choose Settings.
24) Go to the WSUS Server tab. You can now choose Port 8531 and check the box for 'Use Secure Sockets Layer (SSL) to connect to this server'. Test the connection, and then click the 'Import' button to import your code-signing certificate.
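The following PowerShell is an added example, not part of the original Shavlik article. Run on an SCCM system after step 22, it retrieves the certificate that the WSUS server presents on port 8531 and reports whether the name matches the FQDN and whether the certificate is present in the local Trusted Root store. The host name wsus01.example.local is a placeholder; substitute the FQDN noted in step 9.

```powershell
# Added example: verify the WSUS SSL binding from an SCCM system.
# $WsusFqdn is a placeholder; use the FQDN from the certificate's "Issued to" field.
param(
    [string]$WsusFqdn = 'wsus01.example.local',
    [int]$Port = 8531
)

$script:policyErrors = $null
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($WsusFqdn, $Port)
    # Let the handshake complete even if validation fails, but record the
    # errors .NET found so trust problems are reported instead of hidden.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $errors)
        $script:policyErrors = $errors
        $true
    }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($WsusFqdn)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Close()
}

# A self-signed certificate is its own root, so its thumbprint must be in
# the local machine's Trusted Root Certification Authorities store.
$inRoot = Test-Path "Cert:\LocalMachine\Root\$($cert.Thumbprint)"

[pscustomobject]@{
    Subject       = $cert.Subject
    Thumbprint    = $cert.Thumbprint
    NotAfter      = $cert.NotAfter
    InTrustedRoot = $inRoot
    PolicyErrors  = $script:policyErrors
}

if ($script:policyErrors -ne [System.Net.Security.SslPolicyErrors]::None) {
    # RemoteCertificateNameMismatch: the binding host name and certificate differ.
    # RemoteCertificateChainErrors: the certificate is not trusted on this system.
    Write-Warning "SSL validation failed: $($script:policyErrors)"
}
elseif ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($cert.NotAfter); plan a replacement."
}
```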
Additional Information
For more information refer to the following resources:
Technet - Secure the WSUS 3.0 SP2 Deployment
Microsoft's documentation on System Center 2012 at http://technet.microsoft.com/en-us/library/hh546785.aspx
Shavlik Patch for Microsoft System Center Documentation
Affected Product(s)
Shavlik Patch for Microsoft System Center
(Formerly Shavlik SCUPdates)