Solved

WSUS SSL-certificate Auto-enrollment via GPO

Posted on 2010-08-23
1,390 Views
Last Modified: 2013-12-04
Have installed WSUS 3 SP2 on Server 2003 R2.
Have installed and configured a Certificate Authority.
Have created the Root certificate and the WSUS certificate.
Have issued the WSUS certificate on IIS and changed the TechNet-mentioned folders to run SSL.
It seems I have the chance to auto-enroll the Root certificate via GPO (Computer Configuration, Windows Settings, Security Settings, Public Key Policies, Trusted Root Certification Authorities); but I can't figure out where to place the WSUS certificate in the GPO.

My question is: how do I auto-enroll the WSUS certificate via GPO? Or is there a good description of how to auto-enroll the SSL certificates from the very start?


Question by:olefisk
7 Comments
 
LVL 1

Expert Comment

by:gustav25
ID: 33501411
Hi,

why do you want to deploy the WSUS certificate to your clients?
If you have deployed your root certificate successfully and you issued your WSUS Cert from your root or subordinate CA your clients will trust the certificate.

Regards

Author Comment

by:olefisk
ID: 33505407
Hi gustav25

Thanks for your prompt reply.
I'm a total rookie on CAs and certificates, but have to implement it with WSUS for using a third-party add-on.
I have followed a nice article concerning SSL and WSUS: http://slashhome.wordpress.com/2007/08/23/wsus-installation-with-ssl/
but this article describes manual installation of the certificates on the clients, and not via AD and GPO.
Therefore I'm a little bit lost.
In the article it is described that both certificates have to be installed, and my issue was then that AD also had to install both certificates via the auto-enroll.
But I'll take a look at the clients in the next days to see if it is working, and then come back with a reply.
LVL 1

Expert Comment

by:gustav25
ID: 33508078
Hi,

I don't really get what you want to achieve.
If you followed the article, you installed a stand-alone CA on your WSUS server.
I think this is quite a strange solution in an AD environment, but okay, if you don't want to use your CA for other purposes it works.

Deploying a certificate with a GPO is something different than autoenrollment. Autoenrollment means that a CA issues a certificate to a client or user (e.g. for smartcards), and a stand-alone CA can't autoenroll certificates.

I think you want your clients to trust your WSUS server, don't you? To achieve this goal, use a GPO to install your Root-CA certificate in the clients' Trusted Root Certification Authorities location. This is the point you mentioned in your first post.

Regards

Author Comment

by:olefisk
ID: 33510464
Hi
Thanks again gustav25!!

Yes, I have succeeded in getting the Root-CA on the clients, and created/installed the SSL certificate for IIS, and it works fine when clients contact WSUS.

I only want to achieve running WSUS with SSL in an AD domain, where WSUS is running on an additional DC, and afterwards adding the add-on.

Started with WSUS without SSL, but we wish to use this nice application to install 3rd-party applications via WSUS:
https://sourceforge.net/projects/localupdatepubl/
and it is then needed to run WSUS with SSL.

So I tried to find some documentation on best practice for setting up SSL with WSUS 3 SP2, but with no success, except the earlier mentioned article, and got stuck on the part about distributing the certificates via a GPO.

Everything seems to go fine, until the "Local Update Publisher" (the app for installing 3rd-party apps) has to sign the update, where the app needs to use a certificate. It fails when trying to save the signed update in a folder.
LVL 1

Accepted Solution

by:
gustav25 earned 500 total points
ID: 33510627
Well, then I think you rather have a problem with the cert for your app.
Every cert has attributes like Common Name and so on, and it is also issued for a specific purpose, e.g. Web Server.
But to sign code you need a cert which is issued to sign code, and I think this can't be done with a stand-alone CA, so you need an Enterprise CA.

But I don't know this application, so I don't know if it really signs code.
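The two points gustav25 makes in the thread, that clients only need the Root-CA certificate in Trusted Root Certification Authorities (the WSUS certificate itself is not deployed to them), and that a certificate issued for the Web Server purpose cannot be used to sign updates, can both be checked from a client with the script below. It is an added example written for this page, not code from the thread or from Local Update Publisher; the host name wsus.example.local and the SSL port 8531 are assumptions, as is the registry path used by the WSUS client policy.

```powershell
# Added example for this thread, not code from the original post or from Local Update Publisher.
# Run on a domain client after the Root-CA certificate has been pushed by GPO.
# Assumed values (not taken from the thread): host name wsus.example.local, SSL port 8531.
param(
    [string]$WsusHost = 'wsus.example.local',
    [int]$WsusPort    = 8531
)

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Enhanced Key Usage: Server Authentication (Web Server)
$CodeSignOid   = '1.3.6.1.5.5.7.3.3'   # Enhanced Key Usage: Code Signing

# Open a TLS connection and return the certificate the WSUS web site presents.
function Get-RemoteServerCertificate {
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate during the handshake; trust is evaluated separately below.
        $acceptAll = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally {
        $client.Close()
    }
}

# Build the chain with the client's own stores and require the chain root to sit in
# LocalMachine\Root, i.e. the store the GPO 'Trusted Root Certification Authorities' node fills.
function Test-CertificateChainTrusted {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # A stand-alone CA on the WSUS box typically publishes no reachable CRL, so skip revocation here.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($Cert)
    if (-not $built) {
        foreach ($s in $chain.ChainStatus) { Write-Warning ("Chain: {0} {1}" -f $s.Status, $s.StatusInformation.Trim()) }
    }
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $inRootStore = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $root.Thumbprint }
    return [bool]($built -and $inRootStore)
}

# True if the certificate's Enhanced Key Usage extension lists the given purpose OID.
function Test-CertificateHasEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Oid)
    $eku = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $eku) { return $false }   # no EKU extension at all
    return [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $Oid })
}

# 1. Client side: the GPO-managed update URL must be the https:// one.
$wu = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' -ErrorAction SilentlyContinue
'WUServer            : {0}' -f $wu.WUServer
'Uses https          : {0}' -f ($wu.WUServer -like 'https://*')

# 2. Server certificate: trusted through the deployed root, issued for Server Authentication,
#    and issued to the name the clients use. The WSUS certificate itself is NOT needed on clients.
$wsusCert = Get-RemoteServerCertificate -HostName $WsusHost -Port $WsusPort
'Server cert subject : {0}' -f $wsusCert.Subject
'Chain trusted       : {0}' -f (Test-CertificateChainTrusted -Cert $wsusCert)
'Server Auth EKU     : {0}' -f (Test-CertificateHasEku -Cert $wsusCert -Oid $ServerAuthOid)
'Name matches host   : {0}' -f ($wsusCert.GetNameInfo('DnsName', $false) -eq $WsusHost)

# 3. Signing side: a Web Server certificate cannot sign updates; list certificates in the machine
#    store that carry the Code Signing purpose and have a private key (run this on the WSUS/LUP box).
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and (Test-CertificateHasEku -Cert $_ -Oid $CodeSignOid) } |
    Select-Object Subject, NotAfter, Thumbprint
```

If "Chain trusted" is False while the handshake itself succeeded, the warnings printed from ChainStatus show why (typically an untrusted root, which means the GPO has not applied on that client yet, or a name mismatch when the certificate's Common Name differs from the host name in WUServer). If step 3 lists nothing, the only certificate on the box is the Web Server one, which matches the symptom gustav25 describes.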
LVL 27

Expert Comment

by:Tolomir
ID: 33999619
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.