WSUS SSL-certificate Auto-enrollment via GPO

Posted on 2010-08-23
Last Modified: 2013-12-04
Have installed WSUS3 SP2 on Server 2003 R2
Have installed and configured Certificate-Authority
Have created Root-certificate and WSUS-certificate
Have issued the WSUS-certificate on IIS and changed the Technet-mentioned folders to run SSL.
It seems I have the chance to Auto-enroll the Root-certificate via GPO (Computer-Configuration, Windows settings, Security-settings, Public Key Policies, Trusted Root Certification Authorities); but I can't figure out where to place the WSUS-certificate in the GPO.

My question is how to auto-enroll the WSUS-certificate via GPO, or a good description on how to Auto-enroll the SSL-certificates from the very Start?


Question by:olefisk
7 Comments
 
LVL 1

Expert Comment

by:gustav25
ID: 33501411
Hi,

Why do you want to deploy the WSUS certificate to your clients?
If you have deployed your root certificate successfully and you issued your WSUS Cert from your root or subordinate CA your clients will trust the certificate.

Regards
0
 

Author Comment

by:olefisk
ID: 33505407
Hi gustav25

Thanks for Your prompt reply
I'm a total Rookie on CA and Certificates, but have to Implement it with WSUS for using a Third-Party Addon.
I have followed a nice Article concerning SSL and WSUS: http://slashhome.wordpress.com/2007/08/23/wsus-installation-with-ssl/
but this Article describes manual installation of the Certificates on the Clients, and not via AD and GPO.
Therefore I'm a little bit lost.
In the Article it is described that both Certificates have to be installed, and my Issue was then that AD also had to install both Certificates via the Auto-enroll.
But I'll take a look on the Clients the next days to see if it is working, and then come back with a Reply.
0
 
LVL 1

Expert Comment

by:gustav25
ID: 33508078
Hi,

I don't really get the point what you want to achieve.
If you followed the article you installed a stand-alone CA on your WSUS server.
I think this is quite a strange solution in an AD environment, but okay, if you don't want to use your CA for other purposes it works.

Deploying a certificate with GPO is something different than autoenrollment. Autoenrollment means that a CA issues a certificate to a client or user (e.g. for smartcards) and a stand-alone CA can't autoenroll certificates.

I think you want your clients to trust your WSUS server, don't you? To achieve this goal, use a GPO to install your Root-CA certificate in the clients' Trusted Root Certification Authorities location. This is the point you mentioned in your first post.

Regards
0

 

Author Comment

by:olefisk
ID: 33510464
Hi
Thanks again gustav25!!

Yes I have succeeded getting the Root-CA on the Clients, and created/installed the SSL Certificate for IIS, and it works fine when clients contact WSUS.

I only want to achieve to run WSUS with SSL in an AD-domain, where WSUS is running on an additional DC, and afterwards adding the Add-on.

Started with WSUS without SSL, but we wish to use this nice application to install 3rd-party applications via WSUS:
https://sourceforge.net/projects/localupdatepubl/
and it is then needed to run WSUS with SSL.

So I tried to find some documentation on best practice setting up SSL with WSUS 3 SP2, but no success, except the earlier mentioned Article, and got stuck on the part not distributing the certificates via a GPO.

Everything seems to go fine, until the "Local Update Publisher" (The app for installing 3rd-party app) has to Sign the Update, where the App needs to use a Certificate. It fails when trying to save the signed update in a folder.
0
 
LVL 1

Accepted Solution

by:
gustav25 earned 2000 total points
ID: 33510627
Well then I think you rather have a problem with the cert for your App.
Every cert has attributes like Common Name and so on and it is also issued for a specific purpose e.g. WebServer.
But to sign code you need a cert which is issued to sign code and I think this can't be done with a stand-alone CA, so you need an Enterprise CA.

But I don't know this Application, so I don't know if it really signs code.
0
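Added example, not part of the thread or of any poster's answer: a PowerShell check of the point made in the accepted solution, that a certificate is issued for a specific purpose. It lists the certificates in the computer's Personal store and reports whether each one's Enhanced Key Usage allows Server Authentication (what IIS needs for WSUS over SSL) or Code Signing (what a tool that signs update packages needs). Assumptions: PowerShell 3.0 or later, and the function name `Get-CertPurpose` is hypothetical.

```powershell
# Added example: report the purposes (Enhanced Key Usages) of certificates in a store.
# Get-CertPurpose is a hypothetical helper name, not a built-in cmdlet.
$ServerAuthOid  = '1.3.6.1.5.5.7.3.1'   # Server Authentication (SSL/TLS web server)
$CodeSigningOid = '1.3.6.1.5.5.7.3.3'   # Code Signing

function Get-CertPurpose {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        # Find the EKU extension, if the certificate carries one.
        $ekuExt = $Certificate.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }

        # A certificate with no EKU extension is not restricted to particular purposes.
        if ($ekuExt) {
            $oids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
        } else {
            $oids = @()
        }

        [pscustomobject]@{
            Subject       = $Certificate.Subject
            Issuer        = $Certificate.Issuer
            NotAfter      = $Certificate.NotAfter
            HasPrivateKey = $Certificate.HasPrivateKey   # required to sign or to serve SSL
            ServerAuth    = (-not $ekuExt) -or ($oids -contains $ServerAuthOid)
            CodeSigning   = (-not $ekuExt) -or ($oids -contains $CodeSigningOid)
            EkuOids       = if ($ekuExt) { $oids -join ', ' } else { '(none: unrestricted)' }
        }
    }
}

# Inspect the computer's Personal store, where the IIS/WSUS certificate is installed.
Get-ChildItem Cert:\LocalMachine\My | Get-CertPurpose | Format-Table -AutoSize
```

A certificate that shows `ServerAuth` as True but `CodeSigning` as False can secure the WSUS web site but cannot be used to sign update packages; signing also needs `HasPrivateKey` to be True.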
 
LVL 27

Expert Comment

by:Tolomir
ID: 33999619
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.
0
