Solved

WSUS SSL-certificate Auto-enrollment via GPO

Posted on 2010-08-23
7
1,392 Views
Last Modified: 2013-12-04
Have installed WSUS3 SP2 on Server 2003 R2
Have installed and configured Certificate-Authority
Have created Root-certificate and WSUS-certificate
Have issued the WSUS-certificate on IIS and changed the Technet-mentioned folders to run
SSL.
It seems I have the chance to Auto-enroll the Root-certificate via GPO (Computer-Configuration, Windows settings, Security-settings, Public Key Policies, Trusted Root Certification Authorities); but I cant figure out where to place the WSUS-certificate in the GPO.

My question is how to auto-enroll the WSUS-certificate via GPO ?, or a good desription on how to Auto-enroll the SSL-certificates from the very Start?


0
Comment
Question by:olefisk
  • 3
  • 2
7 Comments
 
LVL 1

Expert Comment

by:gustav25
ID: 33501411
Hi,

why do you want to deploy the WSUS certificate to your clients?
If you have deployed your root certificate successfully and you issued your WSUS Cert from your root or subordinate CA your clients will trust the certificate.

Regards
0
 

Author Comment

by:olefisk
ID: 33505407
Hi gustav25

Thanks for Your prompt reply
I'm a total Rookie on CA and Certificates, but have to Implement it with WSUS for using a Third-Party Addon.
I have followed a nice Article concerning SSL and WSUS: http://slashhome.wordpress.com/2007/08/23/wsus-installation-with-ssl/
but this Article describes manul installation of the Certificates on the Clients, and not via AD and GPO.
Therefore I'm a little bit lost.
In the Article it is described that both Certificates have to be installed, and my Issue was then that AD also had to install both Certificates via the Auto-enroll.
But I'll take a look on the Clients the next days to see if it is working, and then come back with a Reply.
0
 
LVL 1

Expert Comment

by:gustav25
ID: 33508078
Hi,

I don´t really get the point what you want to achive.
If you followed the article you installed a stand-alone CA on your WSUS server.
I think this is quite a strange solution in an AD environment, but okay, if you don´t want to use your CA for other purposes it works.

Deploying a certificate with GPO is something different than autoenrollment. Autoenrollment means that a CA issues a certificate to a client or user (e.g. for smartcards) and a stand-alone CA can´t autoenroll certificates.

I think you want your clients to trust your WSUS server, don´t you? To achive this goal, use a GPO to install your Root-CA certificate in the clients Trusted Root Certification Authorities location. This is the point you mentioned in your first post.

Regards
0
What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

 

Author Comment

by:olefisk
ID: 33510464
Hi
Thanks again gustav25!!

Yes I have succeded getting the Root-CA on the Clients, and created/installed the SSL Certificate for IIS, and it works fine when clients contacts WSUS.

I only want to achive to run WSUS with SSL in an AD-domain, where WSUS is running on a additional DC, and afterwards adding the Add-on.

Started with WSUS without SSL, but we which to use this nice application to install 3rd-party applications via WSUS:
https://sourceforge.net/projects/localupdatepubl/
and it is then needed to run WSUS with SSL.

So I tried to find some documentation on best practice setting up SSL with WSUS 3 SP2, but no succes, Exept the earlier mentioned Article, and got stocked on the part not distributing the certificates via a GPO.

Everything seems to go fine, until the "Local Update Publisher" (The app for installing 3rd-party app) has to Sign the Update, where the App needs to use a Certificate. It fails when trying to save the signed update in a folder.
0
 
LVL 1

Accepted Solution

by:
gustav25 earned 500 total points
ID: 33510627
Well then I think you rather have a problem with the cert for your App.
Every cert has attributes like Common Name and so on and it is also issued for a specific purpose e.g. WebServer.
But to sign code you need a cert which is issued to sign code and I think this can´t be done with a stand-alone CA, so you need an Enterprise CA.

But I don´t know this Application, so I don´t know if it really signs code.
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 33999619
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Active Directory - Error 8614 - Do all DC's need to replicate 5 87
How to restore security permissions on a file server 4 66
Work with App store 7 71
is this a virus? 3 59
In a recent article here at Experts Exchange (http://www.experts-exchange.com/articles/18880/PaperPort-14-in-Windows-10-A-First-Look.html), I discussed my nine-month sandbox testing of the Windows 10 Technical Preview, specifically with respect to r…
Security measures require Windows be logged in using Standard User login (not Administrator).  Yet, sometimes an application has to be run “As Administrator” from a Standard User login.  This paper describes how to create a shortcut icon to launch a…

821 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question