Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

WSUS SSL-certificate Auto-enrollment via GPO

Posted on 2010-08-23
7
Medium Priority
?
1,427 Views
Last Modified: 2013-12-04
Have installed WSUS3 SP2 on Server 2003 R2
Have installed and configured Certificate-Authority
Have created Root-certificate and WSUS-certificate
Have issued the WSUS-certificate on IIS and changed the Technet-mentioned folders to run
SSL.
It seems I have the chance to Auto-enroll the Root-certificate via GPO (Computer-Configuration, Windows settings, Security-settings, Public Key Policies, Trusted Root Certification Authorities); but I cant figure out where to place the WSUS-certificate in the GPO.

My question is how to auto-enroll the WSUS-certificate via GPO ?, or a good desription on how to Auto-enroll the SSL-certificates from the very Start?


0
Comment
Question by:olefisk
  • 3
  • 2
7 Comments
 
LVL 1

Expert Comment

by:gustav25
ID: 33501411
Hi,

why do you want to deploy the WSUS certificate to your clients?
If you have deployed your root certificate successfully and you issued your WSUS Cert from your root or subordinate CA your clients will trust the certificate.

Regards
0
 

Author Comment

by:olefisk
ID: 33505407
Hi gustav25

Thanks for Your prompt reply
I'm a total Rookie on CA and Certificates, but have to Implement it with WSUS for using a Third-Party Addon.
I have followed a nice Article concerning SSL and WSUS: http://slashhome.wordpress.com/2007/08/23/wsus-installation-with-ssl/
but this Article describes manul installation of the Certificates on the Clients, and not via AD and GPO.
Therefore I'm a little bit lost.
In the Article it is described that both Certificates have to be installed, and my Issue was then that AD also had to install both Certificates via the Auto-enroll.
But I'll take a look on the Clients the next days to see if it is working, and then come back with a Reply.
0
 
LVL 1

Expert Comment

by:gustav25
ID: 33508078
Hi,

I don´t really get the point what you want to achive.
If you followed the article you installed a stand-alone CA on your WSUS server.
I think this is quite a strange solution in an AD environment, but okay, if you don´t want to use your CA for other purposes it works.

Deploying a certificate with GPO is something different than autoenrollment. Autoenrollment means that a CA issues a certificate to a client or user (e.g. for smartcards) and a stand-alone CA can´t autoenroll certificates.

I think you want your clients to trust your WSUS server, don´t you? To achive this goal, use a GPO to install your Root-CA certificate in the clients Trusted Root Certification Authorities location. This is the point you mentioned in your first post.

Regards
0
Get your Conversational Ransomware Defense e‑book

This e-book gives you an insight into the ransomware threat and reviews the fundamentals of top-notch ransomware preparedness and recovery. To help you protect yourself and your organization. The initial infection may be inevitable, so the best protection is to be fully prepared.

 

Author Comment

by:olefisk
ID: 33510464
Hi
Thanks again gustav25!!

Yes I have succeded getting the Root-CA on the Clients, and created/installed the SSL Certificate for IIS, and it works fine when clients contacts WSUS.

I only want to achive to run WSUS with SSL in an AD-domain, where WSUS is running on a additional DC, and afterwards adding the Add-on.

Started with WSUS without SSL, but we which to use this nice application to install 3rd-party applications via WSUS:
https://sourceforge.net/projects/localupdatepubl/
and it is then needed to run WSUS with SSL.

So I tried to find some documentation on best practice setting up SSL with WSUS 3 SP2, but no succes, Exept the earlier mentioned Article, and got stocked on the part not distributing the certificates via a GPO.

Everything seems to go fine, until the "Local Update Publisher" (The app for installing 3rd-party app) has to Sign the Update, where the App needs to use a Certificate. It fails when trying to save the signed update in a folder.
0
 
LVL 1

Accepted Solution

by:
gustav25 earned 2000 total points
ID: 33510627
Well then I think you rather have a problem with the cert for your App.
Every cert has attributes like Common Name and so on and it is also issued for a specific purpose e.g. WebServer.
But to sign code you need a cert which is issued to sign code and I think this can´t be done with a stand-alone CA, so you need an Enterprise CA.

But I don´t know this Application, so I don´t know if it really signs code.
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 33999619
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

No security measures warrant 100% as a "silver bullet". The truth is we also cannot assume anything but a defensive and vigilance posture. Adopt no trust by default and reveal in assumption. Only assume anonymity or invisibility in the reverse. Safe…
Security measures require Windows be logged in using Standard User login (not Administrator).  Yet, sometimes an application has to be run “As Administrator” from a Standard User login.  This paper describes how to create a shortcut icon to launch a…
Are you ready to place your question in front of subject-matter experts for more timely responses? With the release of Priority Question, Premium Members, Team Accounts and Qualified Experts can now identify the emergent level of their issue, signal…
Screencast - Getting to Know the Pipeline

885 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question