Solved

WSUS SSL-certificate Auto-enrollment via GPO

Posted on 2010-08-23
Last Modified: 2013-12-04
Have installed WSUS3 SP2 on Server 2003 R2
Have installed and configured Certificate-Authority
Have created Root-certificate and WSUS-certificate
Have issued the WSUS-certificate on IIS and changed the Technet-mentioned folders to run SSL.
It seems I have the chance to Auto-enroll the Root-certificate via GPO (Computer-Configuration, Windows settings, Security-settings, Public Key Policies, Trusted Root Certification Authorities); but I can't figure out where to place the WSUS-certificate in the GPO.

My question is how to auto-enroll the WSUS-certificate via GPO, or a good description of how to Auto-enroll the SSL-certificates from the very start?


0
Question by:olefisk
LVL 1

Expert Comment

by:gustav25
ID: 33501411
Hi,

Why do you want to deploy the WSUS certificate to your clients?
If you have deployed your root certificate successfully and you issued your WSUS Cert from your root or subordinate CA, your clients will trust the certificate.

Regards
0
 

Author Comment

by:olefisk
ID: 33505407
Hi gustav25

Thanks for Your prompt reply
I'm a total Rookie on CA and Certificates, but have to Implement it with WSUS for using a Third-Party Addon.
I have followed a nice Article concerning SSL and WSUS: http://slashhome.wordpress.com/2007/08/23/wsus-installation-with-ssl/
but this Article describes manual installation of the Certificates on the Clients, and not via AD and GPO.
Therefore I'm a little bit lost.
In the Article it is described that both Certificates have to be installed, and my Issue was then that AD also had to install both Certificates via the Auto-enroll.
But I'll take a look at the Clients the next days to see if it is working, and then come back with a Reply.
0
 
LVL 1

Expert Comment

by:gustav25
ID: 33508078
Hi,

I don't really get the point of what you want to achieve.
If you followed the article you installed a stand-alone CA on your WSUS server.
I think this is quite a strange solution in an AD environment, but okay, if you don't want to use your CA for other purposes it works.

Deploying a certificate with GPO is something different than autoenrollment. Autoenrollment means that a CA issues a certificate to a client or user (e.g. for smartcards) and a stand-alone CA can't autoenroll certificates.

I think you want your clients to trust your WSUS server, don't you? To achieve this goal, use a GPO to install your Root-CA certificate in the clients' Trusted Root Certification Authorities location. This is the point you mentioned in your first post.

Regards
0

Author Comment

by:olefisk
ID: 33510464
Hi
Thanks again gustav25!!

Yes, I have succeeded in getting the Root-CA on the Clients, and created/installed the SSL Certificate for IIS, and it works fine when clients contact WSUS.

I only want to achieve running WSUS with SSL in an AD-domain, where WSUS is running on an additional DC, and afterwards adding the Add-on.

Started with WSUS without SSL, but we wish to use this nice application to install 3rd-party applications via WSUS:
https://sourceforge.net/projects/localupdatepubl/
and it is then needed to run WSUS with SSL.

So I tried to find some documentation on best practice setting up SSL with WSUS 3 SP2, but no success, except the earlier mentioned Article, and got stuck on the part not distributing the certificates via a GPO.

Everything seems to go fine, until the "Local Update Publisher" (the app for installing 3rd-party apps) has to sign the Update, where the App needs to use a Certificate. It fails when trying to save the signed update in a folder.
0
 
LVL 1

Accepted Solution

by:
gustav25 earned 500 total points
ID: 33510627
Well then I think you rather have a problem with the cert for your App.
Every cert has attributes like Common Name and so on, and it is also issued for a specific purpose, e.g. WebServer.
But to sign code you need a cert which is issued to sign code, and I think this can't be done with a stand-alone CA, so you need an Enterprise CA.

But I don't know this Application, so I don't know if it really signs code.
0
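A way to check the two points raised in this thread, as an added example that is not part of the original posts: for each certificate in a store it reports whether the Enhanced Key Usage lists Server Authentication and Code Signing, whether a private key is present, and whether the chain builds to a root this machine trusts (such as one pushed by GPO). The function name `Get-CertPurposeReport` and the default store path are assumptions for illustration.

```powershell
# Added example (not from the thread). Standard PKIX extended key usage OIDs:
$ServerAuthOid  = '1.3.6.1.5.5.7.3.1'   # Server Authentication (SSL web server)
$CodeSigningOid = '1.3.6.1.5.5.7.3.3'   # Code Signing
$EkuExtOid      = '2.5.29.37'           # the Enhanced Key Usage extension itself

function Get-CertPurposeReport {
    param(
        # Assumption: the certificates of interest sit in the machine's personal store.
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_

        # Decode the EKU extension, if the certificate carries one.
        $ekuOids = @()
        foreach ($ext in $cert.Extensions) {
            if ($ext.Oid.Value -eq $EkuExtOid) {
                $eku = New-Object System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension($ext, $ext.Critical)
                $ekuOids += $eku.EnhancedKeyUsages | ForEach-Object { $_.Value }
            }
        }

        # Build the chain against the local trust stores. Revocation checking is
        # turned off so an unreachable CRL does not hide the trust result.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $chainOk = $chain.Build($cert)
        $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

        New-Object PSObject -Property @{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            HasEku        = ($ekuOids.Count -gt 0)
            ServerAuth    = ($ekuOids -contains $ServerAuthOid)
            CodeSigning   = ($ekuOids -contains $CodeSigningOid)
            HasPrivateKey = $cert.HasPrivateKey
            ChainTrusted  = $chainOk
            ChainStatus   = $chainStatus
        }
    }
}

# Run on the WSUS server to see what the IIS and signing certificates are issued for.
Get-CertPurposeReport |
    Format-Table Subject, ServerAuth, CodeSigning, HasPrivateKey, ChainTrusted, ChainStatus -AutoSize
```

On a client, `ChainTrusted` being false with `UntrustedRoot` in `ChainStatus` indicates the root CA certificate has not arrived in Trusted Root Certification Authorities.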
 
LVL 27

Expert Comment

by:Rainer Meller
ID: 33999619
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.
0
