When the Configuration Manager 2007 site server is in native mode or when the active software update point is configured to use Secure Sockets Layer (SSL), and when a custom Web site is used to host the Microsoft Windows Server Update Services (WSUS) 3.0 services, you must configure the WSUS Administration Web site to use a Web server signing certificate.

Note
Configuration Manager 2007 Service Pack 1 (SP1) requires WSUS 3.0 SP1 or WSUS 3.0 Service Pack 2 (SP2). WSUS 3.0 SP2 is required to support Configuration Manager 2007 SP2 software update management for the Windows 7 and Windows Server 2008 R2 operating systems.

After it is configured, the certificate is added to the Trusted Root Certification Authorities store on the local computer. This procedure steps through the process of using the same certificate that is used by the Configuration Manager site systems for authentication and encryption when the site is in native mode, but you can use a different Web server signing certificate as long as the certificate is added to the WSUS Administration Web site and resides in the Trusted Root Certification Authorities store on client computers. The Web server certificate can be installed on the Web site by using a script or the Internet Information Services (IIS) Manager console.

Important
The WSUS Administration Web site must be assigned a signing certificate where the Subject Name or Subject Alternate Name contains the Internet fully qualified domain name (FQDN).

Use one of the following procedures to add the Web server signing certificate to the WSUS Web site using IIS.

To add the signing certificate to the WSUS Web site in IIS 6.0

  1. On the WSUS server, open Internet Information Services (IIS) Manager.

  2. Expand Web Sites, right-click the WSUS Administration Web site, and then click Properties.

  3. Click the Directory Security tab, and then click Server Certificate.

  4. On the Welcome to the Web Server Certificate Wizard page, click Next.

  5. On the Server Certificate page, click Assign an existing certificate, and then click Next.

  6. On the Available Certificates page, select the Web server certificate that was requested when configuring the site for native mode. You can identify the certificate by the Intended Purpose field that has a value of Server Authentication and the Friendly Name that was configured when requesting the certificate. Click Next.

    Note
    The site server will use either the default Web site or a Configuration Manager custom Web site (SMSWeb), depending on how the site was configured. To find the certificate used by the other site systems, view the certificate by going to the Web site properties, and then click View Certificate on the Directory Security tab. Use this certificate when selecting certificates for the WSUS Web page.

  7. On the SSL Port page, configure the port number for SSL (HTTPS). When using the WSUS custom Web site, the default SSL port number is 8531. For the step-by-step procedures on how to find the port number, see How to Determine the Port Settings Used by WSUS. Click Next.

  8. On the Certificate Summary page, click Next.

  9. On the Completing the Web Server Certificate Wizard page, click Finish.

  10. Click OK to close the properties for the Web site.

  11. Close IIS Manager.

To add the signing certificate to the WSUS Web site in IIS 7.0

  1. On the WSUS server, open Internet Information Services (IIS) Manager.

  2. Expand Sites, right-click the WSUS Web site, and then click Edit Bindings.

  3. In the Site Bindings dialog box, select the https binding, and click Edit to open the Edit Site Binding dialog box.

  4. Select the appropriate Web server certificate in the SSL certificate box, and then click OK.

  5. Click Close to exit the Site Bindings dialog box, and then click OK to close Internet Information Services (IIS) Manager.
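
To confirm the result of either procedure, the following PowerShell script (an added example, not part of the original documentation) connects to the WSUS Web site over SSL and reports whether the presented certificate contains the FQDN, allows Server Authentication, and chains to a trusted root on the computer where the script runs. The host name `wsus.example.com` and the function names are placeholders chosen for this example.

```powershell
# Added example, not part of the original procedure.
# 'wsus.example.com' is a placeholder FQDN; 8531 is the default SSL port named in the procedure.
param([string]$WsusFqdn = 'wsus.example.com', [int]$Port = 8531)

function Get-RemoteCertificate([string]$HostName, [int]$Port) {
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever is presented so that a bad certificate can still be inspected.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally { $tcp.Close() }
}

function Test-WsusCertificate($Cert, [string]$Fqdn) {
    # Names: subject common name plus every Subject Alternative Name entry.
    $names = @($Cert.GetNameInfo('SimpleName', $false))
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format($true) returns one "label=value" entry per line.
        $names += $san.Format($true) -split "`r?`n" | Where-Object { $_ -match '=' } |
            ForEach-Object { ($_ -split '=', 2)[1].Trim() }
    }
    # Intended purpose: Server Authentication (OID 1.3.6.1.5.5.7.3.1).
    # A certificate without an EKU extension is reported as False here.
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $serverAuth = $false
    if ($eku) {
        $serverAuth = @($eku.EnhancedKeyUsages |
            Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' }).Count -gt 0
    }
    # Trust path only; revocation is not checked in this example.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    New-Object PSObject -Property @{
        Subject       = $Cert.Subject
        Thumbprint    = $Cert.Thumbprint
        NotAfter      = $Cert.NotAfter
        FqdnInCert    = ($names -contains $Fqdn)   # exact match, case-insensitive
        ServerAuthEku = $serverAuth
        TrustedChain  = $chain.Build($Cert)
    }
}

Test-WsusCertificate (Get-RemoteCertificate $WsusFqdn $Port) $WsusFqdn | Format-List
```

Compare the reported thumbprint with the one shown by View Certificate in IIS Manager to confirm that the intended certificate is the one bound to the site.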
