I'm working on setting up SSL on our WSUS server using a self-signed certificate, but I'm running into trouble. Specifically, after running selfssl /n:CN=server.domain.local /t /v:365, and ensuring that Require Client Certificates is selected in the following directories:
- SimpleAuthWebService
- ServerSyncWebService
- DssAuthWebService
- ClientWebService
- APIRemoting30
I am receiving Event 120[2-5]2 upon running wsusutil.exe checkhealth. Basically, each of the directories I require the certificate on fails to work. What am I missing?
"Require client certificates" isn't requiring SSL, it's requiring the client to have a certificate itself in order to authenticate to the server. You then need IIS certificate mapping, or AD certificate mapping in order for the client to authenticate successfully. Which I'm guessing isn't the case here.
Plus, using a self-signed certificate is going to require that cert to be trusted by all the clients (i.e. installed into the trusted root CAs store).
Set it instead to require SSL, and Ignore client certificates, and all should be fine.
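The setting described in the answer above, as an added example that is not part of the original post: it reports the SSL flags on the five directories from the question and can reset them to "Require SSL" with client certificates ignored. It assumes IIS 7 or later with the WebAdministration module, and the site name `WSUS Administration` is an assumption to adjust for your install.

```powershell
# Added example. Assumes IIS 7 or later with the WebAdministration module.
Import-Module WebAdministration

# Assumption: the IIS site that hosts WSUS; change to match your install.
$site   = 'WSUS Administration'
# Set to $true to rewrite the setting; $false only reports.
$fix    = $false
$filter = 'system.webServer/security/access'
$root   = 'MACHINE/WEBROOT/APPHOST'

# The five virtual directories listed in the question.
$vdirs = 'SimpleAuthWebService', 'ServerSyncWebService', 'DssAuthWebService',
         'ClientWebService', 'APIRemoting30'

foreach ($vdir in $vdirs) {
    $location = "$site/$vdir"
    $raw = Get-WebConfigurationProperty -PSPath $root -Location $location `
               -Filter $filter -Name 'sslFlags'
    # Normalise to a string whether the cmdlet hands back a string or an attribute object.
    $text  = if ($raw -is [string]) { $raw } else { [string]$raw.Value }
    $flags = @($text -split '\s*,\s*' | Where-Object { $_ -and $_ -ne 'None' })

    $requiresSsl = $flags -contains 'Ssl'
    # SslNegotiateCert = "Accept", SslRequireCert = "Require" client certificates.
    $clientCerts = ($flags -contains 'SslNegotiateCert') -or
                   ($flags -contains 'SslRequireCert')

    [pscustomobject]@{
        Location    = $location
        SslFlags    = $text
        RequireSsl  = $requiresSsl
        ClientCerts = $clientCerts
    }

    if ($fix -and (-not $requiresSsl -or $clientCerts)) {
        # "Require SSL" with client certificates ignored.
        Set-WebConfigurationProperty -PSPath $root -Location $location `
            -Filter $filter -Name 'sslFlags' -Value 'Ssl'
    }
}
```

A directory that reports `ClientCerts = True` is asking the WSUS client for its own certificate, which is the condition the answer identifies as the cause of the failures.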
Don't worry about those health-checks. WSUS is basically "pinging" itself and that self-testing functionality handles neither WSUS hosted at a virtual hostname (wsus.server.domain.local) nor WSUS hosted on SSL ports (https://server.domain.local). I've had WSUS running in an SSL-only configuration for a year without issue, aside from those events in the application log.
Try configuring a couple clients for WSUS and monitoring the configuration and let me know if you run into an issue.