SSL for WSUS

Bhavin78

IS-IT--Management
Oct 26, 2004
320
Is it possible to use the SSL built into Windows to create a certificate for free with a WSUS server?
Any good article on how to?
 
Download the IIS resource kit, and use SelfSSL.

Hope This Helps,

Good Luck!
 
Why do I have to download the IIS resource kit? I remember doing this with Exchange OWA without downloading the kit.

 
Because that's where you would get the SelfSSL tool. This is how you're going to generate a certificate for your server. Otherwise, set up a Certificate Authority in Windows or buy one from a vendor.

Hope This Helps,

Good Luck!
 
Run Certificate Services from a 2003 server in your domain. This is, of course, if you do not have one. The CA for your domain can issue certificates easily with the web-enrollment tool.

A few questions:

1) Do you have a domain?

2) Would the CA server be in the same domain as the clients using WSUS?

If so, this would be a breeze with certificate services. You can either create a certificate request and send it to the CA or simply create a request directly in the web-enrollment process.

The CA services require hardly any resources; it just needs to stay up.
 
djtech2k,
Are we talking about an AD domain or a domain name for a website?
Yes, we run an AD domain.
I don't have any CA server; I will be installing Windows CA on the WSUS server?

MonsterJTA,
I don't know anything about the SelfSSL tool. I will try to do some research and figure out which option is best, safe and easy to configure.
Let me know if you have any good step-by-step article.
 
I am talking about an AD domain. This WSUS is meant for your intranet machines, right?

My strategy was meant for any internal application on your intranet.

You can install your CA anywhere, but I see most people doing it on a member server and not an IIS server. I do not know if there are any problems with it, but it seems to be a best practice. For very small environments sometimes it cannot be helped.

Anyway, that strategy will work very well and the IE clients will not need to download any certs for the communication, because your root CA will automatically be trusted/installed on every domain member.
 
Download IIS Resource Kit here:


It contains SelfSSL. Extract/install it on your server.

The syntax is easy and straightforward, as follows:

selfssl /n:cn=<servername> /v:365

This will apply the cert to the server, using 1024 encryption, for 1 year.

This is the quickest and easiest way to generate an SSL cert for private use on a single server instance. I wouldn't even bother with setting up a CA, unless I were planning on managing multiple certs within a domain.

Hope This Helps,

Good Luck!
 
monsterjta,
"This will apply the cert to the server, using 1024 encryption, for 1 year." (What happens after one year? I can extend it?)
 
As I understand though, when you use a self cert, all your clients will be prompted to install the cert via the browser.

Using a CA with a cert is the correct way to do it to ensure that you will not have to deal with it later. IMO self-certs are ok for development, but not production.
 
bhavin, you'll need to renew it just like with any other cert. However, you can make it for...say, 1450...for 4 years.

djtech2k, couldn't one just add the WSUS server as a trusted site in a policy?

Either way, there's a couple options. Both will give you the encryption you require.

Hope This Helps,

Good Luck!
 
I installed and configured the SelfSSL kit. Now when I try to open WSUSadmin from another computer it prompts me for the user name and password?

monsterjta,
What trusted site in a policy do I add the WSUS server to?

What's going to happen when the server and other computers contact WSUS for the updates? The data between them will be encrypted, right? How is it going to validate the certificate? Right now I have to click yes and enter username/password to access the wsusAdmin page.

djtech2k,
I will try Windows CA if the above does not work as expected. Do you have any step-by-step article for SSL on a WSUS server using Windows CA?
 

After configuring SSL I get the below error. I took off SSL and it's normal now.
One or more Update Service components could not be contacted. Check your server status and ensure that the Windows Server Update Service is running.

Non-running services: SelfUpdate
 
I do not have a step-by-step offhand, but it is relatively straightforward. If you install the services with the web-enrollment tool, you should be able to simply apply for the certificate thru the panel like this:
That way you can feed in a cert request or fill it out. If you have problems with an error message about not being able to find any "templates", then there's an easy write-up on Microsoft about how to grant the permissions in AD. It's an easy fix if you have the problem.

Otherwise, you get the cert in seconds.
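
An added example, not part of the thread or any poster's code: a PowerShell check of the points the posters raise (self-signed versus CA-issued, key size, validity period) against the certificate on the WSUS server. It assumes the certificate sits in LocalMachine\My with the server name as its CN and Windows PowerShell 5.1 or later; the 2048-bit and 30-day thresholds are illustrative defaults.

```powershell
# Added example (not from the thread): audit candidate WSUS/IIS certificates.
# Assumptions: cert is in LocalMachine\My, subject CN equals the server name,
# and the key-size / expiry thresholds below are illustrative defaults.
param(
    [string]$ServerName = $env:COMPUTERNAME,
    [int]$MinKeyBits = 2048,
    [int]$WarnDays = 30
)

$pattern = 'CN=' + [regex]::Escape($ServerName) + '(,|$)'
$certs = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match $pattern }

if (-not $certs) {
    Write-Warning "No certificate with CN=$ServerName in LocalMachine\My"
    return
}

foreach ($cert in $certs) {
    $findings = @()

    # A self-signed cert has identical Subject and Issuer; a CA-issued one does not.
    if ($cert.Subject -eq $cert.Issuer) {
        $findings += 'self-signed: clients will not trust it unless it is deployed to them'
    }

    # GetRSAPublicKey returns $null for non-RSA keys.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    if ($rsa -and $rsa.KeySize -lt $MinKeyBits) {
        $findings += "RSA key is $($rsa.KeySize) bits (below $MinKeyBits)"
    }

    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    if ($daysLeft -lt 0) { $findings += "expired $(-$daysLeft) days ago" }
    elseif ($daysLeft -le $WarnDays) { $findings += "expires in $daysLeft days" }

    # Verify() builds the chain with the default policy and this machine's trust stores.
    if (-not $cert.Verify()) {
        $findings += 'chain does not validate on this machine'
    }

    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        NotAfter   = $cert.NotAfter
        Findings   = if ($findings) { $findings -join '; ' } else { 'none' }
    }
}
```

Running the same script on a domain client against an exported copy of the certificate shows whether that client, rather than the server, trusts the chain.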
 