3 Replies Latest reply on Feb 7, 2013 4:50 PM by Lawrence Garvin

    Using an externally generated Certificate for clients and servers

    dkeyser

      Can we use a Cert that was generated by another Authority with WSUS and all necessary servers? If so what is the required parameters for generating this cert?

        • Re: Using an externally generated Certificate for clients and servers
          Lawrence Garvin

          Yes you can.

          There are two things to note about using an external certificate.

           

          1. The certificate must be a code-signing certificate issued to the WSUS server.

          2. The certificate will need to be imported using a command line tool we have developed for that purpose. To get the command line tool, you'll need to open a ticket via the Customer Portal and request the tool.

          • Re: Using an externally generated Certificate for clients and servers
            dkeyser

            thank you for this info. I found something else on the forums but it says I'd need a CA. Was hoping we could do this another way.

              • Re: Using an externally generated Certificate for clients and servers
                Lawrence Garvin

                There are three potential sources from which you can get a publishing certificate:

                 

                1. A self-signed certificate created by the WSUS server. (The WSUS server is its own Certificate Authority.)

                2. A certificate created from an internal PKI known as an Enterprise Certificate Authority -- such as with Microsoft Active Directory Certificate Services

                3. A certificate created from an external Certificate Authority. This scenario does not require that you have an internal CA, but it does require that the external CA is trusted by all of your WSUS clients.

                 

                The question to be asked is whether any significant advantage is achieved by paying for an external certificate, or getting a free one, over simply creating one from the WSUS server itself.

                 

                Perhaps the most notable risk would be for mobile systems, which could conceivably be spoofed into downloading updates from a rogue WSUS server on the outside pretending to be your internal WSUS server. But, then, it's also important to recognize the level of effort it would take to achieve such an objective. First, somebody would have to hijack the DNS for the organizational domain name (and this also assumes that the external domain is the same as the public-facing domain). If a client is configured with http://wsusServer as it's WSUS server URL, it's going to attempt to resolve that hostname within the list of DNS Search Suffixes defined for that client. Ideally, none of those suffixes are available on the Internet, so DNS resolution for the WSUS server would simply fail. Problem gone.

                 

                But, in cases where the internal and external domain names are the same, the hostname could resolve to an IP Address -- presuming that hostname is configured in the external DNS. In most cases it won't be (shouldn't be!), and attempting to resolve that hostname fails, and the client never attempts a connection.

                 

                Only if a rogue entity were to hijack the entire external DNS domain would it be conceivable that the client system could find a WSUS server of the presumed correct identity. In this scenario, a self-signed certificate could be spoofed.

                 

                So the question, it seems to me is this: Is the risk of the above happening worth the expense of maintaining a paid-for external code-signing certificate just to deploy third-party updates? That's a business question to be answered, not a technology question. :-)