WSUS client updates fail with error 80072F8F after configuring a self-signed certificate in IIS
Here's a cool tip that was sent to me by Joao Madureira, a Support Escalation Engineer in our WSUS group. If you want to use a self-signed cert in IIS7 for your WSUS clients then you'll want to take a look at this one:
Issue: After installing WSUS on a Windows 2008 server and enabling SSL using a self-signed certificate in IIS 7, the client machines may stop reporting with error 80072F8F.
Cause: The self-signed certificate used by IIS7 is not trusted in the domain.
More Information: IIS7 allows you to create its own self-signed certificate instead of using a standalone certificate authority or a domain certificate. In this case, after creating the certificate it is necessary to tell the client machines that the self-signed certificate is trusted in the domain.
Resolution: In order for the certificate to be trusted, you need to import the self-signed certificate into the domain's Trusted Root Certification Authorities store so that the clients can use and trust the new certificate.
A. Creating the self-signed certificate on IIS7:
- Open IIS7, click on the server name > Server Certificates > Create Self-Signed Certificate.
- For the friendly name, type the FQDN for the WSUS server.
- Right-click the certificate and choose Export.
- Choose a path and a password, then confirm the password.
B. Copy the .PFX file created with the export task to a Domain Controller.
C. Open the Group Policy Management Console and create a GPO for the certificate.
D. Go to Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities, right-click and choose Import.
E. Browse to the location where you copied the .PFX file and change the file type filter to Personal Information Exchange (*.pfx, *.p12).
F. Type the password to complete the process, leaving only "Include all extended properties" checked.
G. Choose the option "Place all certificates in the following store" and select Trusted Root Certification Authorities. Then click Next and Finish.
Once the policy updates, the clients should trust the certificate and begin working again.
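The steps above are done in the IIS and GPMC consoles. As an added example (not from the original post or from the WSUS team), the PowerShell below does the same two things from the command line and adds the check a practitioner wants after the policy has applied: the first function creates the self-signed certificate on the WSUS server and exports only the public certificate, because the clients' Trusted Root store never needs the private key and a .cer file carries none; the second function, run on a client, performs the TLS handshake against the WSUS SSL port, builds the chain the way Windows Update will, and reports whether the server certificate is present in the machine's Trusted Root store. It assumes Windows Server 2012 or later for New-SelfSignedCertificate (the post's 2008/IIS7 server would use the GUI steps instead), the default WSUS SSL port 8531, and the file path C:\wsus-root.cer; all three are assumptions, not values from the post.

```powershell
function New-WsusSelfSignedCert {
    param(
        [Parameter(Mandatory)][string]$Fqdn,          # FQDN of the WSUS server, used as the CN and friendly name
        [string]$CerPath = 'C:\wsus-root.cer'          # assumed output path for the public certificate
    )
    # New-SelfSignedCertificate is the scripted equivalent of IIS7's "Create Self-Signed Certificate"
    # (assumption: available on Windows Server 2012+; the post's IIS7 box uses the console instead).
    $cert = New-SelfSignedCertificate -DnsName $Fqdn -CertStoreLocation Cert:\LocalMachine\My -FriendlyName $Fqdn
    # Export the public certificate only (.cer). The GPO Trusted Root store needs just this part,
    # so the private key never has to be copied to the domain controller.
    Export-Certificate -Cert $cert -FilePath $CerPath -Type CERT | Out-Null
    # Return the thumbprint so it can be compared on the clients afterwards.
    $cert.Thumbprint
}

function Test-WsusServerTrust {
    param(
        [Parameter(Mandatory)][string]$Fqdn,           # WSUS server name exactly as the clients use it
        [int]$Port = 8531                              # assumed WSUS SSL port; adjust if the site uses another
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($Fqdn, $Port)
    try {
        # Accept whatever certificate the server presents during the handshake so it can be inspected;
        # trust is evaluated separately below with an X509Chain, the same way WinHTTP does it.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($Fqdn)

        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chain  = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $valid  = $chain.Build($remote)

        # If the GPO import worked, the server's thumbprint is in the machine Trusted Root store
        # and the chain builds cleanly; an UntrustedRoot status here matches the 80072F8F symptom.
        $inRoot = [bool](Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $remote.Thumbprint)

        [pscustomobject]@{
            Server        = $Fqdn
            Subject       = $remote.Subject
            Thumbprint    = $remote.Thumbprint
            NotAfter      = $remote.NotAfter
            InTrustedRoot = $inRoot
            ChainValid    = $valid
            ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        }
    }
    finally {
        $tcp.Close()
    }
}

# Usage (server):  New-WsusSelfSignedCert -Fqdn 'wsus.corp.example'    # then import C:\wsus-root.cer via the GPO
# Usage (client):  gpupdate /force; Test-WsusServerTrust -Fqdn 'wsus.corp.example'
```

On a client that has not yet received the policy, the output shows InTrustedRoot = False, ChainValid = False and ChainStatus containing UntrustedRoot; once the GPO has applied, all three flip and the Windows Update client can complete the SSL handshake that 80072F8F was reporting as failed. The Subject field is also worth reading: the name the clients use for the WSUS server must match the certificate's CN, which is why the post has you type the FQDN as the friendly name when creating it.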
J.C. Hornbeck | Manageability Knowledge Engineer