WSUS client updates fail with error 80072F8F after configuring a self-signed certificate in IIS

Here's a cool tip that was sent to me by Joao Madureira, a Support Escalation Engineer in our WSUS group.  If you want to use a self-signed cert in IIS7 for your WSUS clients then you'll want to take a look at this one:


Issue: After installing WSUS on a Windows 2008 server and enabling SSL using a self-signed certificate in IIS 7, the client machines may stop reporting with error 80072F8F.

Cause: The self-signed certificate used by IIS7 is not trusted in the domain.

More Information: IIS7 allows you to create its own self-signed certificate instead of using a standalone certificate authority or a domain certificate. In this case, after creating the certificate it's necessary to tell the client machines that the self-signed certificate is trusted in the domain.

Resolution: In order to allow the certificate to be trusted, you need to import the self-signed certificate into the domain's Trusted Root Certification Authorities store so that the clients can use and trust the new cert.

A. Creating the self-signed certificate on IIS7:

  1. Open IIS7, click on the server name > Server Certificates > Create Self-Signed Certificate.
  2. For the friendly name, type the FQDN for the WSUS server.
  3. Right click on the certificate and choose export.
  4. Choose a path and password > confirm the password.

B. Copy the .PFX file created with the export task to a Domain Controller.

C. Open the Group Policy Management Console and create a GPO for the certificate.

D. Go to Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities, then right-click and choose Import.

E. Browse to the location where you copied the .PFX file and change the file type to Personal Information Exchange (*.pfx, *.p12).

F. Type the password to complete the process, leaving only "Include all extended properties" checked.

G. Choose the option to place all certificates in the following store: Trusted Root Certification Authorities. Then click Next and Finish.

Once the policy updates, the clients should trust the certificate and begin working again.
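To confirm from a client that the imported certificate is really trusted before waiting on the next detection cycle, here is a check script added to this post (it is not part of Joao's write-up). It assumes the client gets its WSUS URL from the standard WindowsUpdate policy registry key and that it can open a TLS connection to the server:

```powershell
# Added example, not from the original post: verify on a WSUS client that the
# certificate the server presents chains to a trusted root after the GPO import.
# Assumption: the client is pointed at WSUS via the usual WindowsUpdate policy key.
$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wuServer = (Get-ItemProperty -Path $wuPolicy -ErrorAction Stop).WUServer
$uri = [Uri]$wuServer
if ($uri.Scheme -ne 'https') { throw "WUServer is $wuServer; SSL is not enabled on this client." }

# Open a raw TLS connection. The callback returns $true so we can still capture the
# certificate even if it is untrusted; trust is evaluated separately below.
$tcp = New-Object System.Net.Sockets.TcpClient($uri.Host, $uri.Port)
$cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
try {
    $ssl.AuthenticateAsClient($uri.Host)
    $serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $ssl.Dispose(); $tcp.Close()
}

# Build the chain with the machine's trust stores; revocation is skipped because a
# self-signed certificate has no CRL/OCSP endpoint to check.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$chainOk = $chain.Build($serverCert)

# Is that exact certificate (by thumbprint) present in the machine's Trusted Root store?
$inRoot = Get-ChildItem Cert:\LocalMachine\Root |
          Where-Object { $_.Thumbprint -eq $serverCert.Thumbprint }

# Summary: ChainBuilds and InTrustedRoot should both be True once the GPO has applied;
# NameMatchesHost should be True if the friendly name/FQDN step was done correctly.
[PSCustomObject]@{
    WUServer        = $wuServer
    Subject         = $serverCert.Subject
    Thumbprint      = $serverCert.Thumbprint
    NameMatchesHost = ($serverCert.GetNameInfo('DnsName', $false) -eq $uri.Host)
    ChainBuilds     = $chainOk
    ChainStatus     = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
    InTrustedRoot   = [bool]$inRoot
}
```

If ChainBuilds is False while InTrustedRoot is True, run gpupdate /force and check ChainStatus for the specific reason (for example a hostname mismatch), since the policy may simply not have applied yet.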


Thanks Joao!

J.C. Hornbeck | Manageability Knowledge Engineer