Yes, I have.
WSUS settings are controlled through Group Policy, and the WSUS server itself also has this policy applied to it. With regard to certificates, I have used an internal (Microsoft) CA, which is used in conjunction with an Automatic certificate request GPO, so that all clients have the root CA certificate installed on them, so certificate trust should not be an issue. I can confirm that the SSL (webserver) certificate issued to and used by the WSUS IIS has the internal root CA as root. The internal root CA is also installed in Trusted Root Certification Authorities on both the Computer account and the User account on the WSUS server.
Please forgive my pedantic nature, but in scenarios like this, I quite often find the fact assumed is the fact bitten by.
- You've used an Enterprise CA to create and distribute a root certificate.
- You created an SSL certificate derived from that root certificate.
- The root CA is installed in the Trusted Root CA store of the Computer account. (As noted in the cited documentation, the root cert in the User store is meaningless.)
But I don't see anywhere that you have confirmed that the *SSL* certificate has been installed in the Computer store of the WSUS server -- in the same manner that it has (apparently) been installed on all of the other systems in your network (as evidenced by their ability to establish an SSL connection to WSUS).
Question: Can the Windows Update Agent of the WSUS server successfully detect/report to the WSUS server?
Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
SolarWinds Head Geek
Microsoft MVP - Software Distribution (2005-2012)
My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
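
The checks raised in this thread, as an added example that is not part of either post: run on the WSUS server, it lists the SSL certificates in the Computer (LocalMachine) Personal store and reports whether each one chains to a root held in the Computer's Trusted Root store. The host name in `$WsusFqdn` is a placeholder assumption; replace it with the name clients use in the WSUS URL.

```powershell
# Added example. Run in an elevated PowerShell session on the WSUS server.
# $WsusFqdn is a placeholder (assumption): the host name used in the WSUS URL.
$WsusFqdn      = 'wsus.example.internal'
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU

# Certificates in the Computer account's Personal store that name the WSUS host.
# A certificate with no EKU extension is valid for any purpose, so keep those too.
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    ($_.DnsNameList.Unicode -contains $WsusFqdn -or $_.Subject -like "*CN=$WsusFqdn*") -and
    (-not $_.EnhancedKeyUsageList -or
     $_.EnhancedKeyUsageList.ObjectId -contains $ServerAuthOid)
}

if (-not $candidates) {
    Write-Warning "No SSL certificate for $WsusFqdn in Cert:\LocalMachine\My"
}

foreach ($cert in $candidates) {
    # $true = build the chain in the machine context, so only Computer-store
    # roots count; a root present only in a User store does not help here.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($true)
    # Revocation is skipped to isolate the trust question from CRL reachability.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($cert)

    # Last element is the top of whatever chain could be built.
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    [pscustomobject]@{
        Thumbprint         = $cert.Thumbprint
        Subject            = $cert.Subject
        NotAfter           = $cert.NotAfter
        Expired            = $cert.NotAfter -lt (Get-Date)
        HasPrivateKey      = $cert.HasPrivateKey      # IIS needs the private key
        ChainBuilds        = $chainOk
        ChainStatus        = ($chain.ChainStatus | ForEach-Object Status) -join ','
        TopOfChain         = $top.Subject
        RootInMachineStore = Test-Path "Cert:\LocalMachine\Root\$($top.Thumbprint)"
    }
}
```

A healthy result shows `HasPrivateKey`, `ChainBuilds` and `RootInMachineStore` all `True` with an empty `ChainStatus`; compare the reported thumbprint with the certificate bound to the WSUS site in IIS.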