{"id":8000,"date":"2023-11-14T00:05:01","date_gmt":"2023-11-14T00:05:01","guid":{"rendered":"https:\/\/cheapwindowsvps.com\/blog\/how-to-renew-a-wsus-certificate-after-a-connection-error\/"},"modified":"2025-01-20T10:17:20","modified_gmt":"2025-01-20T10:17:20","slug":"how-to-renew-a-wsus-certificate-after-a-connection-error","status":"publish","type":"post","link":"https:\/\/cheapwindowsvps.com\/blog\/how-to-renew-a-wsus-certificate-after-a-connection-error\/","title":{"rendered":"How to Renew a WSUS Certificate After a Connection Error"},"content":{"rendered":"

Admins who work with WSUS regularly are used to connection issues of the MMC console. However, it is not clear from the error message what the cause of these problems could be. One possible reason is an expired certificate. After renewing it, you assign it to the WSUS website. For Server Core, you can do this using PowerShell.<\/div>\n<\/p>\n

A common cause of WSUS console connection problems is an overdue cleanup of the server<\/a> from updates that are no longer needed. In this case, access to the database may time out and the connection is then terminated.<\/p>\n<\/p>\n

However, the problem could also be due to an expired certificate, although the WSUS console does not provide information on this.<\/p>\n<\/p>\n

\n

<\/a><\/p>\n

WSUS console message in case of connection failure due to an invalid certificate<\/p>\n<\/div>\n

In this case, PowerShell is more informative. Running the command<\/p>\n<\/p>\n

Get-WsusServer -Name wsus.contoso.com -UseSsl -PortNumber 8531<\/pre>\n<\/p>\n
results in the following error message:<\/p>\n<\/p>\n
The underlying connection was closed: Could not establish trust relationship for the SSL\/TLS secure channel<\/p>\n<\/p>\n
Error Message from Get WsusServer for an expired SSL certificate<\/a><\/div>\n<\/p>\n
To confirm that the invalid certificate is causing the connection error, you can open the following URL in your web browser:<\/p>\n<\/p>\n
https:\/\/<WSUS-Server>:8531\/selfupdate\/wuident.cab<\/em><\/p>\n<\/p>\n
There, you will receive a clear error message and can verify the certificate immediately.<\/p>\n<\/p>\n
Request a new certificate<\/h2>\n<\/p>\n
If an expired certificate is identified as the root cause, the first step is to issue a new one. As it is common practice to run WSUS on Server Core, the following guide focuses on the PowerShell method. This is, of course, applicable to Windows Server with a desktop interface as well.<\/p>\n<\/p>\n
In our example, we request the new certificate from a Windows CA. The command using Get-Certificate<\/em> could look like this:<\/p>\n<\/p>\n
Get-Certificate -SubjectName \"C=DE,O=contoso,CN=wsus,DC=contoso,DC=com\" `<\/p>
 -DnsName wsus.contoso.com,wsus -Template WebServer `<\/p>
 -CertStoreLocation Cert:LocalMachineMy `<\/p>
 -URL \"ldap:\/\/\/CN=contoso-CA\"<\/p>
<\/pre>\n<\/p>\n
image3<\/a><\/div>\n<\/p>\n
Request new SSL certificate for the WSUS server with PowerShell.<\/p>\n<\/p>\n
The example above issues the certificate for the server wsus.contoso.com<\/em> using the WebServer<\/em> template. The second value for the DnsName <\/em>parameter allows you to connect using the host name wsus<\/em> only without receiving a certificate warning. You can specify the CA path via the URL parameter.<\/p>\n<\/p>\n
After successfully obtaining the certificate, it will be located in the store under LocalMachineMy<\/em> (PersonalCertificates<\/em> in certlm.msc<\/em>). You can verify this using the following pattern:<\/p>\n<\/p>\n
Get-ChildItem Cert:LocalMachineMy | where issuer -like *contoso-CA* |<\/p>
sort -Property NotBefore | select Thumbprint, NotBefore<\/p>
<\/pre>\n<\/p>\n
Next, you’ll need the certificate’s thumbprint to bind it to the WSUS website.<\/p>\n<\/p>\n
Bind certificate to WSUS site<\/h2>\n<\/p>\n
To activate the new certificate, bind it to the WSUS Administration site in the IIS. This can be done with the following script:<\/p>\n<\/p>\n
<\/p>
# Store the name of the WSUS website in a variable<\/p>
$website = Get-Website -Name \"wsus*\"<\/p>
# Import the new certificate using the thumbprint<\/p>
$cert = Get-Item -Path Cert:LocalMachineMyDEDEC6BDCB2BC3900A152\u2026<\/p>
# Get the current https binding of the WSUS website<\/p>
$binding = Get-WebBinding -Name $website.Name -Port 8531 -Protocol https<\/p>
# Assign a new certificate<\/p>
$binding.AddSslCertificate($cert.GetCertHashString(), \"my\")<\/p>
<\/pre>\n<\/p>\n
After the successful execution of these commands restart IIS:<\/p>\n<\/p>\n
<\/p>
Restart-Service w3svc<\/p>
<\/pre>\n<\/p>\n
Bind new SSL certificate to WSUS website.<\/p>\n
 The new SSL certificate is successfully binded to the WSUS website. This ensures a secure connection and enables your system to prevent any unwanted breaches or security threats.<\/p>\n<\/p>\n
Now, when you run<\/p>\n<\/p>\n
Get-WebBinding -Name $website.Name -Port 8531 -Protocol https<\/pre>\n<\/p>\n
it should display the thumbprint of the new certificate, and the WSUS console should be able to connect to the server accordingly.<\/p><\/p>\n","protected":false},"excerpt":{"rendered":"
Admins who work with WSUS regularly are used to connection issues of the MMC console. However, it is not clear from the error message what the cause of these problems could be. One possible reason is an expired certificate. After renewing it, you assign it to the WSUS website. For Server Core, you can do […]<\/p>\n","protected":false},"author":1,"featured_media":8001,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[92,111,113,112],"tags":[],"class_list":["post-8000","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-articles","category-deployment","category-patch-management","category-wsus"],"_links":{"self":[{"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/posts\/8000","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/comments?post=8000"}],"version-history":[{"count":2,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/posts\/8000\/revisions"}],"predecessor-version":[{"id":10355,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/posts\/8000\/revisions\/10355"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/media\/8001"}],"wp:attachment":[{"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/media?parent=8000"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/categories?post=8000"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/tags?post=8000"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}