If you secure your HTTPS connections using a certificate signed by a public (Internet) Certificate Authority, you're making the assumption that all of your managed endpoints have Internet access in order to perform Certificate Revocation List (CRL) checking. This may not be the case, in which case they probably won't be able to download updates.
I am guessing that most of your endpoints will be domain attached, as this is the typical configuration for WSUS deployments, i.e.: WSUS configured via Group Policy. If this is the case, a certificate signed by an Intranet CA will be fine.
Oh, and no, there are no licencing implications (either way).