
After having followed this guide, it is unclear when one would use a public certificate versus a domain certificate for WSUS.

  1. What are the advantages and disadvantages of one way versus the other?
  2. Are there any security implications that one needs to be aware of?
John

2 Answers


The primary advantage of a public certificate is that hosts automatically trust them, whereas members of an internal domain automatically trust an internal domain certificate. However, you can still manually install the internal domain signed certificate onto non-domain computers and have them trust it.

Another limitation of the internal domain certificate deals with their contents. They often contain CRL distribution points that are served out via the AD LDAP. This means that clients can only access the CRL distribution point (CDP) if they are joined to the internal domain and they have network connectivity to communicate with it. Note that you can still add a publicly accessible CDP to your certificates that would allow anyone to reach it over the internet. If you were to do this, you would need to serve this over HTTP instead of LDAP. Of course, you would also then be responsible for hosting that CRL securely on an internet facing webserver.

The security implications boil down to the following:

  1. Do you trust the public certificate more than you trust your internal certificate?
  2. Is there a greater chance of your internal domain certificates' private key being compromised than that of the public certificate?
Ryan Ries
  • Are there any EULA or licensing concerns about using a publicly signed certificate with WSUS? – John Aug 27 '13 at 19:34
  • @John No. Windows Server licensing isn't affected by whether you use publicly-trusted SSL certificates, internal domain certificates, self-signed certificates, or no certificates. – Ryan Ries Aug 27 '13 at 22:19

If you secure your HTTPS connections using a certificate signed by a public (Internet) Certificate Authority, you're making the assumption that all of your managed endpoints have Internet access in order to perform Certificate Revocation List (CRL) checking. This may not be the case, in which case they probably won't be able to download updates.

I am guessing that most of your endpoints will be domain attached, as this is the typical configuration for WSUS deployments, i.e.: WSUS configured via Group Policy. If this is the case, a certificate signed by an Intranet CA will be fine.

Oh, and no, there are no licencing implications (either way).

Simon Catlin
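Both answers turn on the same practical check: whether the WSUS clients can actually reach the CRL Distribution Points (CDPs) baked into the server certificate, LDAP-only CDPs from an internal CA being unreachable for non-domain hosts and HTTP CDPs from a public CA being unreachable for hosts without Internet access. The script below is an added example, not code from either answer or from Microsoft; it reads the CDP extension from an exported certificate and reports which URLs are LDAP (domain-only) and whether each HTTP URL answers from the host you run it on. The certificate path is an assumed placeholder.

```powershell
# Added example: list the CRL Distribution Points of a WSUS server certificate and
# test HTTP CDP reachability from this host. Assumes the certificate was exported
# (DER or Base64 .cer) to the path below; C:\temp\wsus.cer is a placeholder.
param(
    [string]$CertPath = 'C:\temp\wsus.cer'
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# OID 2.5.29.31 is the X.509 CRL Distribution Points extension
$cdpExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdpExt) {
    Write-Warning "Certificate '$($cert.Subject)' carries no CRL Distribution Points extension"
    return
}

# Format($true) renders the extension as multi-line text ("URL=ldap:///CN=..." etc.);
# pull every ldap/http/https URL out of that text
$text = $cdpExt.Format($true)
$urls = [regex]::Matches($text, '(ldap|https?)://\S+') | ForEach-Object { $_.Value }

foreach ($url in $urls) {
    if ($url -like 'ldap://*') {
        # An LDAP CDP is only resolvable by hosts that can reach Active Directory,
        # so non-domain or off-network clients will fail revocation checking here.
        [pscustomobject]@{ Url = $url; Type = 'LDAP (domain-only)'; Reachable = 'n/a' }
        continue
    }
    try {
        # The CRL is a binary blob; a 200 response is all we need to prove reachability
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
        $reachable = ($resp.StatusCode -eq 200)
    } catch {
        $reachable = $false
    }
    [pscustomobject]@{ Url = $url; Type = 'HTTP'; Reachable = $reachable }
}
```

Run it from a representative client (a domain-joined workstation and, if you have them, a non-domain or Internet-less one) rather than from the WSUS server itself, since the question is what the clients can reach. For a full chain-building check that also fetches AIA and OCSP endpoints, the built-in `certutil -verify -urlfetch C:\temp\wsus.cer` performs the same reachability test with Windows' own CryptoAPI logic.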