Admins who work with WSUS regularly are used to connection issues with the MMC console. However, the error message does not reveal what the cause of these problems could be. One possible reason is an expired certificate. After renewing it, you assign it to the WSUS website. On Server Core, you can do this using PowerShell.

A common cause of WSUS console connection problems is an overdue cleanup of the server from updates that are no longer needed. In this case, access to the database may time out and the connection is then terminated.

However, the problem could also be due to an expired certificate, although the WSUS console does not provide information on this.

WSUS console message in case of connection failure due to an invalid certificate

In this case, PowerShell is more informative. Running the command

Get-WsusServer -Name wsus.contoso.com -UseSsl -PortNumber 8531

results in the following error message:

The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel

Error message from Get-WsusServer for an expired SSL certificate

To confirm that the invalid certificate is causing the connection error, you can open the following URL in your web browser:

https://<WSUS-Server>:8531/selfupdate/wuident.cab

There, you will receive a clear error message and can verify the certificate immediately.
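If you want the same check without a browser, the following function, which is an added example and not part of the original article, connects to the WSUS port, accepts whatever certificate is presented so that an expired one can still be inspected, and reports its validity period and subject alternative names. The host name wsus.contoso.com and port 8531 are taken from the article; everything else is an assumption about your environment.

```powershell
# Added example: inspect the certificate the WSUS site actually presents on its
# SSL port. The validation callback returns $true on purpose so that an expired
# or untrusted certificate can still be read out instead of failing the handshake.
function Get-WsusSslCertificateInfo {
    param(
        [string]$ComputerName = 'wsus.contoso.com',   # assumed WSUS host name
        [int]$Port = 8531                             # WSUS SSL port from the article
    )

    $client = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    try {
        $accept = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($ComputerName)

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Subject Alternative Name extension, formatted on one line (e.g. "DNS Name=wsus.contoso.com, DNS Name=wsus")
        $san = $cert.Extensions |
            Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' } |
            ForEach-Object { $_.Format($false) }

        [pscustomobject]@{
            Server     = "$ComputerName`:$Port"
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            Thumbprint = $cert.Thumbprint
            NotBefore  = $cert.NotBefore
            NotAfter   = $cert.NotAfter
            Expired    = ($cert.NotAfter -lt (Get-Date))
            NotYetValid = ($cert.NotBefore -gt (Get-Date))
            SAN        = $san
        }
    }
    finally {
        $client.Close()
    }
}

# Usage:
Get-WsusSslCertificateInfo -ComputerName 'wsus.contoso.com' -Port 8531
```

If Expired is True, the certificate is the cause of the connection failure described above; if it is False but the Issuer is not trusted on the client, the trust relationship error has a different root cause (a missing CA certificate on the client) and renewing the server certificate will not help.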

Request a new certificate

If an expired certificate is identified as the root cause, the first step is to issue a new one. As it is common practice to run WSUS on Server Core, the following guide focuses on the PowerShell method. This is, of course, applicable to Windows Server with a desktop interface as well.

In our example, we request the new certificate from a Windows CA. The command using Get-Certificate could look like this:

Get-Certificate -SubjectName "C=DE,O=contoso,CN=wsus,DC=contoso,DC=com" `
 -DnsName wsus.contoso.com,wsus -Template WebServer `
 -CertStoreLocation Cert:\LocalMachine\My `
 -URL "ldap:///CN=contoso-CA"

Request new SSL certificate for the WSUS server with PowerShell.

The example above issues the certificate for the server wsus.contoso.com using the WebServer template. The second value for the DnsName parameter allows you to connect using the host name wsus only without receiving a certificate warning. You can specify the CA path via the URL parameter.

After successfully obtaining the certificate, it will be located in the store under LocalMachine\My (Personal\Certificates in certlm.msc). You can verify this using the following pattern:

Get-ChildItem Cert:\LocalMachine\My | where Issuer -like "*contoso-CA*" |
sort -Property NotBefore | select Thumbprint, NotBefore

Next, you'll need the certificate's thumbprint to bind it to the WSUS website.

Bind certificate to WSUS site

To activate the new certificate, bind it to the WSUS Administration site in IIS. This can be done with the following script:

# Get the WSUS website object (the site is named "WSUS Administration" by default)
$website = Get-Website -Name "wsus*"
# Get the new certificate from the machine store using its thumbprint
$cert = Get-Item -Path Cert:\LocalMachine\My\DEDEC6BDCB2BC3900A152…
# Get the current https binding of the WSUS website
$binding = Get-WebBinding -Name $website.Name -Port 8531 -Protocol https
# Assign the new certificate (from the LocalMachine\My store) to the binding
$binding.AddSslCertificate($cert.GetCertHashString(), "my")

After these commands have run successfully, restart IIS:

Restart-Service w3svc

Bind new SSL certificate to WSUS website

Now, when you run

Get-WebBinding -Name $website.Name -Port 8531 -Protocol https

it should display the thumbprint of the new certificate, and the WSUS console should be able to connect to the server accordingly.
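The steps above (locate the certificate, bind it, restart IIS, verify the binding) can be combined into one script that does not require you to copy a thumbprint by hand. The following is an added example, not the article's own script: it selects the newest unexpired certificate in the machine store whose subject alternative names contain the WSUS host name, skips the rebind if the site already uses it, and then compares the binding's certificate hash with the thumbprint it expects. The host name, the port and the default site name "WSUS Administration" are assumptions to adjust for your environment.

```powershell
# Added example: bind the newest valid certificate for the WSUS host name to the
# WSUS Administration site and verify the binding afterwards.
Import-Module WebAdministration

$hostName = 'wsus.contoso.com'      # assumed WSUS host name
$port     = 8531                    # WSUS SSL port from the article
$siteName = 'WSUS Administration'   # default name of the WSUS site in IIS

# Newest certificate in the machine store that has a private key, has not expired
# and lists the host name as a DNS name. DnsNameList is the property PowerShell
# adds to certificate objects; Unicode holds the plain host name form.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        $_.DnsNameList.Unicode -contains $hostName
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No valid certificate for $hostName with a private key found in Cert:\LocalMachine\My"
}

$website = Get-Website -Name $siteName
if (-not $website) { throw "Website '$siteName' not found" }

$binding = Get-WebBinding -Name $website.Name -Port $port -Protocol https
if (-not $binding) {
    throw "No https binding on port $port found for site '$($website.Name)'"
}

# certificateHash on the binding object is the thumbprint of the bound certificate;
# only rebind and restart IIS when it differs from the certificate we selected.
if ($binding.certificateHash -ne $cert.Thumbprint) {
    $binding.AddSslCertificate($cert.Thumbprint, 'my')
    Restart-Service w3svc
}

# Verification: the binding must now carry the thumbprint of the selected certificate
$check = Get-WebBinding -Name $website.Name -Port $port -Protocol https
[pscustomobject]@{
    Site            = $website.Name
    BoundThumbprint = $check.certificateHash
    Expected        = $cert.Thumbprint
    Match           = ($check.certificateHash -eq $cert.Thumbprint)
    ExpiresOn       = $cert.NotAfter
}
```

Selecting by DnsNameList rather than by subject matters here because, as in the Get-Certificate example above, the subject CN (wsus) need not equal the host name clients connect to (wsus.contoso.com); the subject alternative name is what the console and the browser actually validate.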

Summary

If the WSUS console can't connect to the server, it may be due to an expired certificate. You can verify this by using commands like Get-WsusServer or by opening a URL from the WSUS site in the web browser.

To issue a new certificate from an internal Windows CA, you can use the Get-Certificate cmdlet. This is particularly useful on Server Core installations. After obtaining the certificate, you bind it to the WSUS website with PowerShell using the AddSslCertificate method.

© 4sysops 2006 - 2023