So I'm setting up Reposado and inline with my "https everywhere" mantra I'm planning on delivering updates over https with it (instead of http like normal SUS).
Turns out, the SUS client (in 10.7 anyway) requires a valid cert.
Software Update Tool Copyright 2002-2010 Apple The certificate for this server is invalid. You might be connecting to a server that is pretending to be “<redacted>” which could put your confidential information at risk.
This is not yet a prod box and it's just using a self signed cert as generated by mod_ssl in Apache.
Just found it interesting.
