Use DNS alias for WSUS

The server hosting WSUS is currently named something like server33.domain.com, which is the host name of the server, and group policy points clients to http://server33.domain.com. The server is going to be retired and WSUS will then be hosted on a new server (such as server65) and move from port 80 to 8531 or 443.

We would like to create a new DNS alias called something like wsus.domain.com and start using the alias with our current server and when we migrate to the new server we can just change the DNS alias to point to the new server.

When we enable SSL, will clients have a problem connecting or problems with the SSL certificate because they will be connecting to WSUS by DNS alias instead of the NetBIOS host name of the server?

September 1st, 2015 8:02pm

I do the DNS alias trick myself (wsus.domain.org); but we aren't using SSL so I can't say for certain.  My guess is that if the cert is for the old FQDN then you would have trouble.  I would think if the cert is a * or specifically for wsus.domain.org, you should be ok.
September 3rd, 2015 12:10pm

There is no existing cert since implementing SSL will be new.  I was wondering if the SSL cert has to match the local host name of the server or will it work with a DNS alias and be portable to new servers using the same DNS alias, but different real computer names.
September 3rd, 2015 3:06pm

Assuming you use IIS on this server for other purposes, have the certificate issued to wsus.domain.com if you don't want to get a wildcard cert, and in IIS Manager, have HTTPS only run on 8531. If the server is only for WSUS, then you could use 443 if you like.
September 4th, 2015 7:58pm
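
The name-matching rule behind the question in this thread, as an added example that is not part of any post: a TLS client compares the host name in the URL it was given (here the Group Policy WSUS URL) with the DNS names in the certificate, not with the server's computer name. The host names are the thread's placeholders, and the certificate name lists and function names are constructed for illustration.

```python
# Added example: TLS name matching as a client applies it to the WSUS URL.
# Host names are the thread's placeholders; the SAN lists are constructed.

def dns_name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: exact, or '*' as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # A wildcard covers exactly one label and needs a real domain after it.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def cert_covers(san_dns_names, host):
    """True if any dNSName entry in the certificate matches the URL host."""
    return any(dns_name_matches(name, host) for name in san_dns_names)


def audit(san_dns_names, url_hosts):
    """Map each host a client might use in its WSUS URL to pass/fail."""
    return {host: cert_covers(san_dns_names, host) for host in url_hosts}


# Names a client could be pointed at: the alias, old and new server FQDNs,
# and a short (single-label) computer name.
URL_HOSTS = ["wsus.domain.com", "server33.domain.com",
             "server65.domain.com", "server65"]

# Constructed certificate name lists to compare.
CANDIDATE_CERTS = {
    "alias only": ["wsus.domain.com"],
    "wildcard": ["*.domain.com"],
    "old host FQDN": ["server33.domain.com"],
}

if __name__ == "__main__":
    for label, sans in CANDIDATE_CERTS.items():
        print(label, audit(sans, URL_HOSTS))
```

A certificate naming only the alias passes on any server as long as clients are pointed at the alias, and fails for clients still configured with a server's own name.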

This topic is archived. No further replies will be accepted.
