For publishing to succeed, the WSUS self-signed certificate must be saved in the following three locations: Trusted Root Certification Authorities, Trusted Publishers, and WSUS. The Trusted Root Certification Authorities store should contain the relevant root certificate.
If the certificate's public key has not been copied to any one of the three locations (in particular the Trusted Publishers location), or the private key is not present in the WSUS location, publishing may fail with the following error message.
[5/22/2017 7:03:30 PM|C] Task execution faulted (id: adc97f47-5c41-442b-b19d-f266a2d8adec): Verification of file signature failed for file: \\win2008r2sccm12.isas.flexdev.com\UpdateServicesPackages\6e16403a-042f-49db-9106-7d0fab21d4b9\bbee425c-fa3d-46dd-a703-065fd184fe86_1.cab
InvalidOperationException: Verification of file signature failed for file: \\win2008r2sccm12.isas.flexdev.com\UpdateServicesPackages\6e16403a-042f-49db-9106-7d0fab21d4b9\bbee425c-fa3d-46dd-a703-065fd184fe86_1.cab
at Microsoft.UpdateServices.Internal.BaseApi.Publisher.VerifyAndPublishPackage()
at Microsoft.UpdateServices.Internal.BaseApi.Publisher.PublishPackage(String sourcePath, String additionalSourcePath, String packageDirectoryName)
at System.Threading.Tasks.Task.Execute()
at FlexeraSoftware.SVM.Daemon.WsusApi.PublishPackageAsync()
at FlexeraSoftware.SVM.Daemon.PublishPackageWorkItem.PublishPackageAsync()
at FlexeraSoftware.SVM.Daemon.DaemonWorkItem.ExecuteTasks()
--- Stack Trace Ends ---
Troubleshooting options for WSUS self-signed certificate error message
You have two options to create the new certificate if this error message appears:
c:\Program Files\Flexera Software\SVM Daemon>svmpd.exe newcert
System.InvalidOperationException
This WSUS server cannot issue a self-signed certificate. To import a signing certificate into the WSUS server, use one of the following supported methods:
1. SetSigningCertificate(string, string)
2. SetSigningCertificate(string, SecureString)
Create a WSUS self-signed certificate
Enable self-signing on the server. Although WSUS does not generate self-signed certificates by default, it is possible to restore the legacy behavior by setting the following registry value.
• Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Update Services\Server\Setup\
• Create DWORD value: EnableSelfSignedCertificates = 1
Please note that the CreateSelfSignedCertificate API is still considered deprecated and may be removed in a future version of Windows. For further details, see https://blogs.technet.microsoft.com/wsus/2013/08/15/wsus-no-longer-issues-self-signed-certificates/
Use a real certificate, and use the svmpd.exe option UseCert.
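The following read-only PowerShell check covers the three certificate locations described at the top of this page and the EnableSelfSignedCertificates value. It is an added example, not Flexera or Microsoft code; the function name Test-WsusSigningCertPlacement is hypothetical, and it assumes an elevated session on the WSUS server with PowerShell 3.0 or later.

```powershell
# Added example: read-only audit, run elevated on the WSUS server.
# Assumption: the signing certificate is whatever sits in LocalMachine\WSUS.
function Test-WsusSigningCertPlacement {
    [CmdletBinding()]
    param()

    # Registry value described on this page; absent or 0 means WSUS refuses to self-sign.
    $setupKey = 'HKLM:\Software\Microsoft\Update Services\Server\Setup'
    $setup = Get-ItemProperty -Path $setupKey -Name 'EnableSelfSignedCertificates' -ErrorAction SilentlyContinue
    $selfSigningEnabled = ($null -ne $setup) -and ($setup.EnableSelfSignedCertificates -eq 1)

    $signing = @(Get-ChildItem -Path 'Cert:\LocalMachine\WSUS' -ErrorAction SilentlyContinue)
    if ($signing.Count -eq 0) {
        Write-Warning "No certificate in LocalMachine\WSUS (self-signing enabled: $selfSigningEnabled)."
        return
    }

    foreach ($cert in $signing) {
        # Publishing needs the same certificate (public key) in Trusted Publishers.
        $inPublishers = Test-Path -Path "Cert:\LocalMachine\TrustedPublisher\$($cert.Thumbprint)"

        # Build the chain in machine context. For a self-signed certificate this
        # succeeds only if the certificate itself is in Trusted Root; for a CA-issued
        # one, only if its root is. Revocation is skipped so the check runs offline.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $chainOk = $chain.Build($cert)
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

        [pscustomobject]@{
            Thumbprint          = $cert.Thumbprint
            Subject             = $cert.Subject
            NotAfter            = $cert.NotAfter
            SelfSigned          = ($cert.Subject -eq $cert.Issuer)
            PrivateKeyInWsus    = $cert.HasPrivateKey
            InTrustedPublishers = $inPublishers
            ChainsToTrustedRoot = $chainOk
            ChainStatus         = $status
            SelfSigningEnabled  = $selfSigningEnabled
        }
    }
}

Test-WsusSigningCertPlacement | Format-List
```

A healthy server reports PrivateKeyInWsus, InTrustedPublishers and ChainsToTrustedRoot as True; a ChainStatus of UntrustedRoot points at the Trusted Root location.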
Software Vulnerability Research Help Library, May 2019