Certificate errors when downloading or installing Third-Party updates to clients or Software Distribution Points

Created by Brandon Painter, last modified by MindTouch on Jun 23, 2016


Overview

This article describes how to verify that the WSUS certificate is installed on your client PC, downstream WSUS server, SCCM server, or any other Windows system that reports certificate errors when downloading and installing updates. The WSUS self-signed certificate needs to be in both the Trusted Root Certification Authorities and Trusted Publishers stores (which authorizes the install of the signed content). You also need to ensure that the policy on the computer has "Allow signed updates from an intranet Microsoft update services location" enabled.

Errors:

  • Certificate chain process terminated
  • Invalid Signature
  • Verification of signature file failed
  • Failed to download content id "X". Error: Invalid certificate signature
    Package.

Environment

All Patch Manager versions

Cause 

The WSUS self-signed certificate is not installed in the Trusted Root Certification Authorities and Trusted Publishers stores, or "Allow signed updates from an intranet Microsoft update services location" is not enabled in the computer policy.

Resolution

Verify that the Windows Update policy on the machine has the "Allow Signed Content..." setting enabled.

  1. Click Start, type RSOP.msc, and press the Enter key.

    a. RSOP is the Resultant Set of Policy, which reflects the current policy, both local and GPO, applied to the system.

  2. Navigate to Computer configuration > Administrative Templates > Windows Components > Windows Update.

  3. Ensure that the setting for "Allow signed updates from an intranet Microsoft update services location" is Enabled.

    a. If there is no setting configured, you will need to update that from your GPMC on the Domain Controller. See the Configuring the Group Policy Object section of the Patch Manager Admin Guide for more information.

 

Export the WSUS Certificate

To provision downstream publishing servers with a WSUS certificate, export it from the upstream WSUS server. See the Exporting the WSUS Certificate section of the Patch Manager Admin Guide for more information.

 

Importing the WSUS Certificate

After you have exported the certificate to a file, import the certificate file to both the Trusted Root Certification Authorities and Trusted Publishers stores. You can import the certificate into your GPO or you can manually import it to the PC with the steps below.

  1. Log on to the machine that is receiving the certificate error downloading or installing the update and copy the certificate to the local machine.

  2. Launch MMC.exe.

  3. Click File > Add/Remove Snap-in.

  4. Select Certificates and click Add in the middle.

  5. Select the Computer account and click Next.

  6. Select the Local Computer and click Finish.

  7. Click OK.

  8. Expand the Certificates (Local Computer) > Trusted Root Certification Authorities > Certificates.

    a. Look through this directory for the WSUS self-signed certificate. If it is present, make sure the serial number is the same as the one you exported from WSUS earlier. If it is, proceed to step 9; if not, continue to step b.

    b. If it is not present, right-click on Certificates under Trusted Root Certification Authorities > All Tasks > Import.

    c. Click Next.

    d. Click Browse, navigate to the directory where you copied the certificate, select it, and then click Next.

    e. Make sure it states that the certificate will be placed in the Trusted Root CA store, then click Next.

    f. Click Finish.

  9. While in the certificates MMC navigate to Trusted Publishers > Certificates.

    a. Look through this directory for the WSUS self-signed certificate. If it is present, make sure the serial number is the same as the one you exported from WSUS earlier. If it is, attempt to download the update again; if the serial number doesn't match, continue to step b.

    b. If it is not present, right-click on Certificates under Trusted Publishers > All Tasks > Import.

    c. Click Next.

    d. Click Browse, navigate to the directory where you copied the certificate, select it, and then click Next.

    e. Make sure it states that the certificate will be placed in the Trusted Publishers store, then click Next.

    f. Click Finish.
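
The policy and certificate-store checks from this procedure can also be scripted. The PowerShell below is an added example, not part of the original article or of Patch Manager: the certificate path is a hypothetical placeholder, and it assumes the policy is stored in the AcceptTrustedPublisherCerts registry value. It compares the thumbprint as well as the serial number, so a different certificate that happens to reuse the serial is not reported as a match.

```powershell
# Added example (not Patch Manager code). Run from an elevated prompt on the
# machine that reports the certificate error.
# $CerPath is a hypothetical location for the certificate exported from WSUS.
param([string]$CerPath = 'C:\Temp\WSUS-Publishing.cer')

# Policy check. Assumption: "Allow signed updates from an intranet Microsoft
# update services location" is stored as AcceptTrustedPublisherCerts = 1.
$wuKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$policy = (Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue).AcceptTrustedPublisherCerts
[pscustomobject]@{
    Check  = 'Allow signed updates policy'
    Status = if ($policy -eq 1) { 'Enabled' } else { 'Not enabled or not configured' }
}

# Load the exported certificate so both stores are compared to the same reference.
$exported = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
    (Resolve-Path -Path $CerPath).Path)

foreach ($store in 'Root', 'TrustedPublisher') {
    # Candidates: certificates in the local computer store with the same subject.
    $sameSubject = @(Get-ChildItem -Path "Cert:\LocalMachine\$store" |
        Where-Object { $_.Subject -eq $exported.Subject })

    # Exact match: same serial number and same thumbprint as the exported file.
    $exact = @($sameSubject | Where-Object {
        $_.SerialNumber -eq $exported.SerialNumber -and
        $_.Thumbprint   -eq $exported.Thumbprint })

    $status = if ($exact.Count -gt 0) {
        'Present, matches exported certificate'
    } elseif ($sameSubject.Count -gt 0) {
        'Present, but serial number or thumbprint differs (import needed)'
    } else {
        'Missing (import needed)'
    }

    [pscustomobject]@{
        Check          = "Cert:\LocalMachine\$store"
        Status         = $status
        ExpectedSerial = $exported.SerialNumber
        FoundSerials   = ($sameSubject.SerialNumber -join ', ')
        ExportedExpiry = $exported.NotAfter
    }
    # Scripted equivalent of the manual import steps, once the file is confirmed
    # to be the certificate exported from your WSUS server:
    #   Import-Certificate -FilePath $CerPath -CertStoreLocation "Cert:\LocalMachine\$store"
}
```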

 

Last modified
01:00, 23 Jun 2016
