Symptoms
When attempting to publish updates from the update catalog through SCUP to the update server, the UpdatePublisher.log file contains the following error(s):
Exception occurred during publishing: Verification of file signature failed for file.
Publish: A fatal error occurred during publishing: Signature verification exception during publish, verify the WSUS certificates and advanced timestamp setting are properly configured.
Cause
Microsoft update KB2661254 raised the minimum RSA key length that Windows accepts for certificates from 512 bits to 1024 bits; any key shorter than 1024 bits is now rejected. Any updates previously signed with a 512-bit certificate are therefore no longer valid, and if your SCCM/WSUS/SCUP server still uses an outdated 512-bit signing certificate, every publish operation fails with the errors above once KB2661254 is installed.
Here are some example scenarios:
1) If you installed SCUP 4.5 or earlier and created the certificate with the SCUP program, the certificate is 512 bits long. Once KB2661254 is installed, this certificate is no longer valid and is not accepted.
2) If you installed SCUP 2011 with the recommended non-security update KB2530678 applied during the installation and created the certificate with the SCUP program, the certificate is 2048 bits long. It remains valid after KB2661254 is installed, and no changes are necessary.
3) If you installed SCUP 2011 without the recommended non-security update KB2530678 and created the certificate with the SCUP program, the certificate is 512 bits long. Once KB2661254 is installed, this certificate is no longer valid and is not accepted.
4) If you installed SCUP 4.5 or earlier, created the certificate with the SCUP 4.5 program, and an administrator later upgraded the system to SCUP 2011, the 512-bit certificate created by 4.5 is used by default with SCUP 2011. Once KB2661254 is installed, this certificate is no longer valid and is not accepted. Note: By default, SCUP 4.5 and 2011 can be installed side by side.
Resolution
First, verify whether the signing certificate in your SCCM environment is shorter than 1024 bits. If it is, a new certificate must be generated. To verify the key length, perform the following steps:
Open the System Center Updates Publisher program and navigate to the Options section. Under the "Update Server" tab, take note of the name shown under "Signing Certificate." Using the Microsoft Management Console (MMC), add the Certificates snap-in and select "Computer account" as the store you want to view. Under the WSUS certificate container you will see your certificate. Double-click the certificate and look at the "Public key" field on the Details tab; it reads, for example, "RSA (512 Bits)" and tells you the key length of the certificate. If the value is less than 1024 bits, a new certificate must be generated.
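The same check can be scripted so that all three certificate containers are inspected at once. The following PowerShell script is an added example and is not part of the original article or of SCUP itself; run it from an elevated prompt on the SCUP/WSUS/SCCM server. The value of $SigningCertName is an assumption (the default name SCUP gives a self-created certificate); replace it with the name shown under Options > Update Server > Signing Certificate.

```powershell
# Added example (not from the original article): report the RSA key length of the SCUP
# signing certificate in each LocalMachine store it should occupy. Run elevated on the
# SCUP/WSUS/SCCM server.
# ASSUMPTION: $SigningCertName matches the name SCUP shows under Options > Update Server.
$SigningCertName = 'WSUS Publishers Self-signed'
$MinimumKeyBits  = 1024   # minimum RSA key length enforced by KB2661254

function Get-ScupSigningCertStatus {
    foreach ($storeName in 'WSUS', 'TrustedPublisher', 'Root') {
        $storePath = "Cert:\LocalMachine\$storeName"
        if (-not (Test-Path $storePath)) {
            Write-Warning "Store $storeName does not exist on this machine"
            continue
        }
        Get-ChildItem -Path $storePath |
            Where-Object { $_.Subject -like "*$SigningCertName*" } |
            ForEach-Object {
                # KeySize is the same value the MMC 'Public key' field displays
                $keyBits = $_.PublicKey.Key.KeySize
                New-Object -TypeName PSObject -Property @{
                    Store      = $storeName
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    NotAfter   = $_.NotAfter
                    KeyBits    = $keyBits
                    Status     = if ($keyBits -lt $MinimumKeyBits) { 'TOO SHORT - regenerate' } else { 'OK' }
                }
            }
    }
}

Get-ScupSigningCertStatus |
    Select-Object Store, Subject, Thumbprint, NotAfter, KeyBits, Status |
    Format-Table -AutoSize
```

A certificate reported as "TOO SHORT" in any of the three stores must be replaced. If the same certificate is missing from one of the stores, or a different certificate is present in one of them, clients and the publisher are already out of step, and that store needs attention during the replacement below. Keep the Thumbprint column; it is the reliable way to identify the old certificate when removing it and when checking which published updates still carry its signature.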
Create a new digital certificate to use for the SCUP/WSUS/SCCM environment and client systems
Navigate to the Local Computer certificate store on the SCUP/WSUS/SCCM system. When SCUP, WSUS and SCCM are installed on the same machine, the certificate is stored in three containers: WSUS (which holds the signing key pair), Trusted Publishers and Trusted Root Certification Authorities. Back up the current certificate (export it with its private key), then remove the certificate identified in the previous steps from all three containers.
Close and reopen the System Center Updates Publisher program. On the Options page you will now see that no digital certificate is assigned to the program.
For System Center Updates Publisher 2011 (clean 2011 installation and 2011 upgraded from 4.5): You can create the digital certificate from the Options screen on the "Update Server" tab.
For System Center Updates Publisher 4.5: This program, by default, creates a certificate that is 512 bits long, so you will need to create or obtain a digital certificate by a method other than the System Center Updates Publisher. The Microsoft article is http://blogs.technet.com/b/jasonlewis/archive/2011/07/12/system-center-updates-publisher-signing-certificate-requirements-amp-step-by-step-guide.aspx
After creating the certificate, confirm on its Details tab that the "Public key" field now reports at least 1024 bits (SCUP 2011 creates a 2048-bit key). On the SCUP/WSUS/SCCM machine, place the new certificate in the Trusted Publishers and Trusted Root Certification Authorities containers, and distribute it to the same two containers on the client systems in the same way the original certificate was distributed.
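The backup, removal and re-import steps above can be performed with the script below. It is an added example, not code from the original article or from SCUP, and it covers the server side only; distributing the exported .cer to client systems (for instance through Group Policy) is a separate step it does not perform. $OldThumbprint, $BackupDir and $NewCertPath are assumptions: take the thumbprint from the key-length check, and export the new certificate from SCUP (Options > Update Server > View Certificate > Details > Copy to File) before running the second half.

```powershell
# Added example (not from the original article). Backs up the old 512-bit signing
# certificate, removes it from the WSUS, Trusted Publishers and Trusted Root stores, then
# installs the replacement certificate into Trusted Publishers and Trusted Root.
# Run elevated on the SCUP/WSUS/SCCM server.
$OldThumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'   # ASSUMED: thumbprint of the 512-bit cert
$BackupDir     = 'C:\CertBackup'                              # ASSUMED: backup folder
$NewCertPath   = 'C:\CertBackup\SCUPSigning-2048.cer'         # ASSUMED: .cer exported from SCUP

function Open-MachineStore([string]$Name) {
    # Opens a LocalMachine certificate store read/write (X509Store ships with .NET)
    $store = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Store `
                        -ArgumentList $Name, 'LocalMachine'
    $store.Open('ReadWrite')
    return $store
}

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# 1. Back up the public certificate and remove the old certificate from each store.
#    The private key in the WSUS store is not written out here; export it as a PFX
#    from the MMC before running this if you have not already done so.
foreach ($storeName in 'WSUS', 'TrustedPublisher', 'Root') {
    $store = Open-MachineStore $storeName
    $old = @($store.Certificates | Where-Object { $_.Thumbprint -eq $OldThumbprint })
    foreach ($cert in $old) {
        $bytes = $cert.Export('Cert')     # DER-encoded public certificate
        [IO.File]::WriteAllBytes("$BackupDir\$storeName-$OldThumbprint.cer", $bytes)
        $store.Remove($cert)
        Write-Host "Removed $($cert.Subject) ($($cert.PublicKey.Key.KeySize) bits) from $storeName"
    }
    $store.Close()
}

# 2. Install the replacement certificate into the two trust stores, refusing any
#    certificate that would be rejected by KB2661254 again.
$new = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
                  -ArgumentList $NewCertPath
if ($new.PublicKey.Key.KeySize -lt 1024) {
    throw "Replacement certificate is only $($new.PublicKey.Key.KeySize) bits; not installing it"
}
foreach ($storeName in 'TrustedPublisher', 'Root') {
    $store = Open-MachineStore $storeName
    $already = @($store.Certificates | Where-Object { $_.Thumbprint -eq $new.Thumbprint })
    if ($already.Count -eq 0) {
        $store.Add($new)
        Write-Host "Installed $($new.Subject) ($($new.PublicKey.Key.KeySize) bits) into $storeName"
    }
    $store.Close()
}
```

The key-length guard before the import matters: a certificate obtained from another source (for example a misconfigured internal CA template) can again be shorter than 1024 bits, and installing it would reproduce the original failure with a different thumbprint.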
Impact/Risks
All updates previously published from SCUP to WSUS/SCCM were signed with the old 512-bit certificate. Once the new certificate is trusted, client systems accept any updates signed with it, but the older updates still carry the old signature and are rejected until they are re-signed.
For every update you have published through SCUP to WSUS/SCCM, you need to re-sign the update. In SCUP 2011, under the publish options, publish with the "Full Content" option and the "Sign all software updates with a new publishing certificate..." checkbox selected. With this setting, a "Full Content" publish makes System Center Updates Publisher download the patch again, package it in a .cab file, and sign the .cab with the new digital certificate.
For System Center Updates Publisher 4.5, the setting is global for all updates: under the "Settings > Advanced" tab, select the "Prompt for re-signing updates while publishing" checkbox.
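To confirm which published updates still carry the old signature, the Authenticode signature on each .cab in the WSUS content directory can be checked directly. The following script is an added example, not part of the original article or of SCUP; $WsusContent and $OldThumbprint are assumptions (the content path is shown in the WSUS console under Options > Update Files and Languages, and the thumbprint is the one recorded before the old certificate was removed).

```powershell
# Added example (not from the original article). Walks the WSUS content directory and
# reports every .cab that is still Authenticode-signed by the retired certificate, or
# whose signature no longer verifies, so you can see which updates still need a
# "Full Content" re-publish. Run on the WSUS server.
$WsusContent   = 'D:\WSUS\WsusContent'                           # ASSUMED: WSUS content path
$OldThumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'      # ASSUMED: retired 512-bit cert

function Get-CabSignatureReport {
    Get-ChildItem -Path $WsusContent -Filter *.cab -Recurse | ForEach-Object {
        $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = $sig.SignerCertificate
        New-Object -TypeName PSObject -Property @{
            File        = $_.FullName
            Status      = $sig.Status     # Valid, NotSigned, HashMismatch, UnknownError ...
            Signer      = if ($signer) { $signer.Subject } else { '' }
            KeyBits     = if ($signer) { $signer.PublicKey.Key.KeySize } else { 0 }
            # Signed by the old certificate: must be re-published with "Full Content"
            NeedsResign = ($signer -ne $null -and $signer.Thumbprint -eq $OldThumbprint)
        }
    }
}

# Microsoft-signed content verifies normally and is filtered out; what remains is the
# work list for re-signing, plus anything that fails verification for another reason.
Get-CabSignatureReport |
    Where-Object { $_.NeedsResign -or $_.Status -ne 'Valid' } |
    Select-Object File, Status, Signer, KeyBits, NeedsResign |
    Format-Table -AutoSize
```

After the "Full Content" re-publish, run the report again: the list should be empty, and spot-checking a re-published .cab should show Status Valid with the new thumbprint and a KeyBits value of at least 1024. A .cab signed by the old certificate reports a non-Valid status only on a machine that already has KB2661254 installed, which is exactly what the clients will see.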
Products
Shavlik SCUPdates