Troubleshoot certificate errors during third-party updates
When you download or install third-party updates to clients of software distribution points, the targeted managed system may display certificate errors. These errors may include:
- Certificate chain process terminated
- Invalid signature
- Failed to download
These errors may be caused by:
- WSUS self-signed certificate not installed in the Trusted Root CA and Trusted Publishers
- Allowed signed updates from an intranet Microsoft update services location setting is not enabled in the computer policy
To resolve these errors, verify that the WSUS certificate is installed on the client computers, WSUS server, SCCM server, and any other Windows-based system that generates errors when you download and install your software updates.
Check the Windows Update Policy
Verify that the WSUS self-signed certificate is located in the Trusted Root Certification Authorities. This certificate authorizes the installation of the signed content. Also, ensure that the policy on the computer has "Allow signed updates from an intranet Microsoft update services location" enabled.
-
Locate and open the Resultant Set of Policy (RSOP) on the target computer. This policy reflects the current policy for the local and GPO applied to the system.
Open a Search box and type:
RSOP.msc
Generating the policy may require several minutes to complete. - Navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Update.
-
Verify that the following policy setting is enabled:
Allow signed updates from an intranet Microsoft update services location
If the setting is not configured, update the setting from your Group Policy Management Console on the Domain Controller. See Configure clients using Group Policy for details.
- Close the file.
Export the WSUS certificate
Provision your downstream publishing servers with a WSUS certificate by exporting the certificate from the upstream WSUS server.
See Configure clients using Group Policy for details.
Import the WSUS certificate
After you export the certificate to a file, import the certificate file to both the Trusted Root Certification Authorities and Trusted Publishers stores. You can import the certificate into your GPO or perform the following steps to manually import the certificate to the PC.
- Log on to the computer that is receiving the certificate error.
- Copy the certificate to the local machine.
-
Launch the Microsoft Management Console by executing:
MMC.exe
- Click File > Add/Remove Snap-in.
- Select Certificates and click Add.
- Select the Computer account, and click Next.
- Select the Local Computer, and click Finish.
- Click OK.
- Place the certificate in Trusted Root CA.
- Expand Certificates (Local Computer) > Trusted Root Certification Authorities > Certificates.
- Search the directory for a WSUS Self-Signed Certificate.
Make sure the serial number is identical with the certificate you exported from the WSUS server.
If the certificate is identical, go to step 10. If not, go to step d.
- Right-click Certificates under Trusted Root Certification Authorities > All Tasks > Import.
- Click Next.
- Click Browse and navigate to the directory where you copied the certificate.
- Select the certificate, and then click Next.
- Make sure the certificate is placed in Trusted Root CA, and then click Next.
- Click Finish.
- Place the certificate in Trusted Publishers.
- In the certificates MMC, navigate to Trusted Publishers > Certificates.
Search this directory for the WSUS Self-Signed Certificate, if it is present, make sure the serial number is the same as the certificate you exported from WSUS. If it is, download the update again.
If the serial number doesn’t match continue to step c.
- If it is not present, right-click Certificates under Trusted Publishers > All Tasks > Import.
- Click Next.
- Click Browse and navigate to the directory where you copied the certificate.
- Select the certificate, and click Next.
- Verify that the certificate is being placed in Trusted Publishers, and click Next.
- Click Finish.