Author Topic: Do I need to re-publish updates with new signing certificate? How?

Offline Pepper

My WSUS self-signed certificate is expiring later this year. In preparation for this I have gone through the procedure again and now have a certificate valid until sometime in 2022.

I have pushed out the new certificate alongside the old one in my Group Policy, and have successfully published and deployed updates using this new certificate.

In a few months, when the old certificate has expired, I expect that if I were to build a new machine from my standard image and attempt to update it, I would have updates fail to install which were signed with the old certificate. If this is indeed the case, what would be the proper method for re-publishing those old but still valid updates when the time comes? Or, is the certificate still considered valid based on its being valid on the date it was used to sign the update package?
« Last Edit: August 14, 2017, 10:37:47 AM by Pepper »

Offline Justin Chalfant

  • Patch My PC Support
  • Administrator
Re: Do I need to re-publish updates with new signing certificate? How?
« Reply #1 on: August 14, 2017, 05:17:54 PM »
Hey!

If you are using a self-signed certificate the updates will likely fail after the expire date since they won't be time-stamped. From SCUP, you can re-publish updates published with the old cert using the option below:


Offline Pepper

Re: Do I need to re-publish updates with new signing certificate? How?
« Reply #2 on: August 15, 2017, 08:12:07 AM »
OK, just to confirm, here's what I did.

- In SCUP, go to "All Software Updates" and sort by date published.
- Select all non-expired updates with a published date older than when I replaced the certificate.
- Click Publish, tick the box you showed me which I had never noticed was there before, and then just wait a while for it to do the job.

That should take care of it, and after it's done it would be safe to remove the old certificate from my Group Policy, correct?

Offline Justin Chalfant

Re: Do I need to re-publish updates with new signing certificate? How?
« Reply #3 on: August 16, 2017, 05:11:53 PM »
That's correct. To be safe you will probably want to stop the updates from being deployed in the Update Group, remove the updates from the deployment package, then after re-publishing them and resyncing your SUP, re-download and deploy them in SCCM to ensure you get the newly signed files.
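
The check implied by the replies above, as an added example that is not from the thread's participants or from Patch My PC: it classifies Authenticode signatures by whether they carry a timestamp and whether they were made with the certificate being retired. The function name `Get-SignatureExpiryRisk`, the thumbprints, dates and file names are constructed for illustration, and it assumes the published update files can be read by `Get-AuthenticodeSignature`.

```powershell
# Added example: flag update files whose signature has no timestamp and
# therefore stops validating once the signing certificate expires.
function Get-SignatureExpiryRisk {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Signature,
        # Thumbprint of the certificate being retired (placeholder default)
        [string]   $OldThumbprint = '<OLD-CERT-THUMBPRINT>',
        [datetime] $AsOf = (Get-Date)
    )
    process {
        $cert = $Signature.SignerCertificate
        $risk = if (-not $cert) {
            'Unsigned'
        } elseif ($Signature.TimeStamperCertificate) {
            'Timestamped'             # signing time can be proven later
        } elseif ($cert.NotAfter -lt $AsOf) {
            'ExpiredNoTimestamp'      # already past the signer's NotAfter
        } else {
            'WillExpireNoTimestamp'   # valid today, fails after NotAfter
        }
        [pscustomobject]@{
            Path              = $Signature.Path
            Risk              = $risk
            SignedWithOldCert = [bool]($cert -and $cert.Thumbprint -eq $OldThumbprint)
            SignerNotAfter    = if ($cert) { $cert.NotAfter }
        }
    }
}

# Constructed sample objects with the same property names that
# Get-AuthenticodeSignature returns, so the logic can be tried offline.
$sample = @(
    [pscustomobject]@{ Path = 'old-update.cab'; TimeStamperCertificate = $null
        SignerCertificate = [pscustomobject]@{ Thumbprint = 'AAAA'; NotAfter = [datetime]'2017-11-01' } }
    [pscustomobject]@{ Path = 'new-update.cab'; TimeStamperCertificate = $null
        SignerCertificate = [pscustomobject]@{ Thumbprint = 'BBBB'; NotAfter = [datetime]'2022-08-01' } }
)
$sample | Get-SignatureExpiryRisk -OldThumbprint 'AAAA' -AsOf ([datetime]'2017-12-01') |
    Format-Table -AutoSize

# Against real files (the path is a placeholder for your own content folder):
# Get-ChildItem '<published-content-folder>' -Recurse -Filter *.cab |
#     ForEach-Object { Get-AuthenticodeSignature -FilePath $_.FullName } |
#     Get-SignatureExpiryRisk -OldThumbprint '<OLD-CERT-THUMBPRINT>' |
#     Where-Object SignedWithOldCert
```

Any file still reported with `SignedWithOldCert` set after re-publishing and re-downloading is one to resolve before the old certificate is removed from Group Policy.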

Offline Amelie76

Re: Do I need to re-publish updates with new signing certificate? How?
« Reply #4 on: August 21, 2017, 04:02:10 AM »
As Admin Justin mentioned here, with R2 WSUS not taking a certification, when using SCUP 2011 so you will have the message “The test connection succeeded”. Conversely, no login certificate was noticed for the updated server. Without first registration no one is not able to publish content. I’m Microsoft certified system engineer as well as essayist at Assignment Writing Help UK (Removed URL) firm and I think that there should be updates available for new signing.
« Last Edit: August 21, 2017, 09:41:15 AM by Admin - Justin »

Offline Pepper

Re: Do I need to re-publish updates with new signing certificate? How?
« Reply #5 on: August 24, 2017, 02:41:41 PM »
Cute attempt at being a spambot, spambot. 8)