
Do I need to re-publish updates with new signing certificate? How?

Started by Pepper, August 14, 2017, 10:34:09 AM


Pepper

My WSUS self-signed certificate is expiring later this year. In preparation for this I have gone through the procedure again and now have a certificate valid until sometime in 2022.

I have pushed out the new certificate alongside the old one in my Group Policy, and have successfully published and deployed updates using this new certificate.

In a few months, when the old certificate has expired, I expect that if I were to build a new machine from my standard image and attempt to update it, I would have updates fail to install which were signed with the old certificate. If this is indeed the case, what would be the proper method for re-publishing those old but still valid updates when the time comes? Or, is the certificate still considered valid based on its being valid on the date it was used to sign the update package?

Justin Chalfant (Patch My PC)

Hey!

If you are using a self-signed certificate the updates will likely fail after the expire date since they won't be time-stamped. From SCUP, you can re-publish updates published with the old cert using the option below:



Quote from: Pepper on August 14, 2017, 10:34:09 AM
My WSUS self-signed certificate is expiring later this year. In preparation for this I have gone through the procedure again and now have a certificate valid until sometime in 2022.

I have pushed out the new certificate alongside the old one in my Group Policy, and have successfully published and deployed updates using this new certificate.

In a few months, when the old certificate has expired, I expect that if I were to build a new machine from my standard image and attempt to update it, I would have updates fail to install which were signed with the old certificate. If this is indeed the case, what would be the proper method for re-publishing those old but still valid updates when the time comes? Or, is the certificate still considered valid based on its being valid on the date it was used to sign the update package?

Pepper

OK, just to confirm, here's what I did.

- In SCUP, go to "All Software Updates" and sort by date published.
- Select all non-expired updates with a published date older than when I replaced the certificate.
- Click Publish, tick the box you showed me which I had never noticed was there before, and then just wait a while for it to do the job.

That should take care of it, and after it's done it would be safe to remove the old certificate from my Group Policy, correct?

Justin Chalfant (Patch My PC)

That's correct. To be safe you will probably want to stop the updates from being deployed in the Update Group, remove the updates from the deployment package, then after re-publishing them and resyncing your SUP, re-download and deploy them in SCCM to ensure you get the newly signed files.
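
An added example, not part of the original thread or any Patch My PC tooling: a PowerShell audit of the two things the answers above turn on, namely which certificate signed each published package and whether the signature carries a timestamp. The package path, the thumbprint placeholder and the assumption that published packages sit as signed .cab files under that folder are all assumptions to adjust for your server.

```powershell
# Added example: audit locally published update packages for the old signing
# certificate and for missing timestamps. Read-only; it changes nothing.
# Assumptions (placeholders, not values from the thread):
$PackageRoot   = 'D:\WSUS\UpdateServicesPackages'   # hypothetical path
$OldThumbprint = '<OLD-CERT-THUMBPRINT>'            # placeholder, no spaces

function Get-SigningAudit {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $OldThumbprint
    )
    Get-ChildItem -Path $Path -Recurse -File -Include *.cab |
        ForEach-Object {
            $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
            $signer = $sig.SignerCertificate
            [pscustomobject]@{
                File          = $_.FullName
                Status        = $sig.Status
                Thumbprint    = if ($signer) { $signer.Thumbprint } else { $null }
                SignerExpires = if ($signer) { $signer.NotAfter } else { $null }
                # TimeStamperCertificate is empty when the signature has no timestamp
                Timestamped   = [bool]$sig.TimeStamperCertificate
                SignedWithOld = [bool]($signer -and $signer.Thumbprint -eq $OldThumbprint)
            }
        }
}

$audit = Get-SigningAudit -Path $PackageRoot -OldThumbprint $OldThumbprint

# Packages still signed with the old certificate and carrying no timestamp:
# these are the ones to select in SCUP for re-publishing.
$audit | Where-Object { $_.SignedWithOld -and -not $_.Timestamped } |
    Sort-Object File |
    Format-Table File, SignerExpires, Status -AutoSize

# Summary by (SignedWithOld, Timestamped); run again after re-publishing
# and resyncing to confirm nothing is left in the "True, False" group.
$audit | Group-Object SignedWithOld, Timestamped -NoElement
```

Running it before and after the re-publish gives a concrete check that no package still depends on the old certificate before that certificate is removed from Group Policy.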

Amelie76

As Admin Justin mentioned here, with R2 WSUS not taking a certification, when using SCUP 2011 so you will have the message “The test connection succeeded”. Conversely, no login certificate was noticed for the updated server. Without first registration no one is not able to publish content. I’m Microsoft certified system engineer as well as essayist at Assignment Writing Help UK (Removed URL) firm and I think that there should be updates available for new signing.

Pepper



WandaDelgado

Quote from: Justin Chalfant (Patch My PC) on August 14, 2017, 05:17:54 PM
Hey!

If you are using a self-signed certificate the updates will likely fail after the expire date since they won't be time-stamped. From SCUP, you can re-publish updates published with the old cert using the option below:




Quote from: Pepper on August 14, 2017, 10:34:09 AM
My WSUS self-signed certificate is expiring later this year. In preparation for this I have gone through the procedure again and now have a certificate valid until sometime in 2022.

I have pushed out the new certificate alongside the old one in my Group Policy, and have successfully published and deployed updates using this new certificate.

In a few months, when the old certificate has expired, I expect that if I were to build a new machine from my standard image and attempt to update it, I would have updates fail to install which were signed with the old certificate. If this is indeed the case, what would be the proper method for re-publishing those old but still valid updates when the time comes? Or, is the certificate still considered valid based on its being valid on the date it was used to sign the update package?

Updating the certificate may cause an error. In this case, you should contact the residency personal statement editor for professional help. It happens rarely, but this error cannot be corrected by yourself.

Thanks for the recommendation.