
certificate RSA 512 Bit

Topics: Configuration Issue, Publishing Issue
May 12, 2014 at 7:36 AM
Hello!
I set up WPP and distributed certificates through GPO.
Published software.
And on some computers (many work) I get the following error:
WARNING: Error: 0x80096004 when verifying trust for C:\Windows\SoftwareDistribution\Download\2a040ef7e85203f363c615e65da3ae1c\136a0f7d-2a9b-4f97-ad89-6f57115a586e_1.cab
2014-05-12 01:02:29:964 580 830 Misc WARNING: Digital Signatures on file C:\Windows\SoftwareDistribution\Download\2a040ef7e85203f363c615e65da3ae1c\136a0f7d-2a9b-4f97-ad89-6f57115a586e_1.cab are not trusted: Error 0x80096004
I noticed: the computers with the problem have Windows 7 64-bit installed.
Info from the Internet: Microsoft prohibits RSA keys of less than 1024 bits. The self-signed certificate is 512 bits.
What to do?
thank you.
P.S. Sorry for my bad English.
Coordinator
May 12, 2014 at 11:32 AM
That's right: Microsoft KB2661254 prohibits RSA keys of less than 1024 bits.
Can you check if this KB is installed on the computers?
How did you get the certificate?
What is the exact version of your WSUS server?

Wsus Version
May 12, 2014 at 12:39 PM
Can you check if this KB is installed on computers ?
Not installed. Maybe it is part of another update.

How did you get the certificat ?
By WPP, as written in the installation guide for

What is the exact version of your Wsus server ?
version: 3.2.7600.256
Win2008R2 Std.
Can WPP issue a self-signed certificate of more than 1024 bits?
Editor
May 12, 2014 at 7:39 PM
Hi,

you need one more Update on your WSUS:

WSUS 3.0 (SP2) + KB2720211: Build 3.2.7600.251
WSUS 3.0 (SP2) + KB2734608: Build 3.2.7600.256
WSUS 3.0 (SP2) + KB2828185: Build 3.2.7600.262

After this, reboot the WSUS and export a new certificate. Put it in the GPO for publishing to the clients, edit one update in WPP, publish again and try to install on a W7 client.
Coordinator
May 12, 2014 at 9:11 PM
Your WSUS server is at level 256, so KB2720211 and KB2734608 are installed. Since KB2720211, the WSUS server issues 2048-bit self-signed certificates.

WPP doesn't create any certificate on its own for WSUS 3.0 SP2 (Server 2003R2, 2008, 2008R2) or 6.2 (Server 2012), but only for WSUS 6.3 (Server 2012 R2).
To check the bit length of the private key of the certificate:
  • Open WPP.
  • Connect to the server.
  • Go to "Help" -> "About"
If you need to generate another certificate, go to "Tools" -> "Certificate" and click on the button "Generate the certificate".
You may want to delete the previous certificate first (use certmgr.msc).
Once the new certificate is created, do not forget to distribute it to client computers. Also, you will need to re-sign all already published packages.
And on some computers (many work) I get the following error: WARNING: Error: 0x80096004 when verifying trust
This makes me think that the problem is on the client computers instead of on the server. Can you check that the client computers have the correct certificate in the correct stores ("Trusted root authority" and "Trusted Publisher")? Also, you may want to check that the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AcceptTrustedPublisherCerts is set to 1
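
The client-side checks listed in the reply above (policy value, both certificate stores, RSA key length), as an added PowerShell example that is not part of the original thread or of WPP. The thumbprint is a placeholder to replace with that of the signing certificate you distributed, and the function name is hypothetical.

```powershell
# Added example, not WPP code. Run on an affected client in an elevated session.
param(
    # Placeholder: thumbprint of the WSUS signing certificate you distributed.
    [string]$Thumbprint = '<SIGNING-CERT-THUMBPRINT>',
    # The thread states that RSA keys under 1024 bits are rejected (KB2661254).
    [int]$MinRsaBits = 1024
)

function Test-WsusSigningTrust {   # hypothetical helper name
    param([string]$Thumbprint, [int]$MinRsaBits)
    $results = @()

    # Check 1: the policy value named in the thread must be 1.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).AcceptTrustedPublisherCerts
    $results += New-Object PSObject -Property @{
        Check = 'AcceptTrustedPublisherCerts'; Value = $val; Ok = ($val -eq 1)
    }

    # Check 2: the certificate must be in both machine stores with a long enough key.
    # Assumes an RSA certificate, which is what the thread discusses.
    foreach ($store in 'Root', 'TrustedPublisher') {
        $cert = Get-ChildItem -Path "Cert:\LocalMachine\$store" |
            Where-Object { $_.Thumbprint -eq $Thumbprint } |
            Select-Object -First 1
        if (-not $cert) {
            $results += New-Object PSObject -Property @{
                Check = "Store $store"; Value = 'certificate missing'; Ok = $false
            }
            continue
        }
        $bits = $cert.PublicKey.Key.KeySize
        $results += New-Object PSObject -Property @{
            Check = "Store $store"
            Value = "$bits-bit key, expires $($cert.NotAfter)"
            Ok    = ($bits -ge $MinRsaBits)
        }
    }
    $results
}

Test-WsusSigningTrust -Thumbprint $Thumbprint -MinRsaBits $MinRsaBits |
    Format-Table Check, Value, Ok -AutoSize
```

A row with `Ok` set to `False` points at the item to fix: the policy value, a store that lacks the certificate, or a certificate whose key is shorter than the minimum.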
May 13, 2014 at 7:06 AM
Despite the fact that the version was 3.2.7600.256, I could install updates KB2720211 and KB2734608.
Then I set up KB2828185.
Now the version is 3.2.7600.262 - it is OK ^)

Then I generated a new certificate (2048-bit) -> re-signed published packages -> distributed the new certificate to client computers -> ALL WORKS.. :)

P.S.
And on some computers (many work) I get the following error: WARNING: Error: 0x80096004 when verifying trust
The many that work - old computers with WinXP and Win7 x86.
The computers that did not work (NOW they work!) - new computers with Win7 x64 (probably they already have a built-in update that does not accept keys of less than 1024 bits).


Thank you very much WinfriedSonntag and DCourtel!!!!
Marked as answer by DCourtel on 5/13/2014 at 2:38 AM