
Failed to load the certificate

Topics: Configuration Issue
Feb 26, 2015 at 6:04 PM
I had this problem a year ago and finally just told WSUS Package Publisher to ignore Certificate Errors but I would really prefer to get this corrected.

I have followed all the steps (multiple times) in the documentation (Installation Guide & Creating a Code Signing Certificate) and I continue to get errors loading certificates.
I know if I tell it to ignore certificate errors I can successfully create and deploy updates and client computers have no problems installing them so the certificate should be good.

When I try to import it into WSUS Package Publisher, I get the error "Failed to load the certificate. Check the file." and the Debug Log has a line that says "2/26/2015 11:36:15 AM IsValideCertificate = False". This suggests that I either missed a step or somehow messed up in the certificate creation process.

I verified the certificate is replicated across my domain, it is a Code Signing Certificate, and at least 1024 bits (RSA (2048 Bits)).

I really don't want to use a self-signed certificate if I don't have to. Surely I am missing something somewhere.
Editor
Feb 26, 2015 at 6:37 PM
What is the build of your WSUS? If WSUS is installed on W2008R2 or lower, please check the build.
http://www.wsus.de/images/wsus-version.png

WSUS 3.0 (SP2): Build 3.2.7600.226
WSUS 3.0 (SP2) + KB2720211: Build 3.2.7600.251
WSUS 3.0 (SP2) + KB2734608: Build 3.2.7600.256
WSUS 3.0 (SP2) + KB2828185: Build 3.2.7600.262
WSUS 3.0 (SP2) + KB2938066: Build 3.2.7600.274

The latest build is .274. If your WSUS build is lower, then install the posted updates.
Feb 26, 2015 at 8:08 PM
It is a '08R2 server with WSUS Version 3.2.7600.226

Looking through my update history I see it installed KB2720211 but I don't see any of those others and Windows Update does not show them as available.

I am looking in to the mentioned updates now and will install them in order. It seems somewhat odd to me that these would not be pushed down through Windows Update...
Editor
Feb 26, 2015 at 8:13 PM
Are you sure about .226? Are you looking in the right place for the build number? If KB2720211 is installed, your WSUS is on build .251.
Please check your build again: http://www.wsus.de/images/wsus-version.png
Coordinator
Feb 26, 2015 at 8:46 PM
the Debug Log has a line that says "2/26/2015 11:36:15 AM IsValideCertificate = False".
WPP uses the Verify() method of the .NET class System.Security.Cryptography.X509Certificates.X509Certificate2.
Unfortunately, this method is not 100% accurate and may return false negative results. That's why there is an option to ignore code-signing certificate errors.
If your certificate is successfully used by your WSUS server to sign packages, it's certainly a good certificate.
Feb 26, 2015 at 8:47 PM
Yes, I was looking in the right location. I just finished installing KB2734608 and it now says Server version: 3.2.7600.256

Do you think maybe there was a problem with KB2720211? Should I try installing it again?
Editor
Feb 26, 2015 at 9:06 PM
No, you can install all other updates for build .274.
Feb 27, 2015 at 2:16 PM
Okay, I got my WSUS server completely updated to build .274 which should help fix a lot of issues. Thank you WinfriedSonntag. However, I am still having the same certificate issue in Package Publisher.

DCourtel wrote:
WPP uses the Verify() method of the .NET class System.Security.Cryptography.X509Certificates.X509Certificate2.
Unfortunately, this method is not 100% accurate and may return false negative results. That's why there is an option to ignore code-signing certificate errors.
Thank you for your reply DCourtel but are you seriously saying the only thing I can do is ignore it? I used the exact method recommended in generating the certificate. All servers used in this process are Windows '08 R2 and completely updated. Surely there is a method for me to generate a certificate that the "Verify() Method of the .Net class System" accepts as valid.
Coordinator
Feb 27, 2015 at 2:52 PM
Unfortunately, I have never found a list of all the conditions that this method checks. So it is very hard to know what goes wrong.
How did you make this certificate? Do you have a chain of certificate servers?
Editor
Feb 27, 2015 at 3:15 PM
WWWolf wrote:
Okay, I got my WSUS server completely updated to build .274 which should help fix a lot of issues. Thank you WinfriedSonntag. However, I am still having the same certificate issue in Package Publisher.
Now I think you can create a new certificate with WPP. Publish the new certificate with Group Policies to all Clients/Servers.
Feb 27, 2015 at 5:40 PM
WinfriedSonntag wrote:
Now I think you can create a new certificate with WPP. Publish the new certificate with Group Policies to all Clients/Servers.
You are thinking about self-signed certificates. I am creating a code-signing certificate on my domain Certificate Authority.

DCourtel wrote:
Unfortunately, I have never found a list of all the conditions that this method checks. So it is very hard to know what goes wrong.
How did you make this certificate? Do you have a chain of certificate servers?
I have 1 CA Server on my domain and that's all it does (Server '08 R2). On this Root CA, I have added 2 Code Signing Templates (the default "Code Signing" one referenced in your documentation & one I titled "Windows Updates" for purposes of signing 3rd party updates). I have tried with both and both give the same results.
I am currently looking through the "Windows Updates" template to see what changes I can make that might help.
I decided to change it from the default of 1 year up to 5 and am considering having it publish to Active Directory.
Purpose: Signature
Allow private key to be exported is checked
Algorithm: RSA
Minimum Key size: 2048
Request hash: SHA1
There are other properties I can check as well for the template but none appear like they would cause any problems.

On the WSUS server ('08 R2) I open the MMC and load the Certificates snap-in as user (Administrator) and Request New Personal Certificate.
AD Enrollment Policy > Select "Windows Updates (Code Signing)" & click Properties
On the Private Key tab, expand Key Options and check Make private key exportable & strong protection (leave the archive option unchecked) & enroll the key
I then right-click the new key & select All Tasks > Export...
Yes, export the private key
Leave defaults on file format window (.PFX - all 3 boxes unchecked)
Give it Password
Give it a name & export it to an appropriate location.

Normally at this point I would import it into Trusted Publishers and add it to group policy to be trusted across the domain, but as I am just testing Package Publisher's verification algorithm as I am typing this reply, I am skipping ahead to adding this newly exported cert to PP just to see if it will accept it...

Open WSUS Package Publisher.
Check Settings to verify ignore certificate errors is unchecked.
Click Connect/Reload
Click Ok on the error message that says "The certificate is invalid. You will not be able to publish updates."
Tools > Certificate...
Enter Password
Load certificate
Browse to the .pfx file & click open
Get error "Failed to load the certificate. Check the file."

Logically, it seems to me like there is some issue with the certificate templates that it does not like.

I plan to do some more testing with this but if you have any ideas, I would love to hear them. I am thinking about generating a self-signed cert to compare against.

Thanks for your time,

~John
Feb 27, 2015 at 9:00 PM
I tried a few things and still no luck.

The only real difference I am seeing between a PP self-signed cert and a generated cert is the extensions.
The self-signed cert only has the "Enhanced Key Usage" extension while the other has many more...
In addition to Enhanced Key Usage (which has the same value) there are also these fields:
Certificate Template Information
Key Usage
Application Policies
Subject Key Identifier
Authority Key Identifier
CRL Distribution Points
Authority Information Access
Subject Alternative Name

Perhaps one of these fields is causing a problem but for now I am done. I will try to pick this back up on Monday.

Thanks again
Coordinator
Feb 28, 2015 at 9:09 AM
There is another difference. The self-signed certificate doesn't rely on another cert to be valid. The problem may be in the cert of the root authority.
Mar 2, 2015 at 5:49 PM
Correct me if I am wrong, but if there was a problem with the cert of the Root CA, clients wouldn't install any updates signed with any cert generated by the Root CA.

The fact that I can get it all to work just by telling Package Publisher to ignore Cert Errors suggests that the cert itself is fine but rather something in the detection mechanism just doesn't like it.

I suspect the "Key Usage" extension.

The Self-Signed cert does not have a "Key Usage" extension.
Both keys have an "Enhanced Key Usage" Extension with a value of "Code Signing (1.3.6.1.5.5.7.3.3)" but the Root CA Generated key also has "Key Usage" with a value of "Digital Signature (80)" that by default is critical (unchecking critical doesn't help). This should not be a problem unless the detection method is looking for "Code Signing" in the "Key Usage" extension rather than "Enhanced Key Usage".
Mar 3, 2015 at 5:50 PM
I have given up and am now just using a self-signed certificate. I don't particularly like this option but it's not worth the hassle the other way around.

Thanks again for your help.
Marked as answer by WWWolf on 3/3/2015 at 9:50 AM
Jun 16 at 1:32 PM
Hi,
I just stumbled upon the same problem. As far as I can tell, the error is related to the existence of a certificate revocation list.

I checked my certificate with Certutil -f -urlfetch -verify <Crt File> and got an error(?) message that the certificate could not be checked because there is no revocation information (not exactly, but that is how I understood it; translated from German).

Hope It helps somebody else.

Regards
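The thread never gets to see why Verify() says no, because that method only returns a bool. The script below is an added example, not WPP's code and not posted by anyone in the thread: it reproduces what DCourtel describes (X509Certificate2.Verify(), which builds a chain with the default policy of online revocation checking and ExcludeRoot), then builds the same chain by hand so the X509ChainStatus entries are visible, rebuilds it with revocation checking turned off to separate a CRL problem from a certificate-content problem, and finally prints the Key Usage, Enhanced Key Usage and CRL Distribution Points extensions that John compared. The .pfx path and password are placeholders you must replace; run it on the WSUS server where the certificate would be loaded, since chain building uses that machine's trust stores.

```powershell
# Added diagnostic (not WPP's own code): show the reason behind a false
# X509Certificate2.Verify() result instead of just the bool.
# Assumptions: $PfxPath and $PfxPassword are placeholders for the certificate
# exported in the thread; replace them before running.
param(
    [string]$PfxPath     = 'C:\Temp\WindowsUpdates-CodeSigning.pfx',  # placeholder
    [string]$PfxPassword = 'PLACEHOLDER-PASSWORD'                      # placeholder
)

$X509 = 'System.Security.Cryptography.X509Certificates'
$cert = New-Object "$X509.X509Certificate2" -ArgumentList $PfxPath, $PfxPassword

"Subject           : {0}" -f $cert.Subject
"Issuer            : {0}" -f $cert.Issuer

# 1. What WPP calls. Verify() builds a chain with the default X509ChainPolicy
#    (RevocationMode = Online, RevocationFlag = ExcludeRoot) and returns a bool.
"Verify()          : {0}" -f $cert.Verify()

# 2. Build the same chain by hand so the failure reason becomes visible.
$chain = New-Object "$X509.X509Chain"
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
$built = $chain.Build($cert)
"Chain.Build()     : {0}" -f $built
if (-not $built) {
    # A CA whose CRL cannot be fetched typically reports RevocationStatusUnknown
    # and OfflineRevocation; a root that is not trusted on this machine reports
    # UntrustedRoot or PartialChain.
    foreach ($s in $chain.ChainStatus) {
        "  {0,-26} {1}" -f $s.Status, $s.StatusInformation.Trim()
    }
}

# 3. Same chain with revocation checking disabled. If this one builds, the
#    certificate and its issuing chain are fine and only the CRL lookup fails.
$chain.Reset()
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
"Build(NoCheck)    : {0}" -f $chain.Build($cert)

# 4. The extensions compared in the thread. Format($false) renders them the way
#    the certificate dialog does, e.g. "Digital Signature (80)".
foreach ($ext in $cert.Extensions) {
    switch ($ext.Oid.Value) {
        '2.5.29.15' { "Key Usage         : {0}" -f $ext.Format($false) }
        '2.5.29.37' { "Enhanced Key Usage: {0}" -f $ext.Format($false) }
        '2.5.29.31' { "CRL Dist. Points  : {0}" -f $ext.Format($false) }
    }
}

# The Code Signing purpose lives in Enhanced Key Usage (OID 1.3.6.1.5.5.7.3.3),
# not in Key Usage; confirm it is present on the certificate being loaded.
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$hasCodeSigning = ($eku -ne $null) -and ($eku.Format($false) -match '1\.3\.6\.1\.5\.5\.7\.3\.3')
"Code Signing EKU  : {0}" -f $hasCodeSigning
```

If step 2 reports RevocationStatusUnknown or OfflineRevocation while step 3 builds, the fix is on the CA side rather than in the certificate template: publish a CRL at the URL named in the CRL Distribution Points extension (and keep it current), which is what the last poster's certutil -urlfetch -verify run points at. That keeps revocation checking in place for the signing certificate instead of turning certificate errors off in WSUS Package Publisher.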