Now i think you can create a new certificate with WPP. Publish the new certificate with Group Policies to all Clients/Servers.
You are thinking about self-signed certificates. I am creating a code-signing certificate on my domain Certificate Authority.
Unfortunately, I never find a list of all conditions that this method check. So, it is very hard to know what's goes wrong.
How do you have made this certificate ? Have you a chain of certificate servers ?
I have 1 CA Server on my domain and that's all it does (Server '08 R2). On this Root CA, I have added 2 Code Signing Templates (the default "Code Signing" one referenced in your documentation & one I titled "Windows Updates" for purposes
of signing 3rd party updates). I have tried with both and both give the same results.
I am currently looking through the "Windows Updates" template to see what changes I can make that might help.
I decided to change it from the default of 1 year up to 5 and am considering have it publish to Active Directory.
Allow private key to be exported is checked
Minimum Key size: 2048
Request hash: SHA1
There are other properties I can check as well for the template but none appear like they would cause any problems.
On the WSUS server ('08 R2) I open the MMC and load the Certificates snap-in as user (Administrator) and Request New Personal Certificate.
AD Enrollment Policy > Select "Windows Updates (Code Signing) & Click Properties
On private Key tab, expand Key Options and check Make private key exportable & strong protection (leave archive option unchecked) & enroll the key
I then right-click the new key & select All Tasks > Export...
yes, export the private key
Leave defaults on file format window (.PFX - all 3 boxes unchecked)
Give it Password
give it a name & export it to an appropriate location.
Normally at this point I would import it to trusted publishers and add it to group policy to be trusted across the domain but as I am just testing Package Publisher's verification algorithm as I am typing this reply, I am skipping ahead to adding this newly
exported cert to PP just to see if it will accept it...
Open WSUS Package Publisher.
Check Settings to verify ignore certificate errors is unchecked.
Click Ok on the error message that says "The certificate is invalid. You will not be able to publish updates."
Tools > Certificate...
Browse to the .pfx file & click open
Get error "Failed to load the certificate. Check the file."
Logically, it seems to me like there is some issue with the certificate templates that it does not like.
I plan to do some more testing with this but if you have any ideas, I would love to hear them. I am thinking about generating a self-signed cert to compare against.
Thanks for your time,