
[Solved] Updates on Client computer fail with Error Code 800B0109

Topics: Publishing Issue
Jul 17, 2013 at 1:02 PM
Edited Jul 18, 2013 at 10:27 AM
I have created an update package for Acrobat Reader 10.1 and approved it to a Vista SP2 client.

I have imported the WSUS Publisher self-signed cert on the Vista client under Trusted Root Certification Authorities, Intermediate Certification Authorities and Trusted Publishers.

I am getting the error below:

Adobe Reader 10.1.0
Installation date: ‎7/‎17/‎2013 12:52 PM
Installation status: Failed
Error details: Code 800B0109
Update type: Important
No description available.

windowsupdate log file says :

2013-07-17 12:52:44:238 1068 648 Misc Validating signature for C:\Windows\SoftwareDistribution\Download\b8104bb6424488e05fdc5ef9f7b8657b\93becf169094e894066c35dabd0f829be56fd337:
2013-07-17 12:52:44:379 1068 648 Misc Microsoft signed: No
2013-07-17 12:52:44:379 1068 648 Misc WARNING: Digital Signatures on file C:\Windows\SoftwareDistribution\Download\b8104bb6424488e05fdc5ef9f7b8657b\93becf169094e894066c35dabd0f829be56fd337 are not trusted: Error 0x800b0109
2013-07-17 12:52:44:379 1068 648 DnldMgr WARNING: File failed postprocessing, error = 800b0109
2013-07-17 12:52:44:379 1068 648 DnldMgr Failed file: URL = 'http://wsusserver/Content/37/93BECF169094E894066C35DABD0F829BE56FD337.cab', Local path = 'C:\Windows\SoftwareDistribution\Download\b8104bb6424488e05fdc5ef9f7b8657b\93becf169094e894066c35dabd0f829be56fd337'
2013-07-17 12:52:44:379 1068 648 DnldMgr Error 0x800b0109 occurred while downloading update; notifying dependent calls.
2013-07-17 12:52:44:473 1068 ebc AU >>## RESUMED ## AU: Download update [UpdateId = {C8C5E4E4-4C9A-4136-A8D0-93290E70D9A6}]
2013-07-17 12:52:44:473 1068 ebc AU # WARNING: Download failed, error = 0x800B0109
2013-07-17 12:52:44:473 1068 ebc AU #########
2013-07-17 12:52:44:473 1068 ebc AU ## END ## AU: Download updates
2013-07-17 12:52:44:473 1068 ebc AU #############
2013-07-17 12:52:44:488 1068 ebc AU Setting AU scheduled install time to 2013-07-17 22:00:00
2013-07-17 12:52:44:488 1068 ebc AU Currently showing Progress UX client - so not launching any other client
2013-07-17 12:52:44:613 1068 94c AU Getting featured update notifications. fIncludeDismissed = true
2013-07-17 12:52:44:613 1068 94c AU No featured updates available.
2013-07-17 12:52:46:221 1068 94c AU BeginInteractiveInstall invoked for Install
2013-07-17 12:52:46:221 1068 94c AU Auto-approved 0 update(s) for install (for Ux), installType=0
2013-07-17 12:52:46:221 1068 94c AU WARNING: BeginInteractiveInstall failed, error = 0x8024000C
2013-07-17 12:52:46:221 2232 e64 CltUI FATAL: BeginInteractiveInstall for install returned code 8024000C
2013-07-17 12:52:46:221 2232 e64 CltUI WARNING: AU directive Interactive Progress is exiting due to error 8024000C
2013-07-17 12:52:46:221 1068 3cc AU AU received handle event
2013-07-17 12:52:46:221 1068 3cc AU UpdateDownloadProperties: 0 download(s) are still in progress.
2013-07-17 12:52:46:221 1068 3cc AU Triggering Offline detection (non-interactive)
2013-07-17 12:52:46:221 1068 3cc AU AU setting pending client directive to 'Install Complete Ux'
2013-07-17 12:52:46:221 1068 3cc AU WARNING: Pending directive, 'Install Complete Ux', is not applicable
2013-07-17 12:52:46:221 1068 3cc AU #############
2013-07-17 12:52:46:221 1068 3cc AU ## START ## AU: Search for updates
2013-07-17 12:52:46:221 1068 3cc AU #########
2013-07-17 12:52:46:221 1068 3cc AU <<## SUBMITTED ## AU: Search for updates [CallId = {EB229063-08B6-478B-A937-89047EDC4C0A}]
2013-07-17 12:52:46:221 1068 3d4 Agent *************
2013-07-17 12:52:46:221 1068 3d4 Agent ** START ** Agent: Finding updates [CallerId = AutomaticUpdates]
2013-07-17 12:52:46:221 1068 3d4 Agent *********
2013-07-17 12:52:46:221 1068 3d4 Agent * Online = No; Ignore download priority = No
2013-07-17 12:52:46:221 1068 3d4 Agent * Criteria = "IsInstalled=0 and DeploymentAction='Installation' or IsPresent=1 and DeploymentAction='Uninstallation' or IsInstalled=1 and DeploymentAction='Installation' and RebootRequired=1 or IsInstalled=0 and DeploymentAction='Uninstallation' and RebootRequired=1"
2013-07-17 12:52:46:221 1068 3d4 Agent * ServiceID = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7} Managed
2013-07-17 12:52:46:221 1068 3d4 Agent * Search Scope = {Machine}
2013-07-17 12:53:06:621 1068 3d4 Agent * Added update {C8C5E4E4-4C9A-4136-A8D0-93290E70D9A6}.1 to search result
2013-07-17 12:53:06:621 1068 3d4 Agent * Found 1 updates and 77 categories in search; evaluated appl. rules of 209 out of 2173 deployed entities
2013-07-17 12:53:06:668 1068 3d4 Agent *********
2013-07-17 12:53:06:668 1068 3d4 Agent ** END ** Agent: Finding updates [CallerId = AutomaticUpdates]
2013-07-17 12:53:06:668 1068 3d4 Agent *************
2013-07-17 12:53:06:668 1068 3d4 Report REPORT EVENT: {12709CBC-7991-4D7F-A8E2-DC552BDBB90E} 2013-07-17 12:52:44:473+0100 1 161 101 {C8C5E4E4-4C9A-4136-A8D0-93290E70D9A6} 1 800b0109 AutomaticUpdatesWuApp Failure Content Download Error: Download failed.

2013-07-17 12:53:06:683 1068 ebc AU >>## RESUMED ## AU: Search for updates [CallId = {EB229063-08B6-478B-A937-89047EDC4C0A}]

Jul 17, 2013 at 6:28 PM
Hello VinodReddy,

The most important lines are :
2013-07-17 12:52:44:238 1068 648 Misc Validating signature for C:\Windows\SoftwareDistribution\Download\b8104bb6424488e05fdc5ef9f7b8657b\93becf169094e894066c35dabd0f829be56fd337:
2013-07-17 12:52:44:379 1068 648 Misc Microsoft signed: No
2013-07-17 12:52:44:379 1068 648 Misc WARNING: Digital Signatures on file C:\Windows\SoftwareDistribution\Download\b8104bb6424488e05fdc5ef9f7b8657b\93becf169094e894066c35dabd0f829be56fd337 are not trusted: Error 0x800b0109
Please verify :
  • Certificate is in the right certificate stores.
  • Certificate is in the Computer (this computer) profile store.
  • You have enabled TrustedPublisherCertificate : HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AcceptTrustedPublisherCerts = 1
  • You have restarted the computer after importing the certificate.
Try to copy the file from : http://wsusserver/Content/37/93BECF169094E894066C35DABD0F829BE56FD337.cab
to your local disk. Check its properties, especially the "Numeric signature" tab, select the certificate and click on 'Detail'.
Jul 18, 2013 at 10:24 AM
Thanks DCourtel,

Reg key did the trick. It did not exist so I have created a DWORD, after which it worked like a charm.
Now the task will be to publish the certificate, which can be done by GPO. But the regkey will be a bit tricky for XP machines.

How safe is it to add this reg key... any security risks?
Jul 18, 2013 at 11:36 AM
Hi,
But regkey will be a bit tricky for XP machines.
There is a GPO for this setting : "Administration Templates -> Windows Components -> Windows Update Components -> 'Allow Signed Content from intranet Microsoft update service location'"
any security risks?
This setting allows the WU agent to trust a package that has been signed by a trusted publisher. The certificate must already be in the TrustedPublisherCertificate store, so the risk is very low. To corrupt a machine, an attacker must first import a certificate into this store and then publish a fake update in your Wsus (that means knowing an account that has administrative privileges on the attacked computer and on the Wsus server) !
Jul 19, 2013 at 9:12 AM
Hi,

My bad. Have an old ADMX, have updated it now, will test it today. Hope it will work.

Another question if you don't mind.
I am not able to push Acrobat reader updates. I was following the same instructions as in publishing Reader. Should I be doing anything different?

Many thanks,
Vinod.
Jul 19, 2013 at 9:36 AM
Hi,
I am not able to push Acrobat reader updates. I was following the same instructions as in publishing Reader. Should I be doing anything different?
Please start a new discussion for this problem and put a complete description of what you do and what happens.
Sep 3, 2013 at 4:15 PM
Hi Guys,

I have the same prob as mentioned above but all certs are in the right directories. So I think.
Please verify :
Certificate is in the right certificate stores.
Certificate is in the Computer (this computer) profile store.
You have enabled TrustedPublisherCertificate : HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AcceptTrustedPublisherCerts = 1
You have restarted the computer after importing the certificate.
What's meant by point two? My certificate is in the trusted publisher folder as well as in the trusted certificate authority folder (freely translated ;) ) at our server and one client for testing issues.


My Log:
2013-09-03 16:59:28:651 1008 fec AU #############
2013-09-03 16:59:28:651 1008 fec AU ## START ## AU: Download updates
2013-09-03 16:59:28:651 1008 fec AU #########
2013-09-03 16:59:28:651 1008 fec AU # Approved updates = 1
2013-09-03 16:59:28:651 1008 fec AU AU initiated download, updateId = {B6E3D9C3-A7D5-4AFC-84B1-620703CAA9E9}.2, callId = {F4205188-FABA-46BF-9C0D-C6BEBF80FA91}
2013-09-03 16:59:28:651 1008 fec AU Setting AU scheduled install time to 2013-09-05 02:00:00
2013-09-03 16:59:28:651 1008 fec AU Successfully wrote event for AU health state:0
2013-09-03 16:59:28:651 1008 fec AU Currently showing Progress UX client - so not launching any other client
2013-09-03 16:59:28:667 1008 d30 DnldMgr *************
2013-09-03 16:59:28:667 1008 d30 DnldMgr ** START ** DnldMgr: Downloading updates [CallerId = AutomaticUpdatesWuApp]
2013-09-03 16:59:28:667 1008 d30 DnldMgr *********
2013-09-03 16:59:28:667 1008 d30 DnldMgr * Call ID = {F4205188-FABA-46BF-9C0D-C6BEBF80FA91}
2013-09-03 16:59:28:667 1008 d30 DnldMgr * Priority = 3, Interactive = 1, Owner is system = 0, Explicit proxy = 0, Proxy session id = 1, ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}
2013-09-03 16:59:28:667 1008 d30 DnldMgr * Updates to download = 1
2013-09-03 16:59:28:667 1008 d30 Agent * Title = Java 7 Update 25
2013-09-03 16:59:28:667 1008 d30 Agent * UpdateId = {B6E3D9C3-A7D5-4AFC-84B1-620703CAA9E9}.2
2013-09-03 16:59:28:683 1008 d30 DnldMgr *********** DnldMgr: New download job [UpdateId = {B6E3D9C3-A7D5-4AFC-84B1-620703CAA9E9}.2] ***********
2013-09-03 16:59:28:683 1008 d30 DnldMgr * Queueing update for download handler request generation.
2013-09-03 16:59:28:683 1008 d30 DnldMgr Generating download request for update {B6E3D9C3-A7D5-4AFC-84B1-620703CAA9E9}.2
2013-09-03 16:59:28:745 1008 d30 DnldMgr *********** DnldMgr: New download job [UpdateId = {B6E3D9C3-A7D5-4AFC-84B1-620703CAA9E9}.2] ***********
2013-09-03 16:59:28:745 1008 fec AU Successfully wrote event for AU health state:0
2013-09-03 16:59:28:745 1008 fec AU # Pending download calls = 1
2013-09-03 16:59:28:745 1008 fec AU <<## SUBMITTED ## AU: Download updates
2013-09-03 16:59:28:761 1008 fec AU Getting featured update notifications. fIncludeDismissed = true
2013-09-03 16:59:28:761 1008 fec AU No featured updates available.
2013-09-03 16:59:28:885 1008 d30 DnldMgr * BITS job initialized, JobId = {4A67DFAC-8321-4A47-B4D7-CACA05BDC22A}
2013-09-03 16:59:28:963 1008 d30 DnldMgr * Downloading from http://10.1.2.11:8530/Content/A2/83E44A0643C76F99B8D5A1E5C1A418F3015AC6A2.cab to C:\Windows\SoftwareDistribution\Download\a947508375d533852b553315874f5194\1e5cec4d-6673-4181-bf67-b5a2b2e7d75d_1.cab (full file).
2013-09-03 16:59:29:197 1008 d30 Agent *********
2013-09-03 16:59:29:197 1008 d30 Agent ** END ** Agent: Downloading updates [CallerId = AutomaticUpdatesWuApp]
2013-09-03 16:59:29:197 1008 d30 Agent *************
2013-09-03 16:59:32:239 1008 8dc DnldMgr BITS job {4A67DFAC-8321-4A47-B4D7-CACA05BDC22A} completed successfully
2013-09-03 16:59:32:457 1008 8dc Misc Validating signature for C:\Windows\SoftwareDistribution\Download\a947508375d533852b553315874f5194\1e5cec4d-6673-4181-bf67-b5a2b2e7d75d_1.cab:
2013-09-03 16:59:32:567 1008 8dc Misc WARNING: Error: 0x800b0109 when verifying trust for C:\Windows\SoftwareDistribution\Download\a947508375d533852b553315874f5194\1e5cec4d-6673-4181-bf67-b5a2b2e7d75d_1.cab
2013-09-03 16:59:32:567 1008 8dc Misc WARNING: Digital Signatures on file C:\Windows\SoftwareDistribution\Download\a947508375d533852b553315874f5194\1e5cec4d-6673-4181-bf67-b5a2b2e7d75d_1.cab are not trusted: Error 0x800b0109
2013-09-03 16:59:32:582 1008 8dc DnldMgr WARNING: File failed postprocessing, error = 800b0109
2013-09-03 16:59:32:582 1008 8dc DnldMgr Failed file: URL = 'http://10.1.2.11:8530/Content/A2/83E44A0643C76F99B8D5A1E5C1A418F3015AC6A2.cab', Local path = 'C:\Windows\SoftwareDistribution\Download\a947508375d533852b553315874f5194\1e5cec4d-6673-4181-bf67-b5a2b2e7d75d_1.cab'
2013-09-03 16:59:32:582 1008 8dc DnldMgr Error 0x800b0109 occurred while downloading update; notifying dependent calls.
2013-09-03 16:59:32:660 1008 e28 AU >>## RESUMED ## AU: Download update [UpdateId = {B6E3D9C3-A7D5-4AFC-84B1-620703CAA9E9}]
2013-09-03 16:59:32:660 1008 e28 AU # WARNING: Download failed, error = 0x800B0109
2013-09-03 16:59:32:660 1008 e28 AU #########
2013-09-03 16:59:32:660 1008 e28 AU ## END ## AU: Download updates
2013-09-03 16:59:32:660 1008 e28 AU #############
2013-09-03 16:59:32:660 1008 e28 AU Setting AU scheduled install time to 2013-09-05 02:00:00
2013-09-03 16:59:32:660 1008 e28 AU Successfully wrote event for AU health state:0
2013-09-03 16:59:32:660 1008 e28 AU Currently showing Progress UX client - so not launching any other client
2013-09-03 16:59:32:660 1008 d30 Report REPORT EVENT: {EC69B3CF-AEC2-4D83-AF03-B748CBCED4F1} 2013-09-03 16:59:32:660+0200 1 161 101 {B6E3D9C3-A7D5-4AFC-84B1-620703CAA9E9} 2 800b0109 AutomaticUpdatesWuApp Failure Content Download Error: Download failed.
2013-09-03 16:59:32:676 1008 e28 AU Successfully wrote event for AU health state:0
2013-09-03 16:59:32:738 1008 d30 Report CWERReporter::HandleEvents - WER report upload completed with status 0x8
2013-09-03 16:59:32:738 1008 d30 Report WER Report sent: 7.6.7600.256 0x800b0109 B6E3D9C3-A7D5-4AFC-84B1-620703CAA9E9 Download 101 Managed
2013-09-03 16:59:32:738 1008 d30 Report CWERReporter finishing event handling. (00000000)
2013-09-03 16:59:32:738 1008 72c AU Getting featured update notifications. fIncludeDismissed = true
2013-09-03 16:59:32:738 1008 72c AU No featured updates available.
2013-09-03 16:59:32:785 1008 fec AU BeginInteractiveInstall invoked for Install
2013-09-03 16:59:32:785 1008 fec AU Auto-approved 0 update(s) for install (for Ux), installType=0
2013-09-03 16:59:32:785 1008 fec AU WARNING: BeginInteractiveInstall failed, error = 0x8024000C
2013-09-03 16:59:32:910 1008 808 AU AU received handle event
2013-09-03 16:59:32:910 1008 808 AU UpdateDownloadProperties: 0 download(s) are still in progress.
2013-09-03 16:59:32:910 1008 808 AU Triggering Offline detection (non-interactive)
2013-09-03 16:59:32:910 1008 808 AU AU setting pending client directive to 'Install Complete Ux'
2013-09-03 16:59:32:910 1008 808 AU WARNING: Pending directive, 'Install Complete Ux', is not applicable
2013-09-03 16:59:32:925 1008 808 AU Successfully wrote event for AU health state:0
2013-09-03 16:59:32:925 1008 808 AU #############
2013-09-03 16:59:32:925 1008 808 AU ## START ## AU: Search for updates
2013-09-03 16:59:32:925 1008 808 AU #########
2013-09-03 16:59:32:925 1008 808 AU <<## SUBMITTED ## AU: Search for updates [CallId = {B6FAFFFB-60DB-4609-9E7A-975C91F78538}]
2013-09-03 16:59:32:925 1008 d30 Agent *************
2013-09-03 16:59:32:925 1008 d30 Agent ** START ** Agent: Finding updates [CallerId = AutomaticUpdates]
2013-09-03 16:59:32:925 1008 d30 Agent *********
2013-09-03 16:59:32:925 1008 d30 Agent * Online = No; Ignore download priority = No
2013-09-03 16:59:32:925 1008 d30 Agent * Criteria = "IsInstalled=0 and DeploymentAction='Installation' or IsPresent=1 and DeploymentAction='Uninstallation' or IsInstalled=1 and DeploymentAction='Installation' and RebootRequired=1 or IsInstalled=0 and DeploymentAction='Uninstallation' and RebootRequired=1"
2013-09-03 16:59:32:925 1008 d30 Agent * ServiceID = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7} Managed
2013-09-03 16:59:32:925 1008 d30 Agent * Search Scope = {Machine}

Thanks in advance for some help.

Regards,
treefishy
Sep 3, 2013 at 7:50 PM
Edited Sep 3, 2013 at 7:52 PM
Hi treefishy,
2013-09-03 16:59:32:567 1008 8dc Misc WARNING: Error: 0x800b0109 when verifying trust for C:\Windows\SoftwareDistribution\Download\a947508375d533852b553315874f5194\1e5cec4d-6673-4181-bf67-b5a2b2e7d75d_1.cab
2013-09-03 16:59:32:567 1008 8dc Misc WARNING: Digital Signatures on file C:\Windows\SoftwareDistribution\Download\a947508375d533852b553315874f5194\1e5cec4d-6673-4181-bf67-b5a2b2e7d75d_1.cab are not trusted: Error 0x800b0109
Ensure Wsus Certificate is correctly set on the server :

Look in the Local Computer Store
  • If you are using your own Code-Signing certificate, it should be present in :
    ◦ The certificate of the authority who has made this certificate should be in the (Local Computer)\Trusted Root Certification Authority.
    ◦ (Local Computer)\Trusted Publisher.
    ◦ (Local Computer)\Wsus
  • If you are using a Self-Signed Certificate, it should be present in :
    ◦ (Local Computer)\Trusted Root Certification Authority.
    ◦ (Local Computer)\Trusted Publisher.
    ◦ (Local Computer)\Wsus
Ensure the certificate is correctly set on your client :

Look in the Local Computer Store
  • If you are using a Self-Signed Certificate, it should be present in :
    ◦ (Local Computer)\Trusted Publisher.
    ◦ (Local Computer)\Trusted Root Certification Authority.
  • If you are using your own Code-Signing certificate, it should be present in :
    ◦ (Local Computer)\Trusted Publisher.
    ◦ And the certificate of the authority who has made this certificate should be in the (Local Computer)\Trusted Root Certification Authority.
If all is ok, open WPP, select the update and copy the URL path. Paste it in Internet Explorer and download the file to the desktop.

Display the properties of the file, go to the "Numeric signature" tab :

Select the cert and click 'Details'.

What is the error message ?


Note the serial number of the certificate. Open the certificate of your client (in trusted publishers) and compare the serial number of this certificate with the certificate used to sign the CAB file. Are these equal or different ?
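
The client-side checks walked through in this thread (the AcceptTrustedPublisherCerts value, machine store versus user store, and the serial number of the CAB signer), as an added PowerShell example that is not part of the original posts or of WPP. `$CabPath` is an assumed parameter: a local copy of the CAB downloaded from the WSUS content URL.

```powershell
# Added example (not from the thread or from WPP). Run elevated on the failing client.
# $CabPath is an assumed parameter: a local copy of the CAB fetched from the WSUS content URL.
param([Parameter(Mandatory = $true)][string]$CabPath)

# 1. Policy value the Windows Update agent needs before it accepts Trusted Publisher signatures.
$wuKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$policy = (Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue).AcceptTrustedPublisherCerts
if ($policy -eq 1) { 'OK    AcceptTrustedPublisherCerts = 1' }
else               { "FAIL  AcceptTrustedPublisherCerts = '$policy' (expected 1)" }

# 2. Certificate that signed the CAB. Its serial number is the value to compare
#    with the certificate shown in the client's Trusted Publishers store.
$sig = Get-AuthenticodeSignature -FilePath $CabPath
if (-not $sig.SignerCertificate) { throw "No Authenticode signature on $CabPath" }
$signer = $sig.SignerCertificate
"INFO  Signer  : $($signer.Subject)"
"INFO  Serial  : $($signer.SerialNumber)"
"INFO  Expires : $($signer.NotAfter)"
# This status is evaluated for the logged-on user, so it can read Valid while the
# update agent still fails with 0x800b0109 (certificate installed per user only).
"INFO  Status for current user: $($sig.Status)"

# 3. Is that exact certificate in the machine store, or only in the user store?
function Test-InStore([string]$Store, [string]$Thumbprint) {
    [bool](Get-ChildItem "Cert:\$Store" | Where-Object { $_.Thumbprint -eq $Thumbprint })
}
if (Test-InStore 'LocalMachine\TrustedPublisher' $signer.Thumbprint) {
    'OK    signer is in LocalMachine\TrustedPublisher'
} elseif (Test-InStore 'CurrentUser\TrustedPublisher' $signer.Thumbprint) {
    'FAIL  signer is only in CurrentUser\TrustedPublisher (installed per user, not per machine)'
} else {
    'FAIL  signer is not in any Trusted Publishers store'
}

# 4. Build the chain in machine context so that user stores are ignored.
#    A self-signed certificate must itself be in LocalMachine\Root; a PKI-issued
#    code-signing certificate needs its root authority there instead.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # isolate trust problems from CRL reachability
if ($chain.Build($signer)) {
    'OK    chain ends in a root trusted by the local machine'
} else {
    $chain.ChainStatus | ForEach-Object { "FAIL  chain: $($_.Status) $($_.StatusInformation.Trim())" }
}

# 5. Validity period of the signer.
if ($signer.NotAfter -lt (Get-Date)) { 'FAIL  signer certificate has expired' }
```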
Sep 5, 2013 at 6:14 PM
Wooowww, thanks for your reply.

I found my personal failure -.-
Thanks to your short manual I found out that all the time my policy just installed the certificates to the users account and not our client machines. Thanks a lot.

BTW: The numbers are equal. Of course :D

Regards,
treefishy
Marked as answer by DCourtel on 10/5/2013 at 5:10 AM
Sep 5, 2013 at 6:52 PM
Edited Sep 30, 2013 at 6:55 PM
installed the certificates to the users account and not our client machines
Good to know. I need to update the "Installation guide", so that admins take care of this detail.
Sep 5, 2013 at 6:56 PM
Would be very helpful for some folks. Even the detail for server 2003 users how to enroll the certificate correctly.
But thank you very much!
Sep 7, 2013 at 3:14 PM
Edited Sep 7, 2013 at 3:15 PM
Hi,
I have the same problem but I don't see the certificate on the Wsus server in the Wsus-Certificates store.
I don't know why?


I have windows server 2012, wsus 6.2.9200 and wpp 1.3.1309.3.

Thank you
Sep 7, 2013 at 5:47 PM
Hi, You will not be able to publish until you have a code-signing certificate in the Wsus store.
  • If you have your own Root Authority :
    • Create your own Code-Signing certificate from your PKI server. And export it as a .pfx file.
    • Start WPP locally on the Wsus server.
    • Connect to your Wsus server (ensure that in Setting, the checkbox "Connect to local server" is checked)
    • Go to Tools -> Certificate
    • Enter the password of the certificate.
    • Click on "Load a certificate"
    • Ensure the certificate of the Root authority itself is present in the "Trusted Root Authorities" store
  • If you don't have your own Root authority :
    • Start WPP (it can be done on a remote computer or directly on the server, it's better if it's on the Wsus server)
    • Connect to your Wsus Server.
    • Go to Tools -> Certificate.
    • Click on "Generate the certificate"
    • RESTART the Wsus server.
Marked as answer by DCourtel on 10/5/2013 at 5:11 AM
Nov 12, 2013 at 10:40 AM
DCourtel wrote:
There is a GPO for this setting : "Administration Templates -> Windows Components -> Windows Update Components -> 'Allow Signed Content from intranet Microsoft update service location'"

This setting allows the WU agent to trust a package that has been signed by a trusted publisher. The certificate must already be in the TrustedPublisherCertificate store, so the risk is very low. To corrupt a machine, an attacker must first import a certificate into this store and then publish a fake update in your Wsus (that means knowing an account that has administrative privileges on the attacked computer and on the Wsus server) !
Would be very nice if this one had a place in the documentation.
Nov 12, 2013 at 2:08 PM
Dec 4, 2014 at 11:06 AM
I've been using this product for about a year and would like to share my experience re certificates - I hope this is the right place !
Feel free to change/delete anything that is wrong

1) Self signed certificates are only valid for 365 days.
2) When you generate your new certificate leave the old one in place (ie don't remove it from Group Policy)
3) create your certificate 60 days before the old one expires (you need to get all NON MS updates installed using a valid certificate - updates approved NOW with the old certificate will only be valid until the certificate expires)
4) When you add your new certificate to WPP remember that all updates created from this point on will have the new certificate - any updates sent to WSUS prior to this will have the old certificate - hence point 2 - leave your old certificate in place.
5) Once the old certificate has expired 're-publish' all non MS updates. ie remove them and then put them back with the new certificate.

I hope the above helps
Dec 4, 2014 at 11:20 AM
5) Once the old certificate has expired 're-publish' all non MS updates. ie remove them and then put them back with the new certificate.
No need to re-publish, just re-sign already published updates (right-click, resign). It's faster.