Use a real certificate (from CA)

Topics: Configuration Issue, Publishing Issue
Feb 2, 2015 at 10:56 AM
Hi,
I'd like to know if it's possible to load a certificate signed by a CA.
During my tests, WPP worked fine with a self-signed certificate. Now that I'm going to use this API in production, my company wants to use a certificate signed by our CA. We already have it, but WPP seems to only want to use its self-signed certificate.

When I import it in mmc > Certificates, then I load WPP and try to connect to my local WSUS server, it says there is no certificate.
Is there a way to use my certificate instead of the self-signed one?

Please let me know as quickly as you can.
Thanks
Feb 2, 2015 at 3:36 PM
Edited Feb 2, 2015 at 3:41 PM
Did you try using the "Load a certificate" function in the WPP Certificate Manager (Tools > Certificate...)? You can use it to import a password-protected PFX file; the button will be grayed out until you type a password into the text box near the button. You can export the cert that you've used in mmc > Certificates, and WPP will put it in all the necessary places, if you've missed any.
Feb 2, 2015 at 4:09 PM
OK, thank you. My original certificate file is a .crt file. I renamed it to .cer.
Now you tell me I need a pfx file?
So with openssl, I've converted my certificate to certificate.pfx. It works well in WPP, no more errors connecting to the server.
My question is, which certificate file do I have to deploy to my clients' computers?

Sorry I'm kinda lost.

Thanks
Feb 2, 2015 at 5:25 PM
Edited Feb 2, 2015 at 5:44 PM
Firstly, make sure that the certificate you created is valid for code signing.

To create the pfx file, export the cert from the Management Console:
  1. Right click cert > all tasks > export...
  2. Click next once, select "Yes, export the private key", click next again
  3. Check the boxes for "Include all certificates in the certification path if possible" and "Export all extended properties".
  4. Select a password to use for this pfx file
  5. Choose a file name
  6. Finish the export
Then in WPP:
  1. Tools > Certificate...
  2. Type the chosen password in the password box
  3. Click "Load a certificate...", press yes if prompted
  4. Find the file and import it
Finally, restart WSUS:
  1. Open Services console
  2. Restart "Update Services"
--or--
  1. Open cmd/run dialog/powershell
  2. Run net stop WSUSService & net start WSUSService
Feb 2, 2015 at 6:19 PM
Yes, OK, I understand this part and it works.
But now, which file do I have to add to the clients' stores to communicate with the server?
Feb 2, 2015 at 7:46 PM
Edited Feb 2, 2015 at 10:39 PM
If the clients trust the issuing CA, then you should not have to distribute a certificate to the client stores. The cert needs to be distributed (exported without the public key) if the clients don't trust the issuing CA.

Also, if there are any intermediate certs, make sure they're installed in Intermediate Certification Authorities > Certificates in the certificates console of the WSUS server's local computer account; that way it will send the intermediate certs along with the server cert (sending the whole chain for proper verification). This should have been taken care of by the export/import done earlier, but I haven't tested this on my end specifically. You could also distribute the intermediate cert as a trusted intermediate CA for the clients, but it's more secure to have the clients trust the root CA and send the intermediate certs to the client upon connection.
Feb 2, 2015 at 8:45 PM
OK. But before seeing if I need to deploy a certificate to my clients, I found out my certificate isn't valid for code signing!
It only shows Server Authentication and Client Authentication.
I can't add a purpose; it's grayed out.

Does it mean I have to ask for a new certificate with this new purpose?

Thanks for your help!
Feb 2, 2015 at 9:00 PM
Yes, it must be a code signing certificate. And the private key must be at least 1024 bits long.
Feb 2, 2015 at 10:15 PM
Edited Feb 2, 2015 at 10:17 PM
austinian wrote:
Firstly, make sure that the certificate you created is valid for code signing.
I guess you skipped that step. :)

Generating a certificate that's valid for code signing will depend on the CA you are using.
Apr 2, 2015 at 1:34 PM
Hello,
I finally have my code signing certificate!!
Can you explain to me how to install it on my server to publish updates and then let clients download them?

Thanks a lot.
Apr 2, 2015 at 3:42 PM
It's me again. I've successfully imported the pfx file in the console. I can publish updates.
My clients see the update, but I get an error when I try to install it.
Do I have to do something on the client? (My goal is to only configure parameters on the server.)
Apr 2, 2015 at 3:53 PM
HiDoo wrote:
Can you explain to me how to install it on my server to publish updates and then let clients download them?
You will find documentation for importing certificates here: http://wsuspackagepublisher.codeplex.com/documentation
http://www.codeplex.com/Download?ProjectName=WsusPackagePublisher&DownloadId=499803
Apr 2, 2015 at 4:46 PM
OK, so my certificate is up on the server, but I get an error when I try to install the update on my client.
Can you help me?
Apr 2, 2015 at 5:30 PM
HiDoo wrote:
OK, so my certificate is up on the server, but I get an error when I try to install the update on my client.
Can you help me?
If you want to post the error message, I think it could be possible to help you. OK? :)
Apr 2, 2015 at 7:35 PM
Edited Apr 2, 2015 at 7:53 PM
2015-04-02 20:31:07:457 1088 1028 DnldMgr BITS job {DC791307-9EF1-4C70-A878-50C72F2E4859} completed successfully
2015-04-02 20:31:07:778 1088 1028 Misc Validating signature for C:\Windows\SoftwareDistribution\Download\40f14bfb56c3cc146413561e743e5792\9ed26d98-f97d-4725-b9a2-c284f3e8e4e7_1.cab with dwProvFlags 0x00000080:
2015-04-02 20:31:08:040 1088 1028 Misc Microsoft signed: No
2015-04-02 20:31:08:041 1088 1028 Misc Trusted Publisher: No
2015-04-02 20:31:08:041 1088 1028 Misc WARNING: Digital Signatures on file C:\Windows\SoftwareDistribution\Download\40f14bfb56c3cc146413561e743e5792\9ed26d98-f97d-4725-b9a2-c284f3e8e4e7_1.cab are not trusted: Error 0x800b0004
2015-04-02 20:31:08:041 1088 1028 DnldMgr WARNING: VerifyFileTrust on file C:\Windows\SoftwareDistribution\Download\40f14bfb56c3cc146413561e743e5792\9ed26d98-f97d-4725-b9a2-c284f3e8e4e7_1.cab failed with hr = 800b0004.
2015-04-02 20:31:08:044 1088 1028 DnldMgr WARNING: File failed postprocessing, error = 800b0004
2015-04-02 20:31:08:045 1088 1028 DnldMgr Failed file: URL = 'http://server:8530/Content/42/486CE3C18207FF4FE866452F00AE9C8F00E10442.cab', Local path = 'C:\Windows\SoftwareDistribution\Download\40f14bfb56c3cc146413561e743e5792\9ed26d98-f97d-4725-b9a2-c284f3e8e4e7_1.cab'
2015-04-02 20:31:08:045 1088 1028 DnldMgr Error 0x800b0004 occurred while downloading update; notifying dependent calls.
2015-04-02 20:31:08:058 1088 1674 AU >>## RESUMED ## AU: Download update [UpdateId = {56E85F2E-A5B6-450A-8EBD-58E70295137C}]
2015-04-02 20:31:08:058 1088 1674 AU # WARNING: Download failed, error = 0x800B0004
2015-04-02 20:31:08:058 1088 1674 AU #########
2015-04-02 20:31:08:058 1088 1674 AU ## END ## AU: Download updates
2015-04-02 20:31:08:058 1088 1674 AU #############
2015-04-02 20:31:08:059 1088 1674 AU Setting AU scheduled install time to 2015-04-03 01:00:00
2015-04-02 20:31:08:059 1088 1674 AU Successfully wrote event for AU health state:0
2015-04-02 20:31:08:059 1088 1674 AU Currently showing Progress UX client - so not launching any other client
2015-04-02 20:31:08:061 1088 1674 AU Successfully wrote event for AU health state:0
2015-04-02 20:31:08:064 1088 17b0 AU Getting featured update notifications. fIncludeDismissed = true
2015-04-02 20:31:08:064 1088 17b0 AU No featured updates available.
2015-04-02 20:31:09:934 1088 17b0 AU BeginInteractiveInstall invoked for Install
2015-04-02 20:31:09:935 1088 17b0 AU Auto-approved 0 update(s) for install (for Ux), installType=0
2015-04-02 20:31:09:935 1088 17b0 AU WARNING: BeginInteractiveInstall failed, error = 0x8024000C
2015-04-02 20:31:09:935 5060 158c CltUI FATAL: BeginInteractiveInstall for install returned code 8024000C
2015-04-02 20:31:10:001 5060 158c CltUI WARNING: AU directive Interactive Progress is exiting due to error 8024000C
2015-04-02 20:31:10:021 1088 cbc AU AU received handle event
2015-04-02 20:31:10:021 1088 cbc AU UpdateDownloadProperties: 0 download(s) are still in progress.
2015-04-02 20:31:10:022 1088 cbc AU Triggering Offline detection (non-interactive)
2015-04-02 20:31:10:023 1088 cbc AU AU setting pending client directive to 'Install Complete Ux'
2015-04-02 20:31:10:023 1088 cbc AU WARNING: Pending directive, 'Install Complete Ux', is not applicable
2015-04-02 20:31:10:026 1088 cbc AU Successfully wrote event for AU health state:0
2015-04-02 20:31:10:026 1088 cbc AU #############
2015-04-02 20:31:10:026 1088 cbc AU ## START ## AU: Search for updates
2015-04-02 20:31:10:026 1088 cbc AU #########
2015-04-02 20:31:10:029 1088 cbc AU <<## SUBMITTED ## AU: Search for updates [CallId = {A6E57995-FAF4-4D15-8C90-AAA217016FB2}]
2015-04-02 20:31:10:029 1088 e8c Agent *************
2015-04-02 20:31:10:029 1088 e8c Agent ** START ** Agent: Finding updates [CallerId = AutomaticUpdates]
2015-04-02 20:31:10:029 1088 e8c Agent *********
2015-04-02 20:31:10:029 1088 e8c Agent * Online = No; Ignore download priority = No
2015-04-02 20:31:10:029 1088 e8c Agent * Criteria = "IsInstalled=0 and DeploymentAction='Installation' or IsPresent=1 and DeploymentAction='Uninstallation' or IsInstalled=1 and DeploymentAction='Installation' and RebootRequired=1 or IsInstalled=0 and DeploymentAction='Uninstallation' and RebootRequired=1"
2015-04-02 20:31:10:029 1088 e8c Agent * ServiceID = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7} Managed
2015-04-02 20:31:10:029 1088 e8c Agent * Search Scope = {Machine}
2015-04-02 20:31:12:663 1088 e8c Agent * Added update {56E85F2E-A5B6-450A-8EBD-58E70295137C}.1 to search result
2015-04-02 20:31:12:663 1088 e8c Agent * Found 1 updates and 80 categories in search; evaluated appl. rules of 458 out of 3173 deployed entities
2015-04-02 20:31:12:664 1088 e8c Agent *********
2015-04-02 20:31:12:665 1088 e8c Agent ** END ** Agent: Finding updates [CallerId = AutomaticUpdates]
2015-04-02 20:31:12:665 1088 e8c Agent *************
2015-04-02 20:31:12:693 1088 1674 AU >>## RESUMED ## AU: Search for updates [CallId = {A6E57995-FAF4-4D15-8C90-AAA217016FB2}]
2015-04-02 20:31:12:693 1088 1674 AU # 1 updates detected
2015-04-02 20:31:12:693 1088 1674 AU #########
2015-04-02 20:31:12:693 1088 1674 AU ## END ## AU: Search for updates [CallId = {A6E57995-FAF4-4D15-8C90-AAA217016FB2}]
2015-04-02 20:31:12:693 1088 1674 AU #############
2015-04-02 20:31:12:693 1088 1674 AU Featured notifications is disabled.
2015-04-02 20:31:12:693 1088 1674 AU Setting AU scheduled install time to 2015-04-03 01:00:00
2015-04-02 20:31:12:693 1088 1674 AU Successfully wrote event for AU health state:0
2015-04-02 20:31:12:694 1088 e8c Report REPORT EVENT: {DB558D3C-CC44-47AA-B72B-AC1FFD11BD24} 2015-04-02 20:31:08:058+0200 1 161 101 {56E85F2E-A5B6-450A-8EBD-58E70295137C} 1 800b0004 AutomaticUpdatesWuApp Failure Content Download Error: Download failed.
2015-04-02 20:31:12:695 1088 1674 AU Successfully wrote event for AU health state:0
2015-04-02 20:31:12:752 1088 e8c Report CWERReporter::HandleEvents - WER report upload completed with status 0x8
2015-04-02 20:31:12:752 1088 e8c Report WER Report sent: 7.6.7600.320 0x800b0004 56E85F2E-A5B6-450A-8EBD-58E70295137C Download 101 Managed
2015-04-02 20:31:12:752 1088 e8c Report CWERReporter finishing event handling. (00000000)
2015-04-02 20:31:12:814 1088 6b8 AU Getting featured update notifications. fIncludeDismissed = true
2015-04-02 20:31:12:814 1088 6b8 AU No featured updates available.
2015-04-02 20:31:13:826 1088 cbc AU No pending client directive
2015-04-02 20:31:17:695 1088 e8c Report CWERReporter finishing event handling. (00000000)
Apr 2, 2015 at 8:07 PM
Hi,
2015-04-02 20:31:08:041 1088 1028 Misc WARNING: Digital Signatures on file C:\Windows\SoftwareDistribution\Download\40f14bfb56c3cc146413561e743e5792\9ed26d98-f97d-4725-b9a2-c284f3e8e4e7_1.cab are not trusted: Error 0x800b0004
Does your client computer trust your home-made certificate? Looks like the answer is no!
Apr 2, 2015 at 8:12 PM
It's not a home-made certificate. I requested it from my CA and I had to wait more than a month to get the code signing format.

Is WSUS Package Publisher able to work without deploying the server certificate to all my clients?
Apr 2, 2015 at 9:17 PM
Can you deploy the code signing certificate in the Trusted Publishers cert store on the client machine? Does it work then?

Regards
Norbert
Apr 3, 2015 at 9:11 AM
Yes, it works.
But my goal isn't to deploy the cert to all clients. Is there something more to do on the server to make it work?
Plus, the cert expires every 3 years, so I'd have to redeploy it again, and we don't have AD.
Apr 3, 2015 at 10:47 AM
HiDoo wrote:
Yes, it works.
But my goal isn't to deploy the cert to all clients. Is there something more to do on the server to make it work?
Plus, the cert expires every 3 years, so I'd have to redeploy it again, and we don't have AD.
But all clients/servers need the certificate. Without the certificate they cannot install updates from WPP.
Apr 16, 2015 at 4:24 PM
HiDoo wrote:
Yes, it works.
But my goal isn't to deploy the cert to all clients. Is there something more to do on the server to make it work?
Plus, the cert expires every 3 years, so I'd have to redeploy it again, and we don't have AD.
The root certificate is trusted through the Trusted Root store. You need the certificate to be in the Trusted Publishers store too. That's why a code signing certificate from a CA is, in this case, usually oversized. ;)

Regards
Norbert
Apr 20, 2015 at 2:27 PM
I've reconfigured my WSUS server for HTTPS. I've added the SSL certificate in IIS.
So my clients can install Windows Updates through https://server:8531. I thought this change would also let me install signed updates from WPP. I've imported my code signing certificate into WPP and I've successfully published updates.

Since my clients trust the server through my SSL certificate on port 8531, I really don't understand why they don't trust that same server with the code signing certificate.
Could you please explain it to me?

Why is it not necessary to deploy a certificate on my clients to install Windows Updates through 8531, whereas it is for WPP?
Apr 20, 2015 at 7:31 PM
I'm trying to use a certificate signed by our CA and it doesn't work at all. I did everything in your documentation and still the application tells me that it failed to load the certificate.
The WSUS server is installed in a different domain, and this domain does not have a Certificate Authority. So I installed the root CA of the authority server that produced the certificate on my WSUS server, along with the code signing certificate.

Log of WSUS Package Publisher:

2015-04-20 14:09:29 Server
2015-04-20 14:09:29 Entering Void InitializeContextMenuForServer()
2015-04-20 14:09:29 Server Version is : 6.3.9600.16384
2015-04-20 14:09:29 Console Version is : 6.3.9600.16384
2015-04-20 14:09:29 Local OS is : Microsoft Windows NT 6.2.9200.0
2015-04-20 14:09:33 Entering Void certificatToolStripMenuItem_Click(System.Object, System.EventArgs)
2015-04-20 14:09:33 Entering Void .ctor() : FrmCertificateManagement
2015-04-20 14:09:33 Entering Void .ctor()
2015-04-20 14:09:41 Entering Void btnLoad_Click(System.Object, System.EventArgs)
2015-04-20 14:09:41 Entering Boolean IsSureToWantToOverwriteCurrentCertificate()
2015-04-20 14:09:41 Entering Boolean IsSureToWantToOverwriteCurrentCertificate()
2015-04-20 14:09:41 Generate or Load the certificate.
2015-04-20 14:09:47 Will load certificate : C:\Users\xarboure\Desktop\Certificat code 28p\WSUS_PUB.pfx
2015-04-20 14:09:47 Entering Boolean IsValidCertificate(System.String, System.String)
2015-04-20 14:10:02 IsValideCertificate = False
2015-04-20 14:10:32 Entering Void btnOk_Click(System.Object, System.EventArgs)
2015-04-20 14:10:36 Entering Void .ctor() : FrmSendDebugInfo
2015-04-20 14:10:38 Entering Void lnkLblShowInformations_LinkClicked(System.Object, System.Windows.Forms.LinkLabelLinkClickedEventArgs)
Apr 20, 2015 at 9:45 PM
Hi HiDoo,
Since my clients trust the server through my SSL certificate on port 8531, I really don't understand why they don't trust that same server with the code signing certificate.
Could you please explain it to me?
The certificate for SSL is a server cert, used to identify a computer. Packages need to be signed with a code signing certificate. To be trusted, the code signing certificate must be present in the "Trusted Publishers" store, and the certificate of the Root Authority that issued the code signing cert must be present in the "Trusted Root Certification Authorities" store.
Why is it not necessary to deploy a certificate on my clients to install Windows Updates through 8531, whereas it is for WPP?
Microsoft updates are digitally signed, and their certificates are already in the right stores.
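One way to verify on a client that the conditions described in this reply (and in the earlier one about the intermediate chain and the code signing purpose) are met, before a 0x800b0004 shows up in WindowsUpdate.log. This is an added example, not WPP's own code or anything posted in the thread; the thumbprint is a placeholder you supply, and it assumes an elevated PowerShell session on the client.

```powershell
# Added example: check that a WPP code signing certificate is trusted on this client.
# Assumption: $Thumbprint is the thumbprint of the cert loaded into WPP (placeholder).
param(
    [Parameter(Mandatory = $true)]
    [string]$Thumbprint
)

$codeSigningEku = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning

# 1. The code signing cert itself must be in LocalMachine\TrustedPublisher.
$pub = Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
       Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $pub) {
    Write-Warning "Cert $Thumbprint is NOT in LocalMachine\TrustedPublisher; the agent will report 0x800b0004 (TRUST_E_SUBJECT_NOT_TRUSTED)."
    return
}

# 2. It must carry the Code Signing EKU (the cert in the thread only had
#    Server Authentication and Client Authentication).
$ekus = $pub.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } }
if ($ekus -notcontains $codeSigningEku) {
    Write-Warning "Cert is in Trusted Publishers but lacks the Code Signing EKU. EKUs present: $($ekus -join ', ')"
}

# 3. The chain must build, for the code signing purpose, to a root that the
#    client trusts (LocalMachine\Root); intermediates may come from
#    Intermediate Certification Authorities or be sent by the server.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck  # offline check
$chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid $codeSigningEku)) | Out-Null

if ($chain.Build($pub)) {
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    "Chain OK for code signing. Root: $($root.Subject) [$($root.Thumbprint)]"
} else {
    $chain.ChainStatus | ForEach-Object { Write-Warning "$($_.Status): $($_.StatusInformation)" }
}
```

Revocation checking is disabled so the script gives the same answer offline; re-run with the default RevocationMode when you also want to confirm the client can reach the CA's CRL.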
Apr 20, 2015 at 9:51 PM
Hi earbour, you should open your own thread in this forum.
Apr 29, 2015 at 12:52 PM
OK so as I had no choice, I've deployed the certificate to my clients.
I can now publish updates.
This thread can be closed.