Imported Certificate Replaced by Self-Signed Certificate

Symptom

This issue is usually discovered through a process similar to the following:

  1. You have successfully imported a custom certificate as your WSUS signing certificate and distributed it throughout your environment to facilitate deployment of third-party patches.
  2. You suddenly find that recently published updates are failing with an error related to the signing certificate not being trusted.
  3. You investigate and find your signing certificate is now set to a WSUS self-signed cert instead of your custom one.
  4. You re-import your certificate and republish affected patches.
  5. The next time you publish and deploy patches, you find the same issue again.

Cause

This issue is almost certainly caused by a specific setting in the Software Update Point properties in Configuration Manager. The setting applies when the 'Enable third-party software updates' option is checked under Administration > Site Configuration > Sites > Right-click the site > Configure Site Components > Software Update Point > Third-Party Updates. If the 'Configuration Manager manages the certificate' option is checked, as shown below, Configuration Manager checks the signing certificate with every WSUS sync and, if it is not a WSUS self-signed certificate, replaces it with a self-signed certificate.

[Screenshot: Configuration Manager Software Update Point Properties, Third-Party Updates]

Solution

There are two options to resolve this issue:

  • Disable the option for third-party updates there entirely (this option is NOT necessary to support third-party updates through the Lenovo Patch plugin).
    OR
  • Choose the option to 'Manually manage the certificate'.

Either of these options will stop the Configuration Manager console from overwriting the existing certificate and allow you to keep signing updates with your custom certificate as intended.
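
To confirm after the next WSUS sync that the custom certificate is still in place, a check like the following can be run on the WSUS server. This is an added example, not part of the original article; it assumes the signing certificate is kept in the local machine "WSUS" certificate store, and the function name and thumbprint value are placeholders.

```powershell
# Added example (not from the original article). Run on the WSUS server.
# Assumption: the WSUS signing certificate is in the local machine "WSUS" store.
function Get-WsusSigningCertStatus {          # hypothetical helper name
    param(
        [Parameter(Mandatory)]
        [string]$ExpectedThumbprint,          # thumbprint of your custom certificate
        [string]$StorePath = 'Cert:\LocalMachine\WSUS'
    )

    # Thumbprints copied from the certificate UI often contain spaces or
    # hidden characters, so keep only the hex digits before comparing.
    $expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    if (-not (Test-Path -Path $StorePath)) {
        throw "Certificate store not found: $StorePath"
    }

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            NotAfter   = $cert.NotAfter
            # Informational only: a custom certificate can itself be self-signed,
            # so the thumbprint comparison is the authoritative check.
            SelfSigned = ($cert.Subject -eq $cert.Issuer)
            IsExpected = ($cert.Thumbprint -eq $expected)
        }
    }
}

# Placeholder value: replace with the thumbprint of the certificate you imported.
$status = @(Get-WsusSigningCertStatus -ExpectedThumbprint '<CUSTOM-CERT-THUMBPRINT>')
$status | Format-Table -AutoSize

if (-not ($status | Where-Object { $_.IsExpected })) {
    Write-Warning 'Custom signing certificate is not in the WSUS store; it may have been replaced.'
}
```

If the warning appears after a sync, review the Third-Party Updates setting described under Cause before re-importing the certificate.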

