You have a couple of things at work here.
First, if the build number reported in the console is 3.2.7600.226 then you've not installed any WSUS patches (KB2720211 or KB2734608), so be sure you're getting the version number from the console itself, and not from the About->Help screen. (See SolarWinds KB4107 for more details.) The Server Publishing Verification Wizard (SPVW) reports that you have '256' on your WSUS server, but only '226' on the Patch Manager server. There is a WSUS console installed on the Patch Manager server also, so whatever update(s) you've installed to your WSUS servers also need to be installed to the Patch Manager server. (Starting with v1.85 we force the installation of KB2734608 to the Patch Manager server.)
Second, with the message that the required certificate is not in the Trusted Publishers or Trusted Root Certificate Authorities store, that would suggest that the upstream server did not (yet?) get updated from the certificate you updated in the GPO, or that the certificate being compared by the SPVW. Since you've visually verified the certificate's presence (and assuming that is the 2048-bit cert -- KB2661254 should have removed the 512-bit cert), it may simply be an issue of caching on the Patch Manager server. From the WSUS Server node of the Patch Manager console (after installing KB2734608), run "Refresh Update Server", and then re-run the Server Publishing Verification Wizard. The PM console caches the WSUS publishing certificate and in all probability it had the 512-bit cert cached, which is, in fact, no longer present in those stores due to the activity of KB2661254. (Also a great case study for doing one change at a time.)
Firstly, thank you for a quick reply.
You are correct and I was getting the version from the WSUS console. When checked through Patch Manager the versions of WSUS on the WSUS servers are showing as '256'. However, whilst viewing the update server I noticed 'Software Publishing Certificate' under the actions pane and upon checking it for each server found that the downstream WSUS server had a different certificate to the other two. I deleted and redistributed the server from all 3 servers and it was still showing this rogue cert on the downstream server. We located it in the WSUS store and have removed it and restarted the server.
Patch Manager is still showing this rogue cert as the publishing certificate for the downstream server, even having refreshed the update server but on running the verification wizard again it is now reporting we are correctly setup for publishing. I have also tried publishing a few packages, but now receive an error advising "The specified item could not be found in the database". Does this relate to the rogue cert being display or is it a different issue?
Thanks so far. Fresh insight has definitely helped with what has felt like hitting my head against a wall for 2 days!
Message was edited by: Chris Hartmann I have successfully been able to publish an update without checking the 'Verify WSUS version compatibility and required signing certificate is distributed' and 'Re-sign existing selected packages' options.
The downstream servers should not have a WSUS store. The fact that they do suggests that at one time a publishing certificate was created for them. Typically the publishing certificate is only created for the upstream server.
Redistributing the cert (from USS to DSS) copies the USS cert (from the WSUS store) into the Trusted Publishers and Trusted Root Certificate Authorities store. The Server Publishing Verification Wizard will validate that these certificates match.
Using the Software Publishing Certificate action on a downstream server should return an <empty> result set. If it does return something this would indicate that there is a WSUS store with a cert (which is not an expected condition). If the WSUS store was deleted, then the cert may still be cached in the PM console. A "Refresh Update Server" should rectify that.
In any event, though, the results from the Verification Wizard would be authoritative. If it says the certs all match, then anything else is superfulous.
It would seem you are right. There is a WSUS store on the DSS, so it would seem that someone has created a certificate for this at some point in the past. Despite having run a "Refresh Update Server" a few times now I am still seeing the old cert being displayed, but as you say the verification wizard is confirming it correctly.
I have confirmed now though that publishing to the USS and synchronisation between USS and DSS is working correctly, so it seems this one has been resolved now.
Again, thanks for your advice it has been hugely appreciated.