2 Replies Latest reply on Jun 26, 2015 2:07 PM by kellytice

    Re-issuing Cert

    ec-umass

We had to uninstall and reinstall our patch manager console server (DB is on a separate server and stayed the same). But the cert that gets pushed out to the clients seems to have changed and most of the servers are getting an error in the event log stating "The certificate received from the remote server was issued by an untrusted certificate authority. Because of this, none of the data contained in the certificate can be validated. The SSL connection request has failed. The attached data contains the server certificate."


      I exported the cert from the patch manager server and imported it and it seemed to fix the issue. How do I push this to my 900 clients that are being managed?


      Thanks.

        • Re: Re-issuing Cert
          kellytice

          Hmm... changing the Patch Manager console should not have (by itself) changed the cert that is used for 3rd party packaging. The 'private' portion of that cert lives on the WSUS server in the WSUS certificate store. The public version is deployed to the Trusted Root Certification Authorities and Trusted Publishers certificate stores on the Patch Manager server(s), the WSUS server, and all the clients that will be receiving 3rd party updates from that WSUS server.


          Basically, when you publish a 3rd party package using Patch Manager to your WSUS server, the WSUS server will "sign" that update with the certificate.  Later, when a machine needs to get that 3rd party update from WSUS (whether it is part of a normal patching cycle or you have used one of our tasks to deploy the update), the target machine needs a copy of that cert so it can confirm that it matches the cert the update was signed with.


          So, if the certificate on the WSUS server has changed, you might need to redistribute it, and you can typically use domain Group Policy to do so. The Patch Manager administrator guide has a section on how to distribute the cert to those two certificate stores mentioned earlier using group policy.   There is also a "Certificates Management" task in Patch Manager that you can run against a machine or group of machines to deploy the cert out to the proper stores without using Group Policy.

            • Re: Re-issuing Cert
              kellytice

              Side note: if your cert on your WSUS server DID change, all previous updates that were published with the OLD cert aren't valid any longer; you would need to either delete them off the WSUS server (if they are no longer needed) or republish them with the option to "re-sign existing selected packages" checked in the publishing wizard.
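One way to find out which of the 900 clients still lack the publishing cert in the two stores kellytice names (Trusted Root Certification Authorities and Trusted Publishers), as an added example that is not from this thread or from SolarWinds. The WSUS server name, the clients.txt list, WinRM access to the machines, and reading the signing cert from the Cert:\LocalMachine\WSUS store path are assumptions.

```powershell
# Added example (not from the thread or SolarWinds): audit which managed clients
# are missing the WSUS publishing certificate in the stores that must trust it.
# Assumptions: WinRM is enabled on the WSUS server and the clients; the server
# name and client list are placeholders; the publishing cert is the first cert in
# the WSUS certificate store on the WSUS server.
$WsusServer = 'WSUS01.example.local'           # placeholder
$Clients    = Get-Content -Path .\clients.txt   # one hostname per line (placeholder)

# 1. Read the thumbprint of the current publishing cert from the WSUS server.
$Thumbprint = Invoke-Command -ComputerName $WsusServer -ScriptBlock {
    (Get-ChildItem -Path Cert:\LocalMachine\WSUS | Select-Object -First 1).Thumbprint
}
if (-not $Thumbprint) {
    throw "No publishing certificate found in the WSUS store on $WsusServer"
}

# 2. On each client, check both stores the reply names for that exact thumbprint.
$Results = Invoke-Command -ComputerName $Clients -ErrorAction SilentlyContinue -ScriptBlock {
    param($tp)
    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        InTrustedRoot       = [bool](Get-ChildItem Cert:\LocalMachine\Root |
                                     Where-Object { $_.Thumbprint -eq $tp })
        InTrustedPublishers = [bool](Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
                                     Where-Object { $_.Thumbprint -eq $tp })
    }
} -ArgumentList $Thumbprint

# 3. Clients missing the cert in either store are the ones to target with the
#    Group Policy distribution or the Certificates Management task.
"Clients missing the cert (thumbprint $Thumbprint) in at least one store:"
$Results | Where-Object { -not ($_.InTrustedRoot -and $_.InTrustedPublishers) } |
    Select-Object Computer, InTrustedRoot, InTrustedPublishers | Format-Table -AutoSize

# 4. Clients that did not answer at all still need a manual look.
$Unreachable = $Clients | Where-Object { $_ -notin $Results.PSComputerName }
if ($Unreachable) {
    "Clients not reachable over WinRM:"
    $Unreachable
}
```

After re-distributing the cert, re-running the script should leave the first table empty; any machine that stays listed is one where the store import did not land.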