Typically this is because the certificate which WSUS uses to sign the updates as they are published to WSUS is not in all the right places.
You may be able to run the Server Publishing Setup Wizard from within the Software Publishing node in Patch Manager to read that cert from the WSUS server and distribute it to the proper certificate stores on the WSUS and Patch Manager servers.
If you prefer or need to use the more manual way:
- Go to the WSUS server.
- Run MMC, add the Certificates snap-in, and choose "Computer account".
- When that opens, if you have already created a certificate in the past for 3rd party patching, it will be under the \WSUS certificate store. If you open its properties, you will likely see an error on the properties page saying it is not trusted.
- Export that cert from the \WSUS store to a .CER file. Generally, you can just take the defaults on the export wizard and drop it to a file. You may want to look at the Properties on that cert in the \WSUS store so that you can note the serial number of that cert for later reference.
- On the WSUS server, you will want to make sure that a copy of that certificate (which you can verify is the same by checking the serial number) is under both the Trusted Publishers and Trusted Root Certification Authorities certificate stores. If it is not there in one of those stores, then Import it using the .CER file you exported a couple of steps ago.
- On the Patch Manager server you will want to make sure that cert is in those same two stores (Trusted Publishers / Trusted Root Certification Authorities).
So, at the end you will have the cert in 3 different stores on the WSUS server and 2 stores on the Patch Manager server, and you can verify that they are all the same by checking the serial number. Once that is true, that error should go away.
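
The manual steps above can also be scripted. The following PowerShell is an added example, not part of the original answer or of Patch Manager; the script parameters (`-ExportFromWsusStore`, `-CerPath`, `-SerialNumber`) and the default file path are assumptions made for illustration. It exports only the public certificate, compares by serial number and thumbprint, and imports into a store only when the certificate is missing.

```powershell
# Added example. Run from an elevated PowerShell session.
#   WSUS server:          .\Sync-WsusCert.ps1 -ExportFromWsusStore
#   Patch Manager server: copy the .CER over, then .\Sync-WsusCert.ps1 -CerPath <file>
param(
    [switch]$ExportFromWsusStore,                      # hypothetical switch: read the cert from the \WSUS store
    [string]$CerPath = "$env:TEMP\wsus-signing.cer",   # assumed location of the exported .CER
    [string]$SerialNumber                              # only needed if \WSUS holds more than one cert
)

$wsusStore = 'Cert:\LocalMachine\WSUS'
# Provider names for "Trusted Publishers" and "Trusted Root Certification Authorities"
$targets = 'Cert:\LocalMachine\TrustedPublisher', 'Cert:\LocalMachine\Root'

if ($ExportFromWsusStore) {
    $found = @(Get-ChildItem $wsusStore)
    if ($SerialNumber) { $found = @($found | Where-Object { $_.SerialNumber -eq $SerialNumber }) }
    if ($found.Count -ne 1) {
        throw "Expected exactly one certificate in $wsusStore, found $($found.Count). Pass -SerialNumber to pick one."
    }
    # -Type CERT writes the public certificate only (no private key), like the default wizard export
    Export-Certificate -Cert $found[0] -FilePath $CerPath -Type CERT | Out-Null
}

if (-not (Test-Path $CerPath)) { throw "Certificate file not found: $CerPath" }
$ref = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath

foreach ($store in $targets) {
    # Same serial number and thumbprint means it is the same certificate
    $match = Get-ChildItem $store | Where-Object {
        $_.SerialNumber -eq $ref.SerialNumber -and $_.Thumbprint -eq $ref.Thumbprint
    }
    if ($match) {
        $state = 'already present'
    } else {
        Import-Certificate -FilePath $CerPath -CertStoreLocation $store | Out-Null
        $state = 'imported'
    }
    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        Store        = $store
        SerialNumber = $ref.SerialNumber
        NotAfter     = $ref.NotAfter
        State        = $state
    }
}
```

The output lists one row per store with the serial number, so the rows from the WSUS server and the Patch Manager server can be compared directly.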