WSUS signing certificate

As a result of a new Microsoft policy, some customers may be required to update their WSUS signing certificates in the near future.

Microsoft is announcing the availability of an update to Windows that restricts the use of certificates with RSA keys less than 1024 bits in length. The private keys used in these certificates can be derived and could allow an attacker to duplicate the certificates and use them fraudulently to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. Microsoft is planning to release this non-security update to both Windows Update and WSUS during the October 2012 Patch Tuesday.

CSI requires a certificate to sign third-party updates, and that certificate needs to be trusted by all Windows Update Agent clients. We support two ways to create this signing certificate: create one from an existing Public Key Infrastructure, or create a self-signed certificate through the CSI console. The latter calls the WSUS API to create the self-signed certificate.

If you choose to create a self-signed certificate through WSUS, you cannot define the key length of the certificate; the WSUS API determines it.

For WSUS 3.0 SP2 without the hotfix, the key length will be 512 bits.

For WSUS 3.0 SP2 with hotfix KB2530678, KB2530709 or KB2720211 (the WSUS hardening update, which includes KB2530678 and KB2530709), the key length will be 2048 bits.

If your WSUS server's signing certificate is only 512 bits, you will see the following error in WindowsUpdate.log:

Failed to download updates to the WUAgent datastore. Error = 0x80096004

0x80096004 means “The signature of the certificate cannot be verified”.

Recommended actions:

1. Apply WSUS hotfix KB2720211 on all WSUS servers and CSI console systems

2. Remove the existing 512-bit code signing certificate from your WSUS servers

3. Regenerate WSUS code signing certificate through the CSI console

4. Distribute the public code signing certificate throughout your organization

5. Re-publish existing CSI third-party software updates created in the past
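To check where you stand before and after following the steps above, here is an added PowerShell example (not part of the original post or of the CSI product). It assumes the WSUS self-signed signing certificate sits in the local machine "WSUS" certificate store on the WSUS server, and that step 4 places the public certificate in the Trusted Root and Trusted Publishers stores on clients; the function names are my own.

```powershell
# Added example, not from the original post. Reports the RSA key length of
# every certificate in a machine store and flags anything below 1024 bits.
# Assumption: the WSUS self-signed signing certificate is kept in
# Cert:\LocalMachine\WSUS on the WSUS server.
function Get-WsusSigningCertificateReport {
    [CmdletBinding()]
    param(
        [string]$StorePath   = 'Cert:\LocalMachine\WSUS',
        [int]   $MinimumBits = 1024   # floor enforced by the October 2012 update
    )
    Get-ChildItem -Path $StorePath | ForEach-Object {
        $bits = $_.PublicKey.Key.KeySize
        [pscustomobject]@{
            Subject      = $_.Subject
            Thumbprint   = $_.Thumbprint
            KeySizeBits  = $bits
            NotAfter     = $_.NotAfter
            MeetsMinimum = ($bits -ge $MinimumBits)   # False = the 512-bit cert to replace
        }
    }
}

# Run on a client after step 4: confirms the regenerated public certificate
# reached both stores the Windows Update Agent needs for third-party updates.
function Test-WsusCertificateTrust {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Thumbprint)
    [pscustomobject]@{
        Thumbprint       = $Thumbprint
        TrustedRoot      = Test-Path "Cert:\LocalMachine\Root\$Thumbprint"
        TrustedPublisher = Test-Path "Cert:\LocalMachine\TrustedPublisher\$Thumbprint"
    }
}

# On the WSUS server: any row with MeetsMinimum = False is the certificate
# to remove and regenerate (steps 2 and 3).
Get-WsusSigningCertificateReport | Format-Table -AutoSize

# On a client, using the thumbprint reported by the server:
# Test-WsusCertificateTrust -Thumbprint '<thumbprint from the server report>'
```

A client still reporting 0x80096004 after the regeneration usually has an old thumbprint in its stores or is missing the new one in Trusted Publishers; this report makes that visible without reading WindowsUpdate.log.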

Stay Secure,