WSUS signing certificate

16:00 CET on the 4th September 2012
Entry written by Secunia.

As a result of a new Microsoft policy, some customers may be required to update their WSUS signing certificates in the near future.

Microsoft is announcing the availability of an update to Windows that restricts the use of certificates with RSA keys less than 1024 bits in length. The private keys used in these certificates can be derived, which could allow an attacker to duplicate the certificates and use them fraudulently to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. Microsoft is planning to release this non-security update to both Windows Update and WSUS during the October 2012 Patch Tuesday.

CSI requires a certificate to sign third-party updates, and that certificate needs to be trusted by all the Windows Update Agent clients. We support two ways to create this signing certificate: create one from an existing Public Key Infrastructure, or create a self-signed certificate through the CSI console. The latter calls the WSUS API to create the self-signed certificate.

If you choose to use a self-signed certificate created through WSUS, you cannot define the key length of the certificate; the WSUS API decides the key length.

For WSUS 3.0 SP2 without the hotfix, the key length will be 512 bits.

For WSUS 3.0 SP2 with hotfix KB2530678, KB2530709 or KB2720211 (the WSUS hardening update, which includes KB2530678 and KB2530709), the key length will be 2048 bits.

If your WSUS server's signing certificate is only 512-bit, you will see the following error in WindowsUpdate.log:

Failed to download updates to the WUAgent datastore. Error = 0x80096004

0x80096004 means “The signature of the certificate cannot be verified”.


Recommended actions:

1. Apply WSUS hotfix KB2720211 on all WSUS servers and CSI console systems

2. Remove the existing 512-bit code signing certificate from your WSUS servers

3. Regenerate WSUS code signing certificate through the CSI console

4. Distribute the public code signing certificate throughout your organization

5. Re-publish existing CSI third-party software updates created in the past

Please refer to our remediation guide for detailed instructions on completing the steps above.
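Before and after working through the steps above, it helps to confirm where a 512-bit certificate still lives. The following PowerShell check is an added example, not part of the Secunia post or of CSI; it assumes it runs on the WSUS 3.0 SP2 server with the Microsoft.UpdateServices.Administration assembly installed, that the signing certificate uses an RSA key, and that the minimum of 1024 bits matches the Microsoft update described above.

```powershell
# Added example (not from the Secunia post): report the key length of the WSUS
# signing certificate, of any copies already in this machine's Trusted Publishers
# store, and whether WindowsUpdate.log already contains error 0x80096004.
# Assumes PowerShell 2.0 or later on the WSUS server (assumption, not from the post).
param(
    [int]$MinimumKeyBits = 1024,
    [string]$WindowsUpdateLog = "$env:windir\WindowsUpdate.log"
)

function Test-CertificateKeyLength {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [int]$MinimumBits
    )
    # For RSA certificates PublicKey.Key is an RSACryptoServiceProvider; KeySize is in bits.
    $bits = $Certificate.PublicKey.Key.KeySize
    $status = 'OK'
    if ($bits -lt $MinimumBits) { $status = 'TOO SHORT - regenerate and redistribute' }
    New-Object PSObject -Property @{
        Subject    = $Certificate.Subject
        Thumbprint = $Certificate.Thumbprint
        KeyBits    = $bits
        Status     = $status
    }
}

# 1. The certificate WSUS signs locally published (CSI third-party) updates with.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
$signing = $wsus.GetConfiguration().GetSigningCertificate()
Write-Host "WSUS signing certificate on $env:COMPUTERNAME:"
Test-CertificateKeyLength -Certificate $signing -MinimumBits $MinimumKeyBits | Format-List

# 2. Copies already distributed to the local Trusted Publishers store (step 4 above);
#    an old 512-bit copy left here keeps the removed certificate trusted on this host.
Write-Host "Trusted Publishers store on $env:COMPUTERNAME:"
Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
    ForEach-Object { Test-CertificateKeyLength -Certificate $_ -MinimumBits $MinimumKeyBits } |
    Format-Table Subject, KeyBits, Status -AutoSize

# 3. Clients that already reject the old certificate log 0x80096004 (see above).
if (Test-Path $WindowsUpdateLog) {
    $hits = @(Select-String -Path $WindowsUpdateLog -Pattern '0x80096004' -SimpleMatch)
    Write-Host ("Occurrences of 0x80096004 in {0}: {1}" -f $WindowsUpdateLog, $hits.Count)
}
```

Run the Trusted Publishers and log checks on a sample of client machines as well, since step 4 distributes the certificate to every Windows Update Agent that must trust it.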

Stay Secure,

Secunia

© 2002-2014 Secunia ApS - Rued Langgaards Vej 8, 4th floor, DK-2300 Copenhagen, Denmark - +45 7020 5144