Certificate validation errors cause software update deployment to fail

Article ID: 164958

Products

Patch Management Solution

Issue/Introduction

Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted since it was signed. The authenticity and integrity of vendor-signed updates are verified during installation, so the certificates needed to validate those signatures must be present on each endpoint.

Software Updates may fail to install during the scheduled Software Update Cycle with errors.

Checking the Windows Compliance by Computer report (Console > Reports > All Reports > Software > Patch Management > Compliance) confirms that these updates are still Applicable & Vulnerable.

Checking the Software Update Policy used for deployment confirms that the policy and its advertisements are enabled.

Software Updates fail to install with status (5) and exit code -2146762486 (A certificate chain could not be built) as seen in the following log excerpt: 

AexPatchDeployment tool fails to install update with exit code 192 (The vendor patch file is either not signed, or the file signature fails the validation requested by the content provider) as seen in the following log excerpt:

Cause

The certificates required to validate Software Updates are not installed on the endpoints.

Environment

Patch Management 8.x

Resolution

The required certificates are listed in the article Certificate Listing required for Patch Management Solution.

Ensure the certificate store on the targeted client is current for the vendor or software being updated. To validate this, open the certificate used to sign the Software Update binaries in the package folder (default: C:\Program Files\Altiris\Altiris Agent\Agents\SoftwareManagement\Software Delivery\GUID\cache\): open the "Digital Signatures" tab in the file's properties dialog and check that every certificate in the chain validates successfully.

The "Certificate status:" field reports any problem with the certificate on that endpoint. Make sure it reads OK.

To install certificates from the Microsoft Root Certificate Program, work through the process outlined at http://support.microsoft.com/kb/931125. This covers most of the certificates used to sign Software Updates.

You can also install individual certificates manually. Export the certificate used to sign the Software Update file:
-    open the "Digital Signatures" tab of the file properties
-    open the certificate
-    open the "Details" tab of the certificate
-    use the "Copy to file…" button
Then use the certutil command line tool (https://technet.microsoft.com/en-us/library/cc732443(v=ws.11).aspx) to install the certificate on each endpoint.
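One way to script the signature check from the section above together with the export and certutil import just described, as an added example that is not from this article or from the product: it assumes Windows PowerShell 5.1 with the PKI module (Export-Certificate), the default agent cache path named above, and placeholder values for $ExportDir and the -Install switch.

```powershell
# Added example, not part of the article. For each update binary in the agent
# package cache, report the Authenticode status the "Digital Signatures" tab
# would show; where the chain fails only because the root is untrusted on this
# endpoint, export that root (same as "Copy to file...") and, if -Install is
# given, add it to the computer's Trusted Root store with certutil.
param(
    [string]$CachePath = 'C:\Program Files\Altiris\Altiris Agent\Agents\SoftwareManagement\Software Delivery',
    [string]$ExportDir = 'C:\Temp\PatchCerts',   # assumed: where exported .cer files go
    [switch]$Install                              # assumed: opt in to certutil -addstore
)

New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null

Get-ChildItem -Path $CachePath -Recurse -Include *.exe,*.msi,*.msp,*.cab -ErrorAction SilentlyContinue |
ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    $result = [pscustomobject]@{
        File   = $_.FullName
        Status = $sig.Status                 # Valid, NotSigned, UnknownError, ...
        Signer = $sig.SignerCertificate.Subject
        Issue  = ''
    }
    if ($sig.Status -ne 'Valid' -and $sig.SignerCertificate) {
        # Rebuild the chain to see why validation failed (for example UntrustedRoot,
        # which matches the "certificate chain could not be built" exit code above).
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $null = $chain.Build($sig.SignerCertificate)
        $result.Issue = ($chain.ChainStatus | ForEach-Object Status) -join ','
        if ($result.Issue -match 'UntrustedRoot') {
            # Last element is the root carried in the signature. Compare its thumbprint
            # with the Certificate Listing article before trusting it on endpoints.
            $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
            $cer  = Join-Path $ExportDir ("{0}.cer" -f $root.Thumbprint)
            Export-Certificate -Cert $root -FilePath $cer -Type CERT | Out-Null
            $result.Issue += " (exported $cer)"
            if ($Install) {
                # Equivalent of the MMC import into the Trusted Root store below
                certutil -addstore -f Root $cer | Out-Null
            }
        }
    }
    $result
}
```

Run it without -Install first and review the Status and Issue columns; only files whose sole problem is an untrusted root get a certificate exported.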

Alternatively, if you wish to install it manually on an endpoint, the following steps may be used:

Open the Certificates MMC

  1. Start > Run
  2. Type mmc
  3. Click File > Add/Remove Snap-in
  4. Select Certificates
  5. Select Computer Account and click Next
  6. Click Finish
  7. Click OK

To import a Trusted Root Certificate

  1. Expand Certificates Node
  2. Right-click Trusted Root Certificates > All Tasks > Import
  3. Click Next
  4. Browse to the certificate
  5. Click Next
  6. Click Finish
  7. Click OK

Additional Information

* When you download Windows updates and patches, a digital signature is bound to each update. If the Microsoft certificates are not installed correctly on the Notification Server, the updates will not have this digital signature bound to them.

  • Go to Program Files\Altiris\Patch Management\Packages\Updates\, open the update and check its properties.
