After some discussion on the SCCM email list about the best and most correct way to applying a Microsoft PKI to System Center Updates Publisher, it seems the post by Jason Lewis (Microsoft) may have a missed a couple crucial steps. Even after using this, some folks still had issues.
myITforum’er John Marcum ended up locating a better post that includes a couple additional steps than the Microsoft post. Here’s what John had to say…
Having followed the directions blogged by Jason Lewis on this page http://blogs.technet.com/b/jasonlewis/archive/2011/07/12/system-center-updates-publisher-signing-certificate-requirements-amp-step-by-step-guide.aspx I was unable to publish updates. I ran across this blog http://mikeshellenberger.wordpress.com/2010/09/02/system-center-updates-publisher-microsoft-pki/ which lists two steps not in Jason’s blog. Keep this in mind if you are changing your SCUP cert to get it to 2048.
7.) The next step is crucial and one that is not really documented other then a forum post that hints to this. Click on the Extensions tab, then highlight the Application Policies and click Edit.
8.) Remove all the Application Policies from the list. This is VERY IMPORTANT. SCUP will not publish the updates properly if you use a certificate that contains an Application Policy Extension. You will end up with the following error message in your UpdatesPublisher.log file: Exception occurred during publishing: Verification of file signature failed for file: This message stumped me for awhile and I tried multiple certificates until I found a forum post suggesting the Server Authentication application policy extension causes the issue.