Month: April 2011

CRL caching in Windows (and a little bit about OCSP caching too)

Posted on Updated on

A very dark topic for many people is CRL caching. It seems unimportant, too technical, not well documented and very difficult. Still, I think it’s important enough to embrace it and I hope you’ll see it’s a little bit easier than you probably think it is. In this article the focus is on Windows XP/Windows Server 2003 and upwards.

You can only understand the workings of CRL caching if you understand basic terms like a certificate, a PKI and a CRL. This article isn’t meant to explain everything about these terms (otherwise I’m actually writing a whole book), but I’m going to give a small introduction to CRLs nevertheless: many people have at least a decent idea about what a certificate or PKI is, but they start sweating from the point they hear terms like “CRL”. That’s why I’ll skip the theory about certificates and PKIs, but on the other hand introduce you to CRLs anyway. So if you don’t know what a certificate or PKI is, this article is above your head. If you do, don’t hesitate to continue, even if the abbreviation CRL doesn’t tell you a thing. After the CRL introduction, which should not be considered a full presentation of the subject, we’ll tackle the CRL caching itself. Be aware I’m only dealing with the X.509 certificate standard here, which is the normal and most common certificate standard abroad. Read the rest of this entry »


Download of an update via SCCM fails with "invalid certificate signature"

Posted on Updated on

When you use the Software Updates features of System Center Configuration Manager (SCCM) and you download one or more updates to a deployment package, it’s possible one or more of those updates failed to download with the error message “Invalid certificate signature”. This means the signature (which is based on a certificate, hence the name “certificate signature”) of the download is invalid.

This is possible because the signature itself is incorrect because the creator or publisher of the update has signed the update incorrectly. This way the source of the update (the creator/publisher) cannot be verified for sure.
Another possibility is the fact that something has changed to the actual content of the update without adapting the signature. This means the integrity of the update is broken, because perhaps some malicious user has changed something to the update!
A third possibility is perhaps the least technical one and perhaps the most forgotten one: something went wrong when downloading the file or storing the file. Perhaps the file stored at MS got just corrupt, or could not be downloaded completely, or got corrupt when stored locally. Causes of these are multiple: bugs in software, hardware problems,… So getting this error message (“”) doesn’t per se means the presence of a virus or a hacker. Read the rest of this entry »

SEP client install fails and rolls back

Posted on Updated on

When you try to install the Sympantec Endpoint Protection (SEP) client, it’s possible it rolls back after being confronted with an error. First everything seems to go smooth till you see the “Rolling back action” appear in the installer’s GUI. Aaargh… Of course the installer doesn’t tell us what exactly went wrong, so we have to find out ourselves. That’s exactly what happened to me. Here’s my story 🙂

First thing to do is checking for events in the Windows event logs. We’re lucky as the following event is logged in the Application event log of Windows: Read the rest of this entry »

RSoP and gpresult result in an access denied error

Posted on Updated on

If you try to run Resultant Set of Policy (RSoP) or gpresult and receives an access denied error, then don’t panic. If you get results for the user part, this means RSoP and gpresult seem to work correctly and you’re probably not an administrator, what explains why you don’t get machine results. If you don’t get any result though, this has probably nothing to do with permissions and then there is a chance this issue is caused by a DLL that’s not registered correctly (anymore) and/or a badly compiled MOF file (meaning RSoP and gpresult don’t work the way they should). First of all, here is a screenshot of the error in RSoP on a WS03 machine for the latter case (corrupt RSoP/gpresult):

Read the rest of this entry »