This document is meant to provide some basic information about how to re-sign updates that have been previously published to WSUS, but may need a new digital signature due to changing certificates.
If you change the certificate used for WSUS, the client systems will now accept any updates that are signed with the new digital certificates, but you may have older updates already published which are still signed with the previous digital signature. In this scenario, the updates will fail to deploy on the client systems as the client does not recognize the digital certificate.
The Shavlik Patch plugin currently does not have a feature to re-sign updates when publishing, however, this can be done via System Center Update Publisher (SCUP).
Here's how to do it:
1) In SCUP, ensure you have the latest .cabs from Shavlik imported. You can manually download the .cabs by loggin into https://protectcloud.shavlik.com/.
2) Select any updates you need to re-sign, then choose to Publish.
3) On the 'Publish Options' make sure to select 'Full Content', and make sure to check the box for 'Sign all software updates with a new publishing certificate when published software updates have not changed but their certificate has changed.'
4) Finish through the steps of publishing to complete the process.
Microsoft has a video on how to re-sign updates, here.
SCUP 2011 can be downloaded here.
Shavlik Patch for Microsoft System Center