SVM Patching Plugin Not Loading Correctly [Solved]

Summary

SVM Patching Plugin is installed with an elevated admin account but it fails to load when a web page is refreshed. It displays a '"An error occurred while loading the SVM Plugin" related to signature checksum.

Symptoms

SVM Patching Plugin is installed with an elevated admin account but it fails to load when a web page is refreshed. Internet Explorer displays '"An error occurred while loading the SVM Plugin" related to signature checksum failure.

Cause

This issue occurs because the root certificate of Thawte and Verisign are not installed or are not updated correctly on the local system. There could be some security settings on your system or in your browser settings that prevent the install/update of root certificates from these vendors. 

There could be something blocking the CRL check for these certs.

Steps To Reproduce

Under Patching/Configuration/WSUS/System Center (Disconnected) you get an error message saying "Digital signature could not be verified"

The option 'Configure Upstream Server' is disabled for configuration.

When you hover your mouse over the message "An error occurred while loading the SVM Plugin" additional information on the specific error shows:

Unable to verify checksum signature: 12029
Unable to verify checksum signature: 12038
Unable to verify checksum signature: 12045
Unable to verify checksum signature: 12057

Resolution

Replace with the correct ones, or install from scratch, the following certificates in the Trusted Root Certification Authority store (MMC/...Certificates/Computer Account)
Here are a few ways to do this:

1. You can download the certificates yourself from the vendors' websites or you can download the certs attached to this article.

Certificate Names (there might be more added, check CRL-related articles in the community too):

• Thawte Extended Validation SSL CA
• Thawte Primary Root CA
• VeriSign Class 3 Public Primary Certification Authority - G5
  • VeriSign
  • http://www.symantec.com/content/en/us/enterprise/verisign/roots/roots.zip
  • Generation 5 (G5) PCA should be imported to the trusted root certification authority
    • Thawte
    • https://www.thawte.com/roots/
    • Root 1 should be imported to the trusted root certification authority

2. You can export them from a computer certificates store where you have SVM loading the plugin.
3. You can request them from Flexera Customer Support Center.

Workaround

In the event you have a Proxy server which may be blocking the certificate validation requests of your clients, you may white-list the following entries:

• http://crl.verisign.com
• http://crl.thawte.com
• http://ws.symantec.com
• https://*.secunia.com
• See more...

This should be safe to do and it may release all Clients at once to perform CRL validation. This helps with CRL validation not only to load SVM's patching plugin, but it's also required for Agents connections and Daemon as well. This workaround is a prerequisite and it shall be considered in all cases.