WSUS 3.2 File cert verification failed

Lately my WSUS 3.2 (SP2) is stuck trying to download Windows 10 1607 en-us. The WSUS server downloads it and later throws it away (deletes the downloaded files), and the process repeats again and again.

These are the pertinent C:\Program Files\Update Services\LogFiles\SoftwareDistribution.log lines (date and times removed):

Info WsusService.3 CabUtilities.CheckCertificateSignature File cert verification failed for c:\Program Files\Update Services\autest.cab with 2147942402
Info WsusService.3 WsusTestKeys.AreTestKeysAllowed Server test key check: test keys are NOT allowed
Info WsusService.3 CabUtilities.CheckCertificateSignature File cert verification failed for c:\WSUS\WsusContent\19\1D6815948C51D2B9B09AC5A88833DAA875BE6719.esd with 2148204800
Warning WsusService.3 ContentSyncAgent.WakeUpWorkerThreadProc Invalid file deleted: c:\WSUS\WsusContent\19\1D6815948C51D2B9B09AC5A88833DAA875BE6719.esd
Info WsusService.3 ContentSyncAgent.Download Item: 41c6084d-5313-4e66-8a5e-47277c83d6c8 has been submitted to BITS for Download
Info WsusService.3 ContentSyncAgent.WakeUpWorkerThreadProc Processing Item: 25e280c4-040f-456e-a321-5b84a6e3f75a, State: 10
Info WsusService.3 CabUtilities.CheckCertificateSignature File cert verification failed for c:\WSUS\WsusContent\49\47ABC117B9D3DE907B4C72F5D30E2C377BCCD749.esd with 2148204800
Warning WsusService.3 ContentSyncAgent.WakeUpWorkerThreadProc Invalid file deleted: c:\WSUS\WsusContent\49\47ABC117B9D3DE907B4C72F5D30E2C377BCCD749.esd
Info WsusService.3 ContentSyncAgent.Download Item: 25e280c4-040f-456e-a321-5b84a6e3f75a has been submitted to BITS for Download
Info WsusService.3 ContentSyncAgent.WakeUpWorkerThreadProc ContentSyncAgent found no more Jobs, going to Sleep for BITS Notifications
Info WsusService.3 ContentSyncAgent.WakeUpWorkerThreadProc ContentSyncAgent found no more Jobs, going to Sleep for BITS Notifications

BITS job list:

C:\Program Files\Update Services\LogFiles>bitsadmin /list /allusers

BITSADMIN version 3.0 [ 7.5.7601 ]
BITS administration utility.
(C) Copyright 2000-2006 Microsoft Corp.

BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.

{2120E160-0B43-407E-BE5B-DDFA14ADBB92} '25e280c4-040f-456e-a321-5b84a6e3f75a' TRANSFERRING 0 / 1 2693150 / 2663509020
{6B8D4926-421D-4EF5-9F9A-B05E1268B882} '41c6084d-5313-4e66-8a5e-47277c83d6c8' QUEUED 0 / 1 3192011 / 2067666288
Listed 2 job(s).  

I have made a copy of the two files in question before they got deleted and tested SHA1 sums against their names. They are OK, no corruption:

root@chtclclserver:~# sha1sum /mnt/chtclcwsus/c/Users/administrator.CHTC/Desktop/*.esd
1d6815948c51d2b9b09ac5a88833daa875be6719  /mnt/chtclcwsus/c/Users/administrator.CHTC/Desktop/1D6815948C51D2B9B09AC5A88833DAA875BE6719.esd
47abc117b9d3de907b4c72f5d30e2c377bccd749  /mnt/chtclcwsus/c/Users/administrator.CHTC/Desktop/47ABC117B9D3DE907B4C72F5D30E2C377BCCD749.esd

It seems that it is a certificate related problem, but I can't find a solution. I updated manually the roots certs, but to no avail.

On http://social.technet.microsoft.com/wiki/contents/articles/4165.file-cert-verification-failure-error-message-on-wsus.aspx there is this list of potential root causes:

1. Certiticate chain issues:

   1. Current root certificate not installed.
   2. Local publishing certificate(s) not installed properly.

2. File issues

   1. Corruption (for any reason) of the file during transfer.
   2. File was corrupt on WSUS USS

1.1 -> I installed the latest rootsupd.exe manually...

1.2 -> I don't have any idea of what "Local publishing certificate(s)" are, how can I install them properly nor how they affect WSUS. At this moment only those two files, belonging to the same update are failing the cert check. the rest of the updates (several GBs) are not giving me trouble.

1.3 and 1.4 -> OK, SHA1 ok, as seen above.

Does anyone knows how to fix this?

No, it's not that. I have already done that before I posted the question. It seems WSUS 3.2 won't allow Upgrades, only WSUS 4 (Server 2012). I've found a couple of blog posts about it. I upgraded to WSUS 4 and it works now.