WSUS 3.2 File cert verification failed

Lately my WSUS 3.2 (SP2) is stuck trying to download Windows 10 1607 en-us. The WSUS server downloads it and later throws it away (deletes the downloaded files), and the process repeats again and again.

These are the pertinent C:\Program Files\Update Services\LogFiles\SoftwareDistribution.log lines (date and times removed):

Info WsusService.3 CabUtilities.CheckCertificateSignature File cert проверка не удалась для c: \ Program Files \ Update Services \ autest.cab с 2147942402
Информация WsusService.3 WsusTestKeys.AreTestKeysAllowed Тестовый ключ сервера проверьте: тестовые ключи НЕ допускаются
Информация WsusService.3 CabUtilities.CheckCertificateSignature Сертификат файла проверка не удалась для c: \ WSUS \ WsusContent \ 19 \ 1D6815948C51D2B9B09AC5A88833DAA875BE6719.esd с 2148204800
Предупреждение WsusService.3 ContentSyncAgent.WakeUpWorkerThreadProc Недопустимый файл удален: c: \ WSUS \ WsusContent \ 19 \ 1D6815948C51D2B9B09AC5A88833DAA875BE6719.esd
Информация WsusService.3 ContentSyncAgent.Download Элемент: 41c6084d-5313-4e66-8a5e-47277c83d6c8 был отправлен в BITS для Загрузить
Информация WsusService.3 ContentSyncAgent.WakeUpWorkerThreadProc Processing Пункт: 25e280c4-040f-456e-a321-5b84a6e3f75a, состояние: 10
Info WsusService.3 CabUtilities.CheckCertificateSignature File cert verification failed for c:\WSUS\WsusContent\49\47ABC117B9D3DE907B4C72F5D30E2C377BCCD749.esd with 2148204800
Warning WsusService.3 ContentSyncAgent.WakeUpWorkerThreadProc Invalid file deleted: c:\WSUS\WsusContent\49\47ABC117B9D3DE907B4C72F5D30E2C377BCCD749.esd
Info WsusService.3 ContentSyncAgent.Download Item: 25e280c4-040f-456e-a321-5b84a6e3f75a has been submitted to BITS for Download
Info WsusService.3 ContentSyncAgent.WakeUpWorkerThreadProc ContentSyncAgent found no more Jobs, going to Sleep for BITS Notifications
Info WsusService.3 ContentSyncAgent.WakeUpWorkerThreadProc ContentSyncAgent found no more Jobs, going to Sleep for BITS Notifications

BITS job list:

C:\Program Files\Update Services\LogFiles>bitsadmin /list /allusers

BITSADMIN version 3.0 [ 7.5.7601 ]
BITS administration utility.
(C) Copyright 2000-2006 Microsoft Corp.

BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.

{2120E160-0B43-407E-BE5B-DDFA14ADBB92} '25e280c4-040f-456e-a321-5b84a6e3f75a' TRANSFERRING 0 / 1 2693150 / 2663509020
{6B8D4926-421D-4EF5-9F9A-B05E1268B882} '41c6084d-5313-4e66-8a5e-47277c83d6c8' QUEUED 0 / 1 3192011 / 2067666288
Listed 2 job(s).  

I have made a copy of the two files in question before they got deleted and tested SHA1 sums against their names. They are OK, no corruption:

root@chtclclserver:~# sha1sum /mnt/chtclcwsus/c/Users/administrator.CHTC/Desktop/*.esd
1d6815948c51d2b9b09ac5a88833daa875be6719  /mnt/chtclcwsus/c/Users/administrator.CHTC/Desktop/1D6815948C51D2B9B09AC5A88833DAA875BE6719.esd
47abc117b9d3de907b4c72f5d30e2c377bccd749  /mnt/chtclcwsus/c/Users/administrator.CHTC/Desktop/47ABC117B9D3DE907B4C72F5D30E2C377BCCD749.esd

It seems that it is a certificate related problem, but I can't find a solution. I updated manually the roots certs, but to no avail.

On http://social.technet.microsoft.com/wiki/contents/articles/4165.file-cert-verification-failure-error-message-on-wsus.aspx there is this list of potential root causes:

1. Certiticate chain issues:

   1. Current root certificate not installed.
   2. Local publishing certificate(s) not installed properly.

2. File issues

   1. Corruption (for any reason) of the file during transfer.
   2. File was corrupt on WSUS USS

1.1 -> I installed the latest rootsupd.exe manually...

1.2 -> I don't have any idea of what "Local publishing certificate(s)" are, how can I install them properly nor how they affect WSUS. At this moment only those two files, belonging to the same update are failing the cert check. the rest of the updates (several GBs) are not giving me trouble.

1.3 and 1.4 -> OK, SHA1 ok, as seen above.

Does anyone knows how to fix this?