Kepware The Installer Was Unable To Find Required Root Certificates Exclusive

Troubleshooting the Kepware Error: "The installer was unable to find required root certificates"

If you are trying to install or update Kepware’s KEPServerEX and you’re hit with the error "The installer was unable to find required root certificates," you aren't alone. This is a common roadblock, especially on industrial PCs (IPCs) or servers that are kept offline for security reasons.

Why Is This Happening?

Modern software installers use digital signatures to prove they haven't been tampered with. Kepware uses certificates issued by authorities like DigiCert or Sectigo.

When you run the installer, Windows tries to verify these signatures. If your operating system is missing the specific "Root Certificates" needed to validate those signatures—and the computer cannot connect to the internet to download them automatically—the installer will abort to protect the system.

Solution 1: The "Quick Fix" (Internet Access)

If the machine can be temporarily connected to the internet:

  1. Connect the machine to the web.
  2. Run the Kepware installer again.

Windows will automatically reach out to the Microsoft Root Certificate Program in the background, download what it needs, and the error should vanish.

Solution 2: Manual Certificate Update (Offline Method)

Since many Kepware instances run on isolated OT (Operational Technology) networks, you likely need to move the certificates manually using a USB drive.

Step 1: Identify the Missing Certificate

Usually, the installer is looking for the DigiCert Trusted Root G4 or a similar modern root. You can check which one is missing by right-clicking the Kepware .exe file, selecting Properties > Digital Signatures > Details > View Certificate.

Step 2: Download the Roots from a Connected PC

On a computer with internet access:

  1. Go to the DigiCert Trusted Root Authority page.
  2. Download the DigiCert Trusted Root G4 (or the specific one identified in Step 1) in .crt or .der format.

Step 3: Install on the Offline Machine

  1. Move the file to the offline server.
  2. Double-click the certificate and click Install Certificate.
  3. Choose Local Machine.
  4. Crucial Step: Do not let Windows "Automatically select the certificate store." Instead, choose Place all certificates in the following store and browse to Trusted Root Certification Authorities.
  5. Finish the import and restart the Kepware installer.

Solution 3: Update via Windows Update (WSUS)

If your company uses a WSUS (Windows Server Update Services) server to manage updates:

Ensure that Root Certificate Updates are approved for your group of industrial computers.

Many admins disable these to "harden" the system, but it frequently breaks installers for signed drivers and industrial software.

Summary for Success

The "exclusive" nature of this error means the installer is strictly enforcing security. By manually placing the DigiCert or Sectigo roots into the Trusted Root Certification Authorities store, you satisfy the installer’s security check without needing to compromise your air-gapped network.

Are you running this on an older version of Windows like Server 2012 or Windows 7, which might require a specific KB update for code signing?

The error message "The Installer was unable to find required root certificates" typically occurs during the installation or upgrade of Kepware products (such as KEPServerEX) when the Windows operating system lacks the necessary digital signatures to verify the installer's authenticity. This is common on systems without internet connectivity, those where Windows Updates are disabled, or older versions like Windows 7.

Core Causes

Offline Systems: Windows cannot perform a "Root AutoUpdate" to fetch the latest certificates from Microsoft.

Restricted Group Policies: Policies may explicitly disable automatic root certificate updates via registry settings like DisableRootAutoUpdate.

Outdated OS: Systems like Windows 7 or unpatched versions of Windows Server 2016 often lack the modern GlobalSign, VeriSign, or Microsoft root certificates required by the Kepware bootstrap.

Primary Solutions

Apply Windows Updates: The most direct fix is to connect the machine to the internet and run all pending Windows Updates to automatically refresh the certificate store.

Manual Certificate Installation: If updates are not possible, you must manually import the missing root certificates into the Trusted Root Certification Authorities store for the Local Machine.

Check Registry Settings: Ensure that HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\DisableRootAutoUpdate is not set to 1.

Step-by-Step Manual Import Process

If you have obtained the required .cer or .crt files from PTC Support, follow these steps:

Using Certificate Manager:

  1. Open the Run dialog (Win + R), type certmgr.msc, and press Enter.
  2. Right-click Trusted Root Certification Authorities > All Tasks > Import.
  3. Select Local Machine as the store location.
  4. Browse for your certificate file and complete the wizard.

Using Command Line:

  1. Run the Command Prompt as an Administrator.
  2. Execute: certutil -addstore "Root" CERTIFICATE_FILE, where CERTIFICATE_FILE is the path to the certificate file.

Common Troubleshooting Scenarios

Scenario and recommended action:

  • Windows 7 Systems: Updates may no longer be available; contact support for a manual certificate package or request an older, compatible version of Kepware.
  • Bootstrap Log Errors: Check logs at C:\Program Files (x86)\Kepware\KEPServerEX\bootstrap.log. Look for error code 0x65B, which confirms missing GlobalSign or VeriSign roots.
  • OPC UA Trust Issues: If the installer finishes but connections fail, use the OPC UA Configuration Manager to swap and trust client/server certificates.

When running the KEPServerEX or PTC Kepware products installer, the error message "The Installer was unable to find required root certificates" typically occurs because the host operating system lacks up-to-date certificate authorities required to verify the installer's digital signature. This is common on legacy systems like Windows 7 or servers that have been offline and missed critical Windows Updates.

Core Reasons for Failure

Missing Trust Chain: The installer is signed by authorities such as GlobalSign, VeriSign, or Microsoft. If their root certificates are not in the "Trusted Root Certification Authorities" store, the system views the installer as untrusted.

Outdated OS: Systems that cannot reach Windows Update often lack the latest Certificate Revocation Lists (CRLs) and new root certificates.

Security Policies: Strict environment policies might prevent the automatic update of root certificates.

Solutions and Technical Steps

To resolve this, you can use the following methods:

Run Windows Update: The primary solution recommended by PTC is to apply all pending Windows Updates, which naturally refreshes the root certificate store.

Manual Certificate Installation: If the machine is offline, you must manually import the missing certificates.

Identify the missing certificate (e.g., GlobalSign or Microsoft) from the bootstrap.log file located in the Kepware installation directory.

Use the Microsoft Management Console (MMC) to add the Certificates snap-in for the Local Computer.

Import the required .cer files into the Trusted Root Certification Authorities folder.

Community & Support Guidance:

Discussions on the PTC Community suggest that while manual installation works for some, others may need to contact support for a specific "root certificate pack" if they are on an unsupported OS version.

Alternative perspectives on Google Groups indicate that in some stubborn cases, even manual imports fail, requiring a direct support ticket for a remote session.

Official documentation from PTC Support confirms that this is a known issue for version 6.x and higher when digital signatures cannot be verified.

This error typically occurs when your system lacks the updated root certificates required to verify the digital signature of the KEPServerEX installer. It is most common on machines without active internet access or those with disabled Windows Updates.

Fixed: Kepware "Installer was unable to find required root certificates"

If you are trying to install or upgrade KEPServerEX and hit the wall with a "Missing Root Certificates" error, you aren't alone. This safeguard ensures that the installer you are running is authentic and hasn't been tampered with.

Why this happens

Modern Kepware installers (v5.20 to v7.x) are digitally signed. During installation, Windows tries to verify this signature against a list of trusted Certificate Authorities (CAs), such as GlobalSign or VeriSign. If your OS cannot find these certificates—often because it hasn't received a Windows Update in a long time—the installer aborts in order to protect you from potentially untrusted software.

Step-by-Step Solutions

Method 1: The Quick Fix (Run Windows Update)

The simplest solution is to let Windows update itself.

  1. Go to Settings > Update & Security > Windows Update.
  2. Click Check for updates.
  3. Once the system is fully updated, restart your computer and try the Kepware installation again.

Method 2: Manual Certificate Import (For Offline Machines)

If your server is in an offline environment (OT network), you must manually import the required certificates. You will need to obtain the latest .cer files from a machine that does have internet access.

Open Certificate Manager: Press Win + R, type certmgr.msc, and hit Enter.

Locate the Store: Right-click Trusted Root Certification Authorities > All Tasks > Import.

Import the Root: Follow the wizard to import the missing certificates (typically GlobalSign or Microsoft Root CAs).

Repeat for "Third-Party Root CAs": Ensure the certificates are also present in the Third-Party Root Certification Authorities store.

Method 3: Verify the Installer Digital Signature

Before you spend time on certificates, make sure the installer file itself isn't corrupt:

  1. Right-click the .exe installer and select Properties.
  2. Go to the Digital Signatures tab.
  3. Select the signature and click Details.

If it says "This digital signature is OK," your system just needs the root certificates mentioned above. If it says it's invalid, download a fresh copy from the PTC Kepware website.

Pro-Tip for Industrial Environments

In many plants, Windows Update is permanently disabled to prevent unexpected reboots. To avoid this error in the future, include Root Certificate Updates as part of your standard server "hardening" or commissioning checklist before moving equipment to the production floor.

Are you seeing specific error codes like 0x65B in your bootstrap logs? Identifying the exact missing certificate can help speed up the manual import process.

This error typically occurs when the Kepware installer cannot verify the digital signatures of its own installation files because the host operating system is missing essential root certificates. This is common on systems that are offline or have not received recent Windows Updates.

Quick Fixes

Apply Windows Updates: The most direct solution is to run Windows Update on the machine. This automatically refreshes the Trusted Root Certification Authorities store.

Enable Automatic Root Updates: Ensure your system isn't blocking certificate updates:

Open regedit and navigate to: HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot. Ensure DisableRootAutoUpdate is set to 0.

Manual Certificate Installation: If the machine must remain offline, you can manually import the required certificates from a machine that has them:

Identify the missing certificate (often a VeriSign or DigiCert root used for code signing).

Right-click the certificate file and select Install Certificate.

Choose Local Machine and place it specifically in the Trusted Root Certification Authorities store.

Use Command Line (Admin): You can also use the certutil tool to add certificates:

  1. Run Command Prompt as Administrator.
  2. Execute: certutil -addstore "Root" CERTIFICATE_FILE, where CERTIFICATE_FILE is the path to the certificate file.

Troubleshooting

If the error persists after these steps, check the installation logs located at C:\Program Files (x86)\Kepware\KEPServerEX\bootstrap.log for specific certificate thumbprints that are failing. You may also find detailed guidance on the PTC Support Portal regarding this specific installer failure.


Conclusion: Dominate the Certificate Error

The error "The installer was unable to find required root certificates" is not a bug in Kepware but a reflection of Windows' evolving security model. As cyber-attacks on supply chains increase, code signing becomes more rigorous, and outdated Windows builds are left behind.

By following the methods in this guide—especially the manual import of root certificates for air-gapped networks—you can bypass this roadblock in minutes.

Final Checklist When You See This Error:

  • [ ] Is the system date/time correct?
  • [ ] Does the machine have internet? (If yes, run Windows Update).
  • [ ] Is TLS 1.2 enabled?
  • [ ] If air-gapped: Have you manually imported the DigiCert/Sectigo root CAs?

Solve the certificate problem, and you’ll be back to connecting your industrial devices in no time.


Need further assistance? Contact PTC Kepware support with the installer log file (located in %temp%/PTC_Kepware_Install.log).

Best Practices for Industrial Systems

To prevent this issue in the future, system administrators managing SCADA or HMI servers should:

  • Maintain a Patch Schedule: Even air-gapped systems should receive periodic Windows updates via WSUS servers or portable media to ensure security certificates remain valid.
  • Image Management: When deploying new machines, ensure the "Golden Image" includes the latest Windows updates and certificate stores to avoid legacy certificate issues.

Kepware: "The installer was unable to find required root certificates (exclusive)" — Diagnosis and Fixes

Summary

  • This error typically occurs when the Kepware installer (or a component it depends on) cannot locate or validate required root CA certificates during setup, often due to system certificate store issues, missing Windows updates, restricted network access, or policies that block certificate installation or lookup. Below are diagnostic steps, root causes, and corrective actions to resolve the problem.
  1. What the error means
  • During installation, Kepware validates digital signatures and TLS chains for components, drivers, or downloaded packages. If the installer cannot locate the expected root certificate(s) in the machine’s trusted root certificate store (or cannot access CRL/OCSP checks), it reports a failure such as “unable to find required root certificates (exclusive).” “Exclusive” indicates a strict requirement for a specific certificate chain (no fallback).
  2. Common root causes
  • Missing or corrupted trusted root certificates in Windows Certificate Store.
  • System blocked from contacting Microsoft/CA revocation/issuance endpoints (offline environment, proxy, or firewall).
  • Corporate Group Policy or endpoint security that removes or restricts access to the local machine Trusted Root Certification Authorities store.
  • Out-of-date Windows updates or missing Trusted Root Certificate Program updates.
  • Installer running without sufficient privileges to read the certificate store.
  • Custom or private CA used by Kepware components not pre-installed on the host.
  • Corrupted Windows Crypto services or certificate store permissions.
  3. Quick checks (run before deeper troubleshooting)
  • Confirm you’re running the installer as an administrator (right-click → Run as administrator).
  • Verify Windows date & time are correct.
  • Check Internet access from the machine (can you reach https://www.microsoft.com and common CA endpoints).
  • Temporarily disable (or test with) antivirus / endpoint protection that may block certificate operations.
  • Reboot and retry the install.
  4. Inspect certificate store and required certificates
  • Open certmgr.msc (Current User) and certlm.msc (Local Computer) to inspect trusted stores.
    • In certlm.msc → Trusted Root Certification Authorities → Certificates: verify typical Microsoft root CAs (e.g., “Microsoft Root Certificate Authority” entries) and major public CA roots (DigiCert, GlobalSign, Let’s Encrypt, etc.) are present.
  • If Kepware provided a specific certificate name in logs, search for that subject name in both Local Computer and Current User stores.
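
To see which root the installer actually chains to, instead of reading through the store by eye, the following added example (not PTC or Kepware code) builds the chain for both the code-signing and the timestamp certificate and reports which Local Machine stores hold each element. The `-InstallerPath` parameter and the `Show-CertChain` helper are names chosen for this example.

```powershell
# Added example, not vendor code. Run on the machine where the installer fails.
param(
    [Parameter(Mandatory)]
    [string]$InstallerPath   # assumed parameter: full path to the installer .exe
)

function Show-CertChain {
    param(
        [string]$Label,
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    if (-not $Certificate) {
        Write-Host "$Label : not present in the signature"
        return
    }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Skip CRL/OCSP lookups so the result reflects the local stores only.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($Certificate)
    Write-Host "== $Label : chain trusted = $trusted =="

    foreach ($element in $chain.ChainElements) {
        $cert = $element.Certificate
        # Root = Trusted Root CAs, AuthRoot = Third-Party Root CAs, CA = Intermediate CAs
        $stores = foreach ($name in 'Root', 'AuthRoot', 'CA') {
            if (Test-Path "Cert:\LocalMachine\$name\$($cert.Thumbprint)") { $name }
        }
        [pscustomobject]@{
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            FoundIn    = if ($stores) { $stores -join ', ' } else { '(no machine store)' }
        } | Format-List | Out-Host
    }

    # If the last element is not self-signed, its issuer is the certificate to obtain.
    $last = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if ($last.Subject -ne $last.Issuer) {
        Write-Host "Chain is incomplete. Missing issuer: $($last.Issuer)"
    }
    foreach ($status in $chain.ChainStatus) {
        Write-Host "Chain status: $($status.Status) - $($status.StatusInformation.Trim())"
    }
}

$sig = Get-AuthenticodeSignature -FilePath $InstallerPath
Write-Host "Signature status: $($sig.Status) - $($sig.StatusMessage)"
Show-CertChain -Label 'Code-signing certificate' -Certificate $sig.SignerCertificate
Show-CertChain -Label 'Timestamp certificate' -Certificate $sig.TimeStamperCertificate
```

The timestamp chain is checked separately because it can end in a different root from the code-signing chain, and either one being absent leaves the signature unverifiable.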
  5. Check installer logs (where to find them)
  • Locate Kepware installation logs (commonly in %TEMP% or in program-specific log paths). Look for entries mentioning certificate validation, missing thumbprint, or CN.
  • Note any specific root certificate thumbprint or subject the installer expects.
  6. Network and revocation checks
  • If machine cannot reach revocation endpoints, the installer may fail certificate validation.
    • Test: from the machine run PowerShell:
      • Test-NetConnection -ComputerName crl.globalsign.net -Port 80
      • Test-NetConnection -ComputerName ocsp.digicert.com -Port 80 (replace with CA endpoints from logs)
    • If blocked, allow outbound HTTP(S) to relevant CRL/OCSP/CA endpoints or configure proxy for the installer.
  7. Fixes and remediation steps

A. Restore/update Windows Trusted Root Certificate store

  • Ensure Windows Update service is enabled and up-to-date. Install latest Windows updates and the “Update for Root Certificates” if applicable.
  • Manually import missing root certificates:
    • Obtain the required root CA certificate (from vendor or CA website).
    • Open certlm.msc → Trusted Root Certification Authorities → Right-click → Import → follow wizard → place in Trusted Root Certification Authorities (Local Machine).
    • Re-run installer.
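
Anything placed in the Trusted Root store is trusted for every signature on the machine, so a file carried over on removable media should be checked before it is imported. The script below is an added example (not PTC or Kepware code) that compares the file's SHA-256 fingerprint with a value obtained separately from the CA's own listing, confirms that it is a self-signed root within its validity period, and only then adds it to the Local Machine store; the parameter names are assumptions of this example.

```powershell
#Requires -RunAsAdministrator
# Added example, not vendor code. Verifies a root certificate file before trusting it.
param(
    [Parameter(Mandatory)][string]$CertPath,        # assumed: .crt/.cer/.der file from removable media
    [Parameter(Mandatory)][string]$ExpectedSha256   # assumed: fingerprint copied from the CA's own listing
)

$fullPath = (Resolve-Path -LiteralPath $CertPath).ProviderPath
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $fullPath

# 1. Fingerprint check: hash the DER encoding and compare with the published value.
$sha256   = [System.Security.Cryptography.SHA256]::Create()
$actual   = [System.BitConverter]::ToString($sha256.ComputeHash($cert.RawData)) -replace '-', ''
$expected = ($ExpectedSha256 -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($actual -ne $expected) {
    throw "Fingerprint mismatch. File: $actual Expected: $expected. Nothing was imported."
}

# 2. Sanity checks: a root is self-signed and must be inside its validity period.
if ($cert.Subject -ne $cert.Issuer) {
    throw "Not a root certificate (issuer is $($cert.Issuer)). Nothing was imported."
}
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Outside validity period ($($cert.NotBefore) to $($cert.NotAfter)). Check the system clock as well."
}

# 3. Import only if it is not already trusted.
if (Test-Path "Cert:\LocalMachine\Root\$($cert.Thumbprint)") {
    Write-Host "Already present in Local Machine Trusted Root: $($cert.Subject)"
    return
}
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$store.Open('ReadWrite')
try { $store.Add($cert) } finally { $store.Close() }

Write-Host "Imported: $($cert.Subject)"
Write-Host "SHA-1 thumbprint (record this in the change log): $($cert.Thumbprint)"
```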

B. Fix permissions or Group Policy restrictions

  • Check Group Policy: Computer Configuration → Windows Settings → Security Settings → Public Key Policies → Trusted Root Certification Authorities.
  • If policies are removing or pointing to an alternative store, consult your AD admin to allow the required roots for the machine or to whitelist the installer’s operations.

C. Enable Windows Crypto services

  • Ensure the “Cryptographic Services” service is running (services.msc → Cryptographic Services → set to Automatic and Start).
  • Restart service after making changes.

D. Run installer with elevated privileges and logging

  • Right-click installer → Run as administrator.
  • Use verbose logging if supported (check product docs) and review certificate validation entries.

E. Workaround for offline/private CA environments

  • If the environment uses an internal CA, import the issuing and root CA certificates into the Local Computer Trusted Root and Intermediate Certification Authorities stores before installation.
  • If network isolation prevents revocation checks, import the needed certificates and consider temporarily allowing access to CA revocation endpoints during installation.

F. Reinstall or repair Windows Root Certificate Program

  • In extreme cases where system certificate store is corrupted, repairing Windows or reverting to a known-good image may be required. Contact system admin or Microsoft support.
  8. Specific items for Kepware/OPC scenarios
  • Kepware often uses signed drivers and TLS; ensure any OPC UA endpoints or Kepware-supplied components that expect a particular CA have that CA installed.
  • If using Kepware in managed/enterprise deployments, include required CA certificates in the deployment image or installer script.
  9. When to contact support
  • If logs show a specific root certificate thumbprint or certificate subject that you cannot locate or validate.
  • If policy or security blocks prevent changes to the certificate store.
  • If after importing the correct roots and enabling network access the installer still fails — collect installer log and certificate store exports and contact Kepware support with:
    • Installer log file
    • Exported certificate lists (from certlm.msc) of Trusted Root and Intermediate stores
    • Windows version and recent update status
  10. Minimal verification checklist to resolve the issue
  • [ ] Run installer as Administrator
  • [ ] Confirm correct system date/time
  • [ ] Cryptographic Services running
  • [ ] Required root CA(s) present in Local Machine → Trusted Root Certification Authorities
  • [ ] Outbound access to CA revocation/OCSP/CRL endpoints allowed or required certs imported for offline use
  • [ ] No Group Policy or endpoint protection blocking certificate access
  • [ ] Reboot and re-run installer; capture logs if failure persists
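
The host-side items of this checklist can be collected in one read-only pass. This is an added example (not PTC or Kepware code); it changes nothing on the system, and the two endpoint names are the ones used in the connectivity test above, to be replaced with the CA endpoints from your own logs.

```powershell
# Added example, not vendor code. Read-only pre-install checks; nothing is modified.
$results = @()

# Elevation: the installer and any store import need an administrative token.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
$results  += [pscustomobject]@{ Check = 'Running elevated'; Result = $isAdmin }

# Cryptographic Services (service name CryptSvc) must be running.
$svc      = Get-Service -Name CryptSvc
$results += [pscustomobject]@{ Check = 'Cryptographic Services'; Result = "$($svc.Status)" }

# Policy value named on this page: 1 blocks automatic root certificate updates.
$key      = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
$policy   = Get-ItemProperty -Path $key -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue
$value    = if ($policy) { $policy.DisableRootAutoUpdate } else { 'not set' }
$results += [pscustomobject]@{ Check = 'DisableRootAutoUpdate'; Result = $value }

# Clock: cannot be validated offline, so print it for comparison with a trusted source.
$utcNow   = (Get-Date).ToUniversalTime().ToString('u')
$results += [pscustomobject]@{ Check = 'System time (UTC)'; Result = $utcNow }

# Revocation endpoints: False is expected on an air-gapped host.
foreach ($endpoint in 'crl.globalsign.net', 'ocsp.digicert.com') {
    $reachable = Test-NetConnection -ComputerName $endpoint -Port 80 `
        -InformationLevel Quiet -WarningAction SilentlyContinue
    $results  += [pscustomobject]@{ Check = "TCP 80 to $endpoint"; Result = $reachable }
}

$results | Format-Table -AutoSize
```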


This error typically occurs when the Kepware installer cannot verify its own digital signature because the operating system is missing the latest Trusted Root Certificates. This is common on offline machines or systems where Windows Update is disabled.

🛠️ Immediate Fixes

Update Windows: Run Windows Update to automatically pull the latest certificate store from Microsoft.

Manual Install: If the machine is offline, you must manually import the required certificates (often GlobalSign or DigiCert roots).

Check Date/Time: Ensure the system clock and time zone are correct; incorrect dates cause certificate validation to fail.

📥 Step-by-Step Manual Import

If you cannot use Windows Update, follow these steps to manually trust the installer:

Extract the Certificate:

  1. Right-click the Kepware .exe installer.
  2. Select Properties > Digital Signatures.
  3. Select the signature in the list and click Details > View Certificate.

Install to Root Store:

The error message "The installer was unable to find required root certificates" typically occurs when the KEPServerEX installer cannot verify its digital signature because the target machine's operating system lacks updated certificate authorities (CAs). This is common on offline systems or older versions like Windows 7 and Server 2016.

Primary Resolutions

To resolve this, you must ensure the host machine trusts the certificates used by PTC Kepware.

Apply Windows Updates: The most direct fix is to connect the machine to the internet and run Windows Update to automatically refresh the local Trusted Root Certification Authorities store.

Manual Certificate Installation: If the machine is offline, you must manually install the required root certificates (such as those from GlobalSign or VeriSign).

Obtain the missing root certificates (typically .cer or .crt files) from a machine with internet access or via PTC Support.

Right-click the certificate file and select Install Certificate. Choose Local Machine as the store location.

Manually select Trusted Root Certification Authorities as the certificate store rather than letting Windows choose automatically.

Use Batch/Registry Files: For bulk deployments or specific environments, PTC and security vendors like Trellix provide .bat or .reg files that automate the import of necessary 2024/2025 root certificates.

Troubleshooting Specific Scenarios

Windows 7 / Server 2008 R2: These versions often lack the SHA-256 support needed for modern installers. Ensure the SHA-2 support update is installed.

Verification Check: You can verify if the installer is trusted by running certutil -hashfile INSTALLER_FILE SHA256 in a command prompt (INSTALLER_FILE being the path to the installer) and checking for errors related to the digital signature.

Support Ticket: If manual installation fails, PTC Kepware Support recommends opening a ticket through My Kepware to receive the specific certificate chain files required for your server version.

Are you working on an offline machine or an older operating system version?


Solution 1: Update Windows Root Certificates (The Online Method)

If your machine has temporary internet access, this is the simplest fix.

  1. Open Windows Update:

    • Navigate to Settings > Update & Security > Windows Update.
    • Click "Check for updates."
    • Install any pending updates, especially "Security and Critical" updates and "Update for Root Certificates" (often listed as KB931125 or KB2813430).
  2. Manual Root Certificate Update (For Windows 7/8/Server 2008):

    • Download the "Root Certificates Update" from Microsoft Catalog.
    • Run the installer (rootsupd.exe).
    • Reboot the machine.
  3. Retry Kepware Installation. The error should now be resolved.

1. Maintain a Private Root Certificate Store

For air-gapped industrial networks, create an internal Certificate Trust List (CTL). Regularly export the latest root certificates from a trusted online machine and deploy them via Group Policy.

Overview

When installing Kepware products (such as KEPServerEX, ThingWorx Kepware Server, or various drivers), users may occasionally encounter a blocking error message stating: "The installer was unable to find required root certificates."

This error typically halts the installation process immediately. It indicates that the Windows operating system on the target machine lacks the specific security certificates required to validate the digital signature of the Kepware installation files.

Method 3: The Silent Install Bypass (For Advanced Users)

If you cannot update certificates, you can attempt to bypass the certificate check using command-line installation. Note: This does not fix security; it merely suppresses the check.

  1. Open Command Prompt as Administrator.
  2. Navigate to the folder containing the Kepware installer (e.g., KEPServerEX_6.15.exe).
  3. Run the following command:
    KEPServerEX_6.15.exe /quiet /norestart
    
    Or use the generic installer switch:
    setup.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART
    

Warning: This method may fail if the installer has hard-coded certificate validation. It works primarily for older versions.