Kepware: "The Installer Was Unable To Find Required Root Certificates"

The error message "The installer was unable to find required root certificates" typically occurs when the KEPServerEX installer cannot verify its digital signature because the target machine's operating system lacks updated certificate authorities (CAs). This is common on offline systems or older versions like Windows 7 and Server 2016.

Primary Resolutions

To resolve this, you must ensure the host machine trusts the certificates used by PTC Kepware.

Apply Windows Updates: The most direct fix is to connect the machine to the internet and run Windows Update to automatically refresh the local Trusted Root Certification Authorities store.

Manual Certificate Installation: If the machine is offline, you must manually install the required root certificates (such as those from GlobalSign or VeriSign).

Obtain the missing root certificates (typically .cer or .crt files) from a machine with internet access or via PTC Support.

Right-click the certificate file and select Install Certificate. Choose Local Machine as the store location.

Manually select Trusted Root Certification Authorities as the certificate store rather than letting Windows choose automatically.

Use Batch/Registry Files: For bulk deployments or specific environments, PTC and security vendors like Trellix provide .bat or .reg files that automate the import of necessary 2024/2025 root certificates.

Troubleshooting Specific Scenarios

Windows 7 / Server 2008 R2: These versions often lack the SHA-256 support needed for modern installers. Ensure the SHA-2 support update is installed.

Verification Check: You can verify if the installer is trusted by running certutil -hashfile <installer-file> SHA256 in a command prompt and checking for errors related to the digital signature.

Support Ticket: If manual installation fails, PTC Kepware Support recommends opening a ticket through My Kepware to receive the specific certificate chain files required for your server version.

Troubleshooting the Kepware Error: "The installer was unable to find required root certificates"

If you are trying to install or update Kepware’s KEPServerEX and you’re hit with the error "The installer was unable to find required root certificates," you aren't alone. This is a common roadblock, especially on industrial PCs (IPCs) or servers that are kept offline for security reasons.

Why Is This Happening?

Modern software installers use digital signatures to prove they haven't been tampered with. Kepware uses certificates issued by authorities like DigiCert or Sectigo.

When you run the installer, Windows tries to verify these signatures. If your operating system is missing the specific "Root Certificates" needed to validate those signatures—and the computer cannot connect to the internet to download them automatically—the installer will abort to protect the system.

Solution 1: The "Quick Fix" (Internet Access)

If the machine can be temporarily connected to the internet:

  1. Connect the machine to the web.
  2. Run the Kepware installer again.

Windows will automatically reach out to the Microsoft Root Certificate Program in the background, download what it needs, and the error should vanish.

Solution 2: Manual Certificate Update (Offline Method)

Since many Kepware instances run on isolated OT (Operational Technology) networks, you likely need to move the certificates manually using a USB drive.

Step 1: Identify the Missing Certificate

Usually, the installer is looking for the DigiCert Trusted Root G4 or a similar modern root. You can check which one is missing by right-clicking the Kepware .exe file, selecting Properties > Digital Signatures > Details > View Certificate.

Step 2: Download the Roots from a Connected PC

On a computer with internet access:

  1. Go to the DigiCert Trusted Root Authority page.
  2. Download the DigiCert Trusted Root G4 (or the specific one identified in Step 1) in .crt or .der format.

Step 3: Install on the Offline Machine

  1. Move the file to the offline server.
  2. Double-click the certificate and click Install Certificate.
  3. Choose Local Machine.
  4. Crucial Step: Do not let Windows "Automatically select the certificate store." Instead, choose Place all certificates in the following store and browse to Trusted Root Certification Authorities.
  5. Finish the import and restart the Kepware installer.

Solution 3: Update via Windows Update (WSUS)

If your company uses a WSUS (Windows Server Update Services) server to manage updates:

Ensure that Root Certificate Updates are approved for your group of industrial computers.

Many admins disable these to "harden" the system, but it frequently breaks installers for signed drivers and industrial software.

Summary for Success

The "exclusive" nature of this error means the installer is strictly enforcing security. By manually placing the DigiCert or Sectigo roots into the Trusted Root Certification Authorities store, you satisfy the installer’s security check without needing to compromise your air-gapped network.
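The offline procedure from Solution 2, as an added PowerShell example (not PTC's tooling and not part of the original page): it checks the root certificate file against a thumbprint obtained out of band before importing it, then re-checks the installer's signature. The three parameters are placeholders you supply; an elevated session and PowerShell 3.0 or later are assumed.

```powershell
# Added example, not PTC's tooling. All three parameters are placeholders you supply.
param(
    [Parameter(Mandatory)] [string] $InstallerPath,      # KEPServerEX setup .exe
    [Parameter(Mandatory)] [string] $RootCertPath,       # root .cer/.crt carried over on removable media
    [Parameter(Mandatory)] [string] $ExpectedThumbprint  # thumbprint obtained out of band, e.g. from the CA's site
)

# 1. Record how Windows rates the installer's Authenticode signature right now.
$before = Get-AuthenticodeSignature -FilePath $InstallerPath
if (-not $before.SignerCertificate) { throw "No Authenticode signature on $InstallerPath" }
"Signer : $($before.SignerCertificate.Subject)"
"Before : $($before.Status) - $($before.StatusMessage)"

# 2. Load the candidate root and refuse anything other than the certificate you expected.
$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $RootCertPath
$want = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()   # drop spaces and pasted debris
if ($root.Thumbprint -ne $want)     { throw "Thumbprint mismatch: file has $($root.Thumbprint)" }
if ($root.Subject -ne $root.Issuer) { throw "Not a self-signed root: $($root.Subject)" }
if ($root.NotAfter -lt (Get-Date))  { throw "Root expired on $($root.NotAfter)" }

# 3. Import into the machine-wide Trusted Root store only if it is not already there.
$storePath = "Cert:\LocalMachine\Root\$($root.Thumbprint)"
if (Test-Path $storePath) {
    "Root already trusted: $($root.Subject)"
} else {
    certutil -addstore Root $RootCertPath | Out-Null   # the certutil command the page uses
    if ($LASTEXITCODE -ne 0) { throw "certutil -addstore failed with exit code $LASTEXITCODE" }
    "Imported: $($root.Subject)"
}

# 4. Re-check the installer. 'Valid' means the chain now ends in a trusted root.
$after = Get-AuthenticodeSignature -FilePath $InstallerPath
"After  : $($after.Status) - $($after.StatusMessage)"
if ($after.Status -ne 'Valid') { Write-Warning "Installer signature is still not trusted." }
```

A thumbprint mismatch stops the script before anything is written to the Trusted Root store, which is the point of carrying the expected value separately from the certificate file.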

This error typically occurs when the Kepware installer cannot verify the digital signatures of its own installation files because the host operating system is missing essential root certificates. This is common on systems that are offline or have not received recent Windows Updates.

Quick Fixes

Apply Windows Updates: The most direct solution is to run Windows Update on the machine. This automatically refreshes the Trusted Root Certification Authorities store.

Enable Automatic Root Updates: Ensure your system isn't blocking certificate updates:

Open regedit and navigate to: HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot. Ensure DisableRootAutoUpdate is set to 0.

Manual Certificate Installation: If the machine must remain offline, you can manually import the required certificates from a machine that has them:

Identify the missing certificate (often a VeriSign or DigiCert root used for code signing).

Right-click the certificate file and select Install Certificate.

Choose Local Machine and place it specifically in the Trusted Root Certification Authorities store.

Use Command Line (Admin): You can also use the certutil tool to add certificates: Run Command Prompt as Administrator. Execute: certutil -addstore "Root" <certificate-file>

Troubleshooting

If the error persists after these steps, check the installation logs located at C:\Program Files (x86)\Kepware\KEPServerEX\bootstrap.log for specific certificate thumbprints that are failing. You may also find detailed guidance on the PTC Support Portal regarding this specific installer failure.


Method 5: Full Reset of Windows Certificate Store

If the certificate store is corrupted, you must reset it.

  1. Open Command Prompt as Administrator.
  2. Run the following commands:
    certutil -repairstore my
    certutil -repairstore root
    certutil -repairstore ca
    
  3. Restart the PC.
  4. Re-run the Kepware installer.

Why is Windows missing the root certificate?

There are several primary causes:

| Cause | Explanation |
|-------|-------------|
| Outdated Windows Image | A fresh installation of Windows (especially older builds like 2012 R2, 2016, or LTSC editions) lacks recent root certificate updates. |
| Internet Restriction (Air-Gapped) | Kepware is often installed on industrial PCs or SCADA servers that are physically isolated from the internet. Automatic root certificate updates fail. |
| Group Policy (GPO) | Corporate security policies have disabled automatic root certificate updates or removed untrusted certificates. |
| Corrupt Certificate Store | The Windows certificate store is damaged. |
| Time/Date Mismatch | The system clock or timezone is drastically incorrect. Certificate validity depends on accurate time. |


Best Practices for Industrial Systems

To prevent this issue in the future, system administrators managing SCADA or HMI servers should:

3. Corrupted or Missing Certificate Store

In some cases, the Windows certificate store itself may be corrupted, or specific Group Policy Objects (GPOs) may be stripping out third-party root certificates, leaving the machine unable to trust commercial software vendors.


Steps to Resolve

  1. Connect to the Internet:

    • Ensure your computer is connected to the internet. Sometimes, simply being online allows the installer to download the required certificates.
  2. Check and Update Windows:

    • Make sure Windows is up to date. Go to Settings > Update & Security > Windows Update > Check for updates.
  3. Install Root Certificates Manually:

    • If connecting to the internet doesn't solve the issue, you might need to manually install the root certificates.
    • You can download the necessary root certificates from a trusted source. Microsoft and other software providers often include these in their updates or provide them through their websites.
  4. Temporarily Disable Certificate Verification (Not Recommended):

    • For testing or internal development environments, you might consider temporarily disabling the certificate verification (not recommended for production environments due to security risks).
  5. Obtain Certificates from Kepware/PackagedApps:

    • Visit the Kepware/PackagedApps website and look for any specific instructions or certificates provided for their installers.
  6. Use a Different Installer or Version:

    • If you're using a very old version of Kepware, consider updating to a newer version. Newer versions might handle certificate validation differently.

Step 5: Alternative – Bypass Certificate Check (Not Recommended for Production)

If you're in a test/air-gapped environment and must proceed:

Method: Use an older offline installer
Some legacy Kepware versions (pre-6.x) do not enforce online root certificate validation.

Method: Modify hosts file
Block the installer from reaching certificate validation endpoints:

127.0.0.1 crl.digicert.com
127.0.0.1 ocsp.digicert.com

Note: This is insecure and unsupported by Kepware.
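A read-only audit for the two settings this page names that weaken certificate checking, the DisableRootAutoUpdate policy value and hosts-file entries that redirect CRL/OCSP hosts; it is an added example, not Kepware's or Microsoft's code. It goes beyond the two hostnames above to any name starting with crl. or ocsp. (an assumption about typical naming) and assumes PowerShell 3.0 or later.

```powershell
# Added example: read-only audit, changes nothing on the host.
function Get-RootAutoUpdatePolicy {
    # Policy value named on this page; absent or 0 means automatic root updates are allowed.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
    $p = Get-ItemProperty -Path $key -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue
    $v = if ($p) { [int]$p.DisableRootAutoUpdate } else { 0 }
    [pscustomobject]@{ Value = $v; Finding = ($v -ne 0) }
}

function Find-RevocationHostOverride {
    param(
        [string] $HostsPath   = "$env:SystemRoot\System32\drivers\etc\hosts",
        [string] $NamePattern = '^(crl|ocsp)\d*\.'   # assumption: typical CRL/OCSP host prefixes
    )
    $n = 0
    foreach ($line in Get-Content -Path $HostsPath) {
        $n++
        # Strip comments, then split into address + one or more host names.
        $fields = @(($line -replace '#.*$', '').Trim() -split '\s+' | Where-Object { $_ })
        if ($fields.Count -lt 2) { continue }        # blank or comment-only line
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            if ($name -match $NamePattern) {
                [pscustomobject]@{ Line = $n; Address = $fields[0]; Name = $name }
            }
        }
    }
}

$policy = Get-RootAutoUpdatePolicy
"DisableRootAutoUpdate = $($policy.Value) (finding: $($policy.Finding))"

$hits = @(Find-RevocationHostOverride)
foreach ($h in $hits) { "hosts line $($h.Line): $($h.Name) -> $($h.Address)" }
if ($hits.Count -eq 0) { 'No CRL/OCSP overrides found in the hosts file.' }
```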