Kepware The Installer Was Unable To Find Required Root Certificates Exclusive 〈2024〉

When installing Kepware products (such as KEPServerEX, ThingWorx Kepware Server, or various drivers), users may occasionally encounter a blocking error message stating: "The installer was unable to find required root certificates."

This error typically halts the installation process immediately. It indicates that the Windows operating system on the target machine lacks the specific security certificates required to validate the digital signature of the Kepware installation files.

The most common missing certificates for Kepware are:

For air-gapped industrial networks, create a internal Certificate Trust List (CTL). Regularly export the latest root certificates from a trusted online machine and deploy them via Group Policy.

If your machine has temporary internet access, this is the simplest fix.

  • Manual Root Certificate Update (For Windows 7/8/Server 2008):

  • Retry Kepware Installation. The error should now be resolved.

    • We will approach this problem from the easiest (least intrusive) to the most comprehensive.

    Summary

  • If Kepware provided a specific certificate name in logs, search for that subject name in both Local Computer and Current User stores.
  • If blocked, allow outbound HTTP(S) to relevant CRL/OCSP/CA endpoints or configure proxy for the installer.

    • A. Restore/update Windows Trusted Root Certificate store

    B. Fix permissions or Group Policy restrictions

    C. Enable Windows Crypto services

    D. Run installer with elevated privileges and logging

    E. Workaround for offline/private CA environments

    F. Reinstall or repair Windows Root Certificate Program

    If you want, I can draft a PowerShell script to (1) check for presence of common root CAs, (2) test connectivity to common CRL/OCSP endpoints, and (3) import a provided root certificate into the Local Machine Trusted Root store.

    This error typically occurs when your system lacks the updated root certificates required to verify the digital signature of the KEPServerEX installer. It is most common on machines without active internet access or those with disabled Windows Updates. Retry Kepware Installation

    Fixed: Kepware "Installer was unable to find required root certificates"

    If you are trying to install or upgrade KEPServerEX and hit the wall with a "Missing Root Certificates" error, you aren't alone. This safeguard ensures that the installer you are running is authentic and hasn't been tampered with. Why this happens

    Modern Kepware installers (v5.20 to v7.x) are digitally signed. During installation, Windows tries to verify this signature against a list of trusted Certificate Authorities (CAs), such as GlobalSign or VeriSign. If your OS cannot find these certificates—often because it hasn't received a Windows Update in a long time—the installer fails to protect you from potentially untrusted software. Step-by-Step Solutions Method 1: The Quick Fix (Run Windows Update) The simplest solution is to let Windows update itself. Go to Settings > Update & Security > Windows Update. Click Check for updates.

    Once the system is fully updated, restart your computer and try the Kepware installation again. Method 2: Manual Certificate Import (For Offline Machines)

    If your server is in an offline environment (OT network), you must manually import the required certificates. You will need to obtain the latest .cer files from a machine that does have internet access.

    Open Certificate Manager: Press Win + R, type certmgr.msc, and hit Enter.

    Locate the Store: Right-click Trusted Root Certification Authorities > All Tasks > Import.

    Import the Root: Follow the wizard to import the missing certificates (typically GlobalSign or Microsoft Root CAs). If you want

    Repeat for "Third-Party Root CAs": Ensure the certificates are also present in the Third-Party Root Certification Authorities store. Method 3: Verify the Installer Digital Signature

    Before you spend time on certificates, make sure the installer file itself isn't corrupt: Right-click the .exe installer and select Properties. Go to the Digital Signatures tab. Select the signature and click Details.

    If it says "This digital signature is OK," your system just needs the root certificates mentioned above. If it says it's invalid, download a fresh copy from the PTC Kepware website. Pro-Tip for Industrial Environments

    In many plants, Windows Update is permanently disabled to prevent unexpected reboots. To avoid this error in the future, include Root Certificate Updates as part of your standard server "hardening" or commissioning checklist before moving equipment to the production floor.

    Are you seeing specific error codes like 0x65B in your bootstrap logs? Identifying the exact missing certificate can help speed up the manual import process.

    PTC (the parent company of Kepware) allows certain deployment flags for silent installations. You can attempt to bypass the root certificate requirement using the DISABLE_CERT_WRAPPER=1 property.

    Method: Open Command Prompt as Administrator and navigate to the folder containing the installer. Run:

    KEPServerEX.6.xx.xxx.x.exe DISABLE_CERT_WRAPPER=1 /quiet /norestart

    Warning: This bypasses signature validation. Only use this in a trusted, isolated network where you are certain the installer binary has not been tampered with. This is not recommended for production SCADA environments but can resolve the "exclusive" lock error in lab/test settings. E. Workaround for offline/private CA environments