Kepware The Installer Was Unable To Find: Required Root Certificates Exclusive
"The installer was unable to find required root certificates"
typically occurs when a Windows system lacks the updated root certificates needed to verify the Kepware installer's digital signature
. This is especially common on air-gapped systems or older versions of Windows Server (e.g., 2016) that haven't received recent Windows Updates Immediate Solutions
If the installer fails, follow these steps to resolve the trust issue: Apply Windows Updates
: The most direct fix is to run Windows Update on the machine to refresh the certificate store. Manual Certificate Installation
: For systems without internet access, you must manually install the required root certificates into the Trusted Root Certification Authorities
Obtain the missing root certificates (often from a machine that has them or via PTC support). Right-click the certificate file and select Install Certificate Local Machine as the store location. Manually select the Trusted Root Certification Authorities Check Firewall/Internet Connectivity
: Sometimes the installer tries to verify the certificate online; ensure a firewall isn't blocking access to certificate revocation lists (CRLs). Google Groups Advanced Troubleshooting
If standard installation fails, users have reported success with these alternative methods: Registry Imports
files provided by support to force-update the certificate registry keys directly. OPC UA Configuration Manager
: If the error occurs post-installation during connection, use the OPC UA Configuration Manager
to manually swap and trust certificates between the client and server. Support Ticket
: If manual installation of root certificates does not work, it is recommended to open a support ticket at My Kepware for a remote session. PTC Community direct download links
for the specific root certificates commonly required for these legacy Windows installations? Kepserverex Root Certificate - Google Groups
Find the log:
C:\Users\%USERNAME%\AppData\Local\Temp\Kepware_Install.log
Look for lines containing CERTIFICATE, ROOT CA, or TRUST.
The Technical Deep Dive
When you double-click the Kepware installer (e.g., KEPServerEX.6.14.200.0.exe), the following sequence occurs:
- Signature check: Windows checks the digital signature of the installer using the CryptoAPI (CAPI) or Cryptography API: Next Generation (CNG).
- Chain building: The installer queries the local machine’s
Rootcertificate store to build a trust chain back to a root CA (e.g., DigiCert, GlobalSign, or Microsoft’s own root). - Exclusive lock failure: The installer attempts to acquire exclusive access to a cryptographic handle to verify the chain. If a required intermediate or root certificate is missing, the system returns
CRYPT_E_NOT_FOUND. Kepware’s installer translates this into the user-friendly (or user-unfriendly) message regarding "required root certificates exclusive."
Critically, the installer does not download missing certificates automatically if the machine is offline or if Windows Update is disabled. This is a security feature—preventing automatic installation of untrusted certificates—but it becomes a roadblock for legitimate software.
Solution 3: Bypass Certificate Check via Command Line (Advanced)
PTC (the parent company of Kepware) allows certain deployment flags for silent installations. You can attempt to bypass the root certificate requirement using the DISABLE_CERT_WRAPPER=1 property.
Method: Open Command Prompt as Administrator and navigate to the folder containing the installer. Run:
KEPServerEX.6.xx.xxx.x.exe DISABLE_CERT_WRAPPER=1 /quiet /norestart
Warning: This bypasses signature validation. Only use this in a trusted, isolated network where you are certain the installer binary has not been tampered with. This is not recommended for production SCADA environments but can resolve the "exclusive" lock error in lab/test settings.
Troubleshooting Kepware Installation: "Unable to Find Required Root Certificates"
3. Corrupted or Missing Certificate Store
In some cases, the Windows certificate store itself may be corrupted, or specific Group Policy Objects (GPOs) may be stripping out third-party root certificates, leaving the machine unable to trust commercial software vendors.
Summary
The error "The installer was unable to find required root certificates exclusive" is a security check failure. It is resolved by ensuring the Windows Operating System trusts the digital signature of the Kepware installer. In most cases, running Windows Update resolves the issue immediately. For air-gapped systems, manually importing the root certificate from a trusted USB source is the standard industrial solution.
The error message "The installer was unable to find required root certificates" typically occurs during the installation or upgrade of PTC Kepware products when the Windows operating system lacks the necessary updated root certificates to verify the installer's digital signature. This is common on systems that are offline or have disabled Windows Updates, as they cannot automatically download new Certificate Revocation Lists (CRLs) or Trusted Root CAs. Primary Solutions
To resolve this issue, you must ensure the system can trust the certificates used by the Kepware installer.
Run Windows UpdateThe most straightforward fix is to connect the machine to the internet and run Windows Update. This allows the OS to automatically update its Trusted Root Certification Authorities store. "The installer was unable to find required root
Manual Certificate InstallationIf the server must remain offline or cannot be updated, you must manually install the required root certificates (often from issuers like GlobalSign or VeriSign):
Obtain the necessary root certificate files (.cer or .crt) from a machine with internet access or directly from the PTC Support Portal.
Right-click the certificate file and select Install Certificate.
In the Certificate Import Wizard, select Local Machine as the store location.
Manually choose the Trusted Root Certification Authorities store for the placement.
Check Bootstrap LogsIf the error persists, review the installation logs to identify which specific certificate is missing. You can find these at: C:\Program Files (x86)\Kepware\KEPServerEX\bootstrap.log
C:\Program Files (x86)\PTC\ThingWorxIndustrialConnectivity\bootstrap.logLook for entries like CheckRootCert, GlobalSign Failed to pinpoint the missing authority. Common Scenarios and Troubleshooting
Legacy Systems: Users on older operating systems like Windows 7 or Windows XP SP3 frequently encounter this because these versions no longer receive automatic certificate updates.
Self-Signed Certificates: If you are trying to connect via OPC UA after installation and see certificate errors, you may need to use the OPC UA Configuration Manager to manually trust the server's self-signed certificate.
Invalid Digital Signature: If you see errors about "invalid digital signatures" alongside the root certificate warning, it often indicates the installer cannot verify its own integrity because the chain of trust is broken at the root level.
If manual installation of GlobalSign or Microsoft root certificates does not work, it is recommended to open a support ticket with the Kepware team for specific offline certificate packages.
This error typically occurs when the Kepware installer cannot verify its own digital signature because the operating system is missing the latest Trusted Root Certificates. This is common on offline machines or systems where Windows Update is disabled. 🛠️ Immediate Fixes
Update Windows: Run Windows Update to automatically pull the latest certificate store from Microsoft.
Manual Install: If the machine is offline, you must manually import the required certificates (often GlobalSign or DigiCert roots).
Check Date/Time: Ensure the system clock and time zone are correct; incorrect dates cause certificate validation to fail. 📥 Step-by-Step Manual Import
If you cannot use Windows Update, follow these steps to manually trust the installer: Extract the Certificate: Right-click the Kepware .exe installer. Select Properties > Digital Signatures.
Select the signature in the list and click Details > View Certificate. Install to Root Store:
Troubleshooting the Kepware Error: "The installer was unable to find required root certificates"
If you are trying to install or update Kepware’s KEPServerEX and you’re hit with the error "The installer was unable to find required root certificates," you aren't alone. This is a common roadblock, especially on industrial PCs (IPCs) or servers that are kept offline for security reasons. Why Is This Happening?
Modern software installers use digital signatures to prove they haven't been tampered with. Kepware uses certificates issued by authorities like DigiCert or Sectigo.
When you run the installer, Windows tries to verify these signatures. If your operating system is missing the specific "Root Certificates" needed to validate those signatures—and the computer cannot connect to the internet to download them automatically—the installer will abort to protect the system. Solution 1: The "Quick Fix" (Internet Access)
If the machine can be temporarily connected to the internet: Connect the machine to the web. Run the Kepware installer again.
Windows will automatically reach out to the Microsoft Root Certificate Program in the background, download what it needs, and the error should vanish. Solution 2: Manual Certificate Update (Offline Method)
Since many Kepware instances run on isolated OT (Operational Technology) networks, you likely need to move the certificates manually using a USB drive. Step 1: Identify the Missing Certificate Look for lines containing CERTIFICATE , ROOT CA
Usually, the installer is looking for the DigiCert Trusted Root G4 or a similar modern root. You can check which one is missing by right-clicking the Kepware .exe file, selecting Properties > Digital Signatures > Details > View Certificate. Step 2: Download the Roots from a Connected PC On a computer with internet access: Go to the DigiCert Trusted Root Authority page.
Download the DigiCert Trusted Root G4 (or the specific one identified in Step 1) in .crt or .der format. Step 3: Install on the Offline Machine Move the file to the offline server. Double-click the certificate and click Install Certificate. Choose Local Machine.
Crucial Step: Do not let Windows "Automatically select the certificate store." Instead, choose Place all certificates in the following store and browse to Trusted Root Certification Authorities. Finish the import and restart the Kepware installer. Solution 3: Update via Windows Update (WSUS)
If your company uses a WSUS (Windows Server Update Services) server to manage updates:
Ensure that Root Certificate Updates are approved for your group of industrial computers.
Many admins disable these to "harden" the system, but it frequently breaks installers for signed drivers and industrial software. Summary for Success
The "exclusive" nature of this error means the installer is strictly enforcing security. By manually placing the DigiCert or Sectigo roots into the Trusted Root Certification Authorities store, you satisfy the installer’s security check without needing to compromise your air-gapped network.
Are you running this on an older version of Windows like Server 2012 or Windows 7, which might require a specific KB update for code signing?
Resolving the Kepware Installer "Missing Root Certificates" Error The error message
"The Installer was unable to find required root certificates" typically occurs during the installation or upgrade of KEPServerEX (versions 5.20.396.0 to 7.0) or ThingWorx Kepware Server
. This issue arises when the host operating system lacks the modern root certificates required to verify the digital signature of the installer. Primary Solutions Apply Windows Updates
: The most direct fix is to run Windows Update on the target machine. This allows the OS to automatically download and install the latest Trusted Root Certification Authorities Manual Certificate Installation
: If the machine is offline or cannot be updated, you must manually install the required certificates into the Local Machine Step-by-Step Manual Installation
If Windows Update is not an option, follow these steps to manually update your certificate store: Identify Missing Certificates : Common required root certificates include those from GlobalSign . Specific critical roots often include: GlobalSign Root CA - R3 DigiCert Trusted Root G4 Microsoft Code Verification Root Import via MMC , and press Enter. File > Add/Remove Snap-in Certificates Computer account (Local Computer). Navigate to Trusted Root Certification Authorities > Certificates Right-click, select All Tasks > Import , and browse to your downloaded certificate file. Ensure Correct Storage
: For certificates pushed via Group Policy, the installer may still fail to find them unless they are manually re-installed into the Physical Store (specifically the "Registry" location). Common Troubleshooting Blocks Firewall Interference
: Ensure no firewalls or security software (like Kaspersky) are blocking the installer from verifying signatures online. Bootstrap Logs
: If the error persists, check the installation logs (typically found at C:\Program Files (x86)\Kepware\KEPServerEX\bootstrap.log
) to identify exactly which certificate check is failing (e.g., error code
For further assistance, users are encouraged to open a support ticket via the My Kepware portal download links
for the missing GlobalSign or Microsoft root certificates to begin the manual import? Kepserverex Root Certificate - Google Groups
The error message "The installer was unable to find required root certificates" typically occurs when the KEPServerEX installer cannot verify its digital signature because the target machine's operating system lacks updated certificate authorities (CAs). This is common on offline systems or older versions like Windows 7 and Server 2016. Primary Resolutions
To resolve this, you must ensure the host machine trusts the certificates used by PTC Kepware.
Apply Windows Updates: The most direct fix is to connect the machine to the internet and run Windows Update to automatically refresh the local Trusted Root Certification Authorities store.
Manual Certificate Installation: If the machine is offline, you must manually install the required root certificates (such as those from GlobalSign or VeriSign). With this solution
Obtain the missing root certificates (typically .cer or .crt files) from a machine with internet access or via PTC Support.
Right-click the certificate file and select Install Certificate. Choose Local Machine as the store location.
Manually select Trusted Root Certification Authorities as the certificate store rather than letting Windows choose automatically.
Use Batch/Registry Files: For bulk deployments or specific environments, PTC and security vendors like Trellix provide .bat or .reg files that automate the import of necessary 2024/2025 root certificates. Troubleshooting Specific Scenarios
Windows 7 / Server 2008 R2: These versions often lack the SHA-256 support needed for modern installers. Ensure the SHA-2 support update is installed.
Verification Check: You can verify if the installer is trusted by running certutil -hashfile in a command prompt and checking for errors related to the digital signature.
Support Ticket: If manual installation fails, PTC Kepware Support recommends opening a ticket through My Kepware to receive the specific certificate chain files required for your server version.
Are you working on an offline machine or an older operating system version?
The "Installer was unable to find required root certificates" error in Kepware occurs primarily on offline systems due to missing root certificate authorities, which prevents digital signature verification. Resolving this issue involves manually importing the necessary DigiCert or GlobalSign root certificates into the Windows Trusted Root store using the For more details, visit PTC Support
The Frustrating Encounter with Kepware
It was a typical Monday morning for John, a controls engineer at a manufacturing plant. He had to install Kepware, a software solution for industrial automation, on his computer to connect to the plant's machinery. John had done this before, but this time, something was off.
As he ran the installer, a error message popped up: "The installer was unable to find required root certificates." John was puzzled. He had checked the software requirements and ensured that his computer met all the necessary specifications. He tried running the installer again, but the error persisted.
John scratched his head, wondering what could be causing this issue. He checked the internet for solutions, but none of the forums or support pages seemed to have an answer. He even tried contacting Kepware's support team, but they were slow to respond.
As the day went on, John's frustration grew. He had to get this software installed to do his job, but it seemed like the installer was blocking him at every turn. He tried to troubleshoot the issue, checking the Windows registry, certificate stores, and even the system time (which he had heard could cause issues with certificate validation).
Still, nothing seemed to work. The installer simply couldn't find the required root certificates. John was about to give up when he stumbled upon a peculiar solution.
The Elusive Solution
While digging through the Kepware support forums, John found a post from a user who had encountered a similar issue. The user had mentioned that the problem was caused by a missing root certificate, specifically the "DigiCert Global Root CA" certificate.
John remembered that his company had recently changed its certificate authority, and maybe this certificate was no longer trusted. He decided to try importing the DigiCert Global Root CA certificate into his system's trusted root certificate store.
To his surprise, this worked! The installer suddenly found the required root certificates, and Kepware installed successfully. John breathed a sigh of relief, feeling a mix of relief and accomplishment.
The Exclusive Resolution
John realized that the issue was not with the Kepware software itself but with the certificate configuration on his system. He documented the solution, hoping that it would help others who might face the same problem.
The exclusive resolution was simple:
- Download the DigiCert Global Root CA certificate from the DigiCert website.
- Open the Microsoft Management Console (MMC) and navigate to the Certificates (Local Computer) snap-in.
- Right-click on the "Trusted Root Certification Authorities" store and select "All Tasks" > "Import..."
- Follow the Certificate Import Wizard to import the DigiCert Global Root CA certificate.
With this solution, John's Kepware installation was up and running, and he could finally connect to the plant's machinery. He made sure to share his findings with his colleagues, ensuring that they wouldn't face the same frustrating issue in the future.
From then on, John was more cautious when installing software, always on the lookout for potential certificate issues that might arise. The experience had taught him the importance of root certificates and the need for thorough troubleshooting.
