Kepware The Installer Was Unable To Find Required Root Certificates Exclusive
If Kepware tells you which certificate is missing (check the installer log), import it manually.
An incorrect system date can break certificate validation.
In the interconnected world of industrial automation, Kepware stands as a ubiquitous bridge, translating disparate device protocols into a unified language for supervisory control and data acquisition (SCADA) systems. However, even the most robust software is susceptible to the invisible infrastructure of modern cybersecurity: digital certificates. A technician encountering the error message—“The installer was unable to find required root certificates exclusive”—has stumbled upon a silent, fundamental breakdown in trust. This error is not a mere glitch but a symptom of a missing link in the chain of cryptographic authentication, one that prevents Kepware from verifying its own integrity or communicating over secure channels. Understanding this error requires delving into the purpose of root certificates, the heightened security of contemporary Windows environments, and the specific conditions under which Kepware’s installer fails to locate them.
At its core, a root certificate is the ultimate anchor of trust in the public key infrastructure (PKI). Issued by a trusted Certificate Authority (CA) such as DigiCert, GlobalSign, or Let’s Encrypt, the root certificate is self-signed and stored in a protected “Trusted Root Certification Authorities” store within the operating system. When Kepware—or any modern application—attempts to establish a secure HTTPS connection for licensing, updates, or IoT Gateway communication, it checks the server’s certificate against this local root store. If the chain of trust leads back to a missing or untrusted root, the connection fails. The word “exclusive” in the error message is particularly telling: it implies that the installer is looking for a specific, non-generic root certificate, likely tied to Kepware’s code-signing or a proprietary communication component (such as the ThingWorx or IoT Gateway add-on). Without that precise root, the installer refuses to proceed, prioritizing security over functionality.
Why would such a root certificate be absent on a functional Windows machine? The answer lies in the evolution of operating systems and the fragmentation of industrial PC environments. Many factory-floor PCs run on legacy versions of Windows (7, Embedded Standard, or early Windows 10 builds) that have outdated or manually curated root certificate stores. Unlike consumer PCs that receive automatic updates via Windows Update, industrial PCs are often air-gapped or locked down to maintain stability, meaning they never receive the automatic root certificate updates released monthly by Microsoft. Consequently, when a newer Kepware installer—built and signed using a CA that came into prominence after the OS’s last update—runs on such a machine, the OS’s root store has no record of that CA. The installer queries the system, receives a “not found” response, and halts with the cryptic root certificate error.
Resolving the “exclusive root certificate” failure is a lesson in bridging security silos. The immediate fix involves manually updating the Windows root certificate store. On an online machine, simply running Windows Update or installing the “Update for Root Certificates” (KB931125) often suffices. For air-gapped systems, an administrator must export the required root certificate from an internet-connected machine (by examining the digital signature of the Kepware executable or its installer) and then import it into the offline machine’s Trusted Root store using the Microsoft Management Console (MMC) Certificates snap-in. A more subtle solution involves temporarily disabling certain antivirus or application control software that intercepts certificate validation. Some hardened security suites inject their own roots or block access to the default Windows store, causing the Kepware installer to see an empty or altered store. Ultimately, the error forces a choice: relax restrictive security policies just enough to allow the legitimate root, or accept that modern industrial software requires periodic trust maintenance.
In conclusion, the Kepware error “unable to find required root certificates exclusive” is far more than a nuisance message—it is a reflection of the tension between industrial longevity and modern cryptographic trust models. It reminds us that software installation is not merely a file-copying operation but a ritual of mutual authentication between publisher, operating system, and user. As Industry 4.0 pushes even legacy plants toward secure, encrypted communication, errors like this will become increasingly common. The solution lies not in bypassing security but in understanding it: ensuring that the invisible roots of digital trust are as well-maintained as the visible cables and controllers on the factory floor. Only then can Kepware—and the automation it enables—operate with both reliability and integrity.
The error message "The installer was unable to find required root certificates" typically occurs when the KEPServerEX installer cannot verify its digital signature because the target machine's operating system lacks updated certificate authorities (CAs). This is common on offline systems or older versions like Windows 7 and Server 2016.
Primary Resolutions
To resolve this, you must ensure the host machine trusts the certificates used by PTC Kepware.
Apply Windows Updates: The most direct fix is to connect the machine to the internet and run Windows Update to automatically refresh the local Trusted Root Certification Authorities store.
Manual Certificate Installation: If the machine is offline, you must manually install the required root certificates (such as those from GlobalSign or VeriSign).
Obtain the missing root certificates (typically .cer or .crt files) from a machine with internet access or via PTC Support.
Right-click the certificate file and select Install Certificate. Choose Local Machine as the store location.
Manually select Trusted Root Certification Authorities as the certificate store rather than letting Windows choose automatically.
Use Batch/Registry Files: For bulk deployments or specific environments, PTC and security vendors like Trellix provide .bat or .reg files that automate the import of necessary 2024/2025 root certificates.
Troubleshooting Specific Scenarios
Windows 7 / Server 2008 R2: These versions often lack the SHA-256 support needed for modern installers. Ensure the SHA-2 support update is installed.
Verification Check: You can verify if the installer is trusted by running certutil -hashfile in a command prompt and checking for errors related to the digital signature.
Support Ticket: If manual installation fails, PTC Kepware Support recommends opening a ticket through My Kepware to receive the specific certificate chain files required for your server version.
This error occurs when the Kepware installer cannot verify the digital signature of its setup files because the required Root Certificate Authorities (CAs) are missing or outdated on your Windows system. This is common on offline machines or older operating systems like Windows 7 that haven't received recent security updates.
Immediate Solutions
Run Windows Update: The simplest fix is to connect the machine to the internet and run Windows Update. This automatically refreshes the Trusted Root Certification Authorities store.
Manual Certificate Installation: If the machine must remain offline, you can manually install the missing certificates (typically from GlobalSign, VeriSign, or Microsoft).
Obtain the required .cer or .crt files from a machine with internet access or the PTC Support Portal.
Right-click the certificate file and select Install Certificate. Choose Local Machine as the store location.
Manually select the Trusted Root Certification Authorities store rather than letting Windows choose automatically. Complete the wizard and restart the Kepware installer.
Alternative Command Line Method
You can also use the Windows certutil tool to force the installation of a certificate via the Command Prompt (Run as Administrator): certutil -addstore "Root" <path-to-certificate-file>
Why This Happens
Newer versions of KEPServerEX (v6.7 and later) use advanced code-signing certificates to ensure the software hasn't been tampered with. If your system's "trusted list" doesn't recognize the authority that signed the Kepware installer, Windows blocks the process to protect the system.
For further assistance, you can refer to the official PTC Kepware Support Article CS292168 or open a ticket at My Kepware if manual installation fails.
After applying the solution:
If your Kepware server has internet access (or temporary access), this is the simplest fix.
Why this works: Windows Update periodically downloads the latest list of trusted root CAs from Microsoft.
This error is most common in the following scenarios:
The error "The installer was unable to find required root certificates" is not a bug in Kepware but a reflection of Windows' evolving security model. As cyber-attacks on supply chains increase, code signing becomes more rigorous, and outdated Windows builds are left behind.
By following the methods in this guide—especially the manual import of root certificates for air-gapped networks—you can bypass this roadblock in minutes.
Final Checklist When You See This Error:
Solve the certificate problem, and you’ll be back to connecting your industrial devices in no time.
Need further assistance? Contact PTC Kepware support with the installer log file (located in %temp%/PTC_Kepware_Install.log).
The error message "The Installer was unable to find required root certificates" typically occurs during the installation or upgrade of Kepware products (such as KEPServerEX) when the Windows operating system lacks the necessary digital signatures to verify the installer's authenticity. This is common on systems without internet connectivity, those where Windows Updates are disabled, or older versions like Windows 7.
Core Causes
Offline Systems: Windows cannot perform a "Root AutoUpdate" to fetch the latest certificates from Microsoft.
Restricted Group Policies: Policies may explicitly disable automatic root certificate updates via registry settings like DisableRootAutoUpdate. After updating, restart the PC
Outdated OS: Systems like Windows 7 or unpatched versions of Windows Server 2016 often lack the modern GlobalSign, VeriSign, or Microsoft root certificates required by the Kepware bootstrap.
Primary Solutions
Apply Windows Updates: The most direct fix is to connect the machine to the internet and run all pending Windows Updates to automatically refresh the certificate store.
Manual Certificate Installation: If updates are not possible, you must manually import the missing root certificates into the Trusted Root Certification Authorities store for the Local Machine.
Check Registry Settings: Ensure that HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\DisableRootAutoUpdate is not set to 1.
Step-by-Step Manual Import Process
If you have obtained the required .cer or .crt files from PTC Support, follow these steps:
Using Certificate Manager:
Open the Run dialog (Win + R), type certmgr.msc, and press Enter.
Right-click Trusted Root Certification Authorities > All Tasks > Import.
Select Local Machine as the store location.
Browse for your certificate file and complete the wizard.
Using Command Line:
Run the Command Prompt as an Administrator.
Execute: certutil -addstore "Root" <path-to-certificate-file>
Common Troubleshooting Scenarios (Scenario: Recommended Action)
Windows 7 Systems: Updates may no longer be available; contact support for a manual certificate package or request an older, compatible version of Kepware.
Bootstrap Log Errors: Check logs at C:\Program Files (x86)\Kepware\KEPServerEX\bootstrap.log. Look for error code 0x65B, which confirms missing GlobalSign or VeriSign roots.
OPC UA Trust Issues: If the installer finishes but connections fail, use the OPC UA Configuration Manager to swap and trust client/server certificates.
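The checks described above (the DisableRootAutoUpdate policy value, the installer's signature status, and which root the machine lacks) can be run together before anything is imported. The PowerShell below is an added example, not PTC's or this page's own code; the default installer path is a hypothetical file name.

```powershell
# Added example: report why Windows does not trust an installer's signature.
# The default path is a hypothetical file name; pass your own setup file.
param([string]$InstallerPath = 'C:\Temp\KEPServerEX-setup.exe')

# 1. Policy check: a value of 1 stops Windows fetching missing roots itself.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
$pol = Get-ItemProperty -Path $key -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue
if ($pol -and $pol.DisableRootAutoUpdate -eq 1) {
    Write-Warning 'DisableRootAutoUpdate is 1: root auto-update is disabled.'
}

# 2. Authenticode verdict for the file as Windows sees it.
$sig = Get-AuthenticodeSignature -FilePath $InstallerPath
'Signature status: {0} ({1})' -f $sig.Status, $sig.StatusMessage

# 3. Walk the signer and timestamp chains without any network lookups.
function Show-Chain([string]$Label, $Cert) {
    if (-not $Cert) { "${Label}: no certificate present"; return }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline: skip CRL/OCSP
    [void]$chain.Build($Cert)
    $last = $null
    foreach ($el in $chain.ChainElements) {
        $last = $el.Certificate
        $flags = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
        if (-not $flags) { $flags = 'NoError' }
        '{0}: {1} [{2}] {3}' -f $Label, $last.Subject, $last.Thumbprint, $flags
    }
    if ($last.Subject -ne $last.Issuer) {
        # Chain stopped before a self-signed root: this issuer is what is missing.
        "${Label}: MISSING issuer -> $($last.Issuer)"
    } elseif (-not (Test-Path "Cert:\LocalMachine\Root\$($last.Thumbprint)")) {
        "${Label}: root [$($last.Thumbprint)] is not in LocalMachine\Root"
    } else {
        "${Label}: root is present in LocalMachine\Root"
    }
}
Show-Chain 'Signer'    $sig.SignerCertificate
Show-Chain 'Timestamp' $sig.TimeStamperCertificate
```

Before importing a root on an air-gapped host, compare the issuer name and thumbprint of the certificate file with the value the CA publishes, obtained through a separate channel. Anything placed in the Local Machine root store is trusted for every signature and TLS connection on that machine.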
If you're in a test/air-gapped environment and must proceed:
Method: Use an older offline installer
Some legacy Kepware versions (pre-6.x) do not enforce online root certificate validation.
Method: Modify hosts file
Block the installer from reaching certificate validation endpoints:
127.0.0.1 crl.digicert.com
127.0.0.1 ocsp.digicert.com
Note: This is insecure and unsupported by Kepware.