Kepware The Installer Was Unable To Find Required Root Certificates Exclusive May 2026
The error "kepware the installer was unable to find required root certificates exclusive" is not a bug in Kepware itself. It is a symptom of an outdated or misconfigured Windows certificate store. In an era of increasing cybersecurity standards (IEC 62443, NIST SP 800-53), root certificate validation is a mandatory security control.
By following the solutions in this guide—updating Windows root certificates, manually importing the missing CAs, or using advanced bypass switches—you will restore the ability to install Kepware on any industrial PC.
Quick Summary Checklist:
If you have followed all five solutions and still face the error, your Windows installation may have deeper corruption. Run sfc /scannow and DISM /Online /Cleanup-Image /RestoreHealth before contacting PTC Technical Support.
Remember: In the OT world, security and connectivity must coexist. Maintaining a healthy root certificate store is not just about installing Kepware—it is about ensuring the integrity of your entire industrial control system.
Keywords integrated: kepware the installer was unable to find required root certificates exclusive, Kepware installation error, root certificate missing, KEPServerEX installer fails, Windows cryptographic services, PTC Kepware troubleshooting.
This error occurs when the Kepware installer cannot verify the digital signature of its setup files because the required Root Certificate Authorities (CAs) are missing or outdated on your Windows system. This is common on offline machines or older operating systems like Windows 7 that haven't received recent security updates. Immediate Solutions
Run Windows Update: The simplest fix is to connect the machine to the internet and run Windows Update. This automatically refreshes the Trusted Root Certification Authorities store.
Manual Certificate Installation: If the machine must remain offline, you can manually install the missing certificates (typically from GlobalSign, VeriSign, or Microsoft).
Obtain the required .cer or .crt files from a machine with internet access or the PTC Support Portal.
Right-click the certificate file and select Install Certificate. Choose Local Machine as the store location.
Manually select the Trusted Root Certification Authorities store rather than letting Windows choose automatically. Complete the wizard and restart the Kepware installer. Alternative Command Line Method
You can also use the Windows certutil tool to force the installation of a certificate via the Command Prompt (Run as Administrator): certutil -addstore "Root" Why This Happens
Newer versions of KEPServerEX (v6.7 and later) use advanced code-signing certificates to ensure the software hasn't been tampered with. If your system's "trusted list" doesn't recognize the authority that signed the Kepware installer, Windows blocks the process to protect the system.
For further assistance, you can refer to the official PTC Kepware Support Article CS292168 or open a ticket at My Kepware if manual installation fails.
The error message "The installer was unable to find required root certificates" typically occurs during the installation or upgrade of PTC Kepware products when the Windows operating system lacks the necessary updated root certificates to verify the installer's digital signature. This is common on systems that are offline or have disabled Windows Updates, as they cannot automatically download new Certificate Revocation Lists (CRLs) or Trusted Root CAs. Primary Solutions The error "kepware the installer was unable to
To resolve this issue, you must ensure the system can trust the certificates used by the Kepware installer.
Run Windows UpdateThe most straightforward fix is to connect the machine to the internet and run Windows Update. This allows the OS to automatically update its Trusted Root Certification Authorities store.
Manual Certificate InstallationIf the server must remain offline or cannot be updated, you must manually install the required root certificates (often from issuers like GlobalSign or VeriSign):
Obtain the necessary root certificate files (.cer or .crt) from a machine with internet access or directly from the PTC Support Portal.
Right-click the certificate file and select Install Certificate.
In the Certificate Import Wizard, select Local Machine as the store location.
Manually choose the Trusted Root Certification Authorities store for the placement.
Check Bootstrap LogsIf the error persists, review the installation logs to identify which specific certificate is missing. You can find these at: C:\Program Files (x86)\Kepware\KEPServerEX\bootstrap.log
C:\Program Files (x86)\PTC\ThingWorxIndustrialConnectivity\bootstrap.logLook for entries like CheckRootCert, GlobalSign Failed to pinpoint the missing authority. Common Scenarios and Troubleshooting
Legacy Systems: Users on older operating systems like Windows 7 or Windows XP SP3 frequently encounter this because these versions no longer receive automatic certificate updates.
Self-Signed Certificates: If you are trying to connect via OPC UA after installation and see certificate errors, you may need to use the OPC UA Configuration Manager to manually trust the server's self-signed certificate.
Invalid Digital Signature: If you see errors about "invalid digital signatures" alongside the root certificate warning, it often indicates the installer cannot verify its own integrity because the chain of trust is broken at the root level.
If manual installation of GlobalSign or Microsoft root certificates does not work, it is recommended to open a support ticket with the Kepware team for specific offline certificate packages.
This error typically occurs when the Kepware installer cannot verify the digital signatures of its own installation files because the host operating system is missing essential root certificates. This is common on systems that are offline or have not received recent Windows Updates. Quick Fixes
Apply Windows Updates: The most direct solution is to run Windows Update on the machine. This automatically refreshes the Trusted Root Certification Authorities store. If you have followed all five solutions and
Enable Automatic Root Updates: Ensure your system isn't blocking certificate updates:
Open regedit and navigate to: HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot. Ensure DisableRootAutoUpdate is set to 0.
Manual Certificate Installation: If the machine must remain offline, you can manually import the required certificates from a machine that has them:
Identify the missing certificate (often a VeriSign or DigiCert root used for code signing).
Right-click the certificate file and select Install Certificate.
Choose Local Machine and place it specifically in the Trusted Root Certification Authorities store.
Use Command Line (Admin): You can also use the certutil tool to add certificates: Run Command Prompt as Administrator. Execute: certutil -addstore "Root" . Troubleshooting
If the error persists after these steps, check the installation logs located at C:\Program Files (x86)\Kepware\KEPServerEX\bootstrap.log for specific certificate thumbprints that are failing. You may also find detailed guidance on the PTC Support Portal regarding this specific installer failure. The Installer was unable to find required root certificates
The Kepware installer is not referring to user certificates or machine SSL certificates. Instead, it is checking for specific Microsoft-trusted root certificates required to verify the digital signature of Kepware’s own binaries and dependencies during installation.
In modern Windows environments (especially Windows 10/11, Server 2016/2019/2022), the installer attempts to validate:
If any certificate in the chain is missing or untrusted, the installer aborts to prevent execution of potentially tampered software.
If you're in a test/air-gapped environment and must proceed:
Method: Use an older offline installer
Some legacy Kepware versions (pre-6.x) do not enforce online root certificate validation.
Method: Modify hosts file
Block the installer from reaching certificate validation endpoints:
127.0.0.1 crl.digicert.com
127.0.0.1 ocsp.digicert.com
Note: This is insecure and unsupported by Kepware. Keywords integrated: kepware the installer was unable to
This error is most common in the following scenarios:
This error is a defensive security feature, not a bug. It ensures that Kepware components are properly signed and untampered. Attempting to bypass the check without updating the root store is strongly discouraged in production or regulated environments (NERC CIP, IEC 62443, FDA, etc.).
If the problem persists after trying the steps above, contact PTC Kepware support with the installer log – they can provide the exact thumbprint of the required root certificate for your product version.
The error message "The Installer was unable to find required root certificates" typically occurs during the installation or upgrade of Kepware products (such as KEPServerEX) when the Windows operating system lacks the necessary digital signatures to verify the installer's authenticity. This is common on systems without internet connectivity, those where Windows Updates are disabled, or older versions like Windows 7. Core Causes
Offline Systems: Windows cannot perform a "Root AutoUpdate" to fetch the latest certificates from Microsoft.
Restricted Group Policies: Policies may explicitly disable automatic root certificate updates via registry settings like DisableRootAutoUpdate.
Outdated OS: Systems like Windows 7 or unpatched versions of Windows Server 2016 often lack the modern GlobalSign, VeriSign, or Microsoft root certificates required by the Kepware bootstrap. Primary Solutions
Apply Windows Updates: The most direct fix is to connect the machine to the internet and run all pending Windows Updates to automatically refresh the certificate store.
Manual Certificate Installation: If updates are not possible, you must manually import the missing root certificates into the Trusted Root Certification Authorities store for the Local Machine.
Check Registry Settings: Ensure that HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\DisableRootAutoUpdate is not set to 1. Step-by-Step Manual Import Process
If you have obtained the required .cer or .crt files from PTC Support, follow these steps: Using Certificate Manager:
Open the Run dialog (Win + R), type certmgr.msc, and press Enter.
Right-click Trusted Root Certification Authorities > All Tasks > Import. Select Local Machine as the store location. Browse for your certificate file and complete the wizard. Using Command Line: Run the Command Prompt as an Administrator. Execute: certutil -addstore "Root" . Common Troubleshooting Scenarios Recommended Action Windows 7 Systems
Updates may no longer be available; contact support for a manual certificate package or request an older, compatible version of Kepware. Bootstrap Log Errors
Check logs at C:\Program Files (x86)\Kepware\KEPServerEX\bootstrap.log. Look for error code 0x65B, which confirms missing GlobalSign or VeriSign roots. OPC UA Trust Issues
If the installer finishes but connections fail, use the OPC UA Configuration Manager to swap and trust client/server certificates.
| Cause | Explanation | |-------|-------------| | Offline or air-gapped machine | The installer cannot contact Microsoft’s Certificate Trust List (CTL) or Windows Update to download missing roots. | | Stale or corrupted root certificate store | Previous software or security policies have removed or blocked default Microsoft roots. | | Highly restricted Group Policy | Certificate Auto-Enrollment or Trusted Root Certification Authorities policies prevent automatic root update. | | Outdated OS image | Base Windows image lacks recent root certificate updates (common in legacy templates). | | Third-party security software | AV or endpoint protection intercepts and blocks root certificate download. |