Kepware: The Installer Was Unable To Find Required Root Certificates

Technical Deep Dive: Resolving the "Kepware Installer Unable to Find Required Root Certificates" Error

When deploying Kepware industrial connectivity solutions (such as KEPServerEX), IT and automation engineers may encounter a specific, cryptic installation failure:

"The installer was unable to find required root certificates."

This error typically halts the installation process immediately, preventing any Kepware product from being installed. Below is a breakdown of why this happens and how to resolve it permanently.

What the Error Actually Means

The Kepware installer is not referring to user certificates or machine SSL certificates. Instead, it is checking for specific Microsoft-trusted root certificates required to verify the digital signature of Kepware’s own binaries and dependencies during installation. In modern Windows environments (especially Windows 10/11, Server 2016/2019/2022), the installer attempts to validate:

- Code-signing certificates – Used to sign Kepware.exe, DLLs, and drivers.
- Timestamping certificates – Used to verify that signatures were applied while the certificate was still valid.
- Intermediate CA certificates – The chain linking Kepware’s certificate to a trusted root.

If any certificate in the chain is missing or untrusted, the installer aborts to prevent execution of potentially tampered software.

Primary Causes

| Cause | Explanation |
|-------|-------------|
| Offline or air-gapped machine | The installer cannot contact Microsoft’s Certificate Trust List (CTL) or Windows Update to download missing roots. |
| Stale or corrupted root certificate store | Previous software or security policies have removed or blocked default Microsoft roots. |
| Highly restricted Group Policy | Certificate Auto-Enrollment or Trusted Root Certification Authorities policies prevent automatic root update. |
| Outdated OS image | Base Windows image lacks recent root certificate updates (common in legacy templates). |
| Third-party security software | AV or endpoint protection intercepts and blocks root certificate download. |

Step-by-Step Resolution

1. Manual Root Certificate Update (Most Common Fix)

On the affected machine, update the trusted root certificate list manually:

- Open Command Prompt as Administrator.
- Run:

      certutil -generateSSTFromWU roots.sst
      certutil -addstore Root roots.sst

This downloads the latest Microsoft root certificate bundle and imports it.
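To confirm whether the local store can now anchor the installer's signature, the following added example (not part of the original page and not Kepware tooling) lists every certificate in the signer and timestamp chains and reports which chain is still incomplete. It assumes the installer carries a standard Authenticode signature, as described above; `$InstallerPath` and the `Get-ChainReport` helper are hypothetical names.

```powershell
# Added example, not Kepware tooling. $InstallerPath is a placeholder.
param([string]$InstallerPath = '.\KepwareInstaller.exe')

function Get-ChainReport {
    param(
        [string]$Role,
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    if (-not $Cert) { return }   # unsigned file, or signature has no timestamp

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation and expiry are ignored so Build() is not failed by them;
    # the point here is whether the chain reaches a trusted root.
    $chain.ChainPolicy.RevocationMode    = 'NoCheck'
    $chain.ChainPolicy.VerificationFlags = 'IgnoreNotTimeValid'
    $trusted = $chain.Build($Cert)

    for ($i = 0; $i -lt $chain.ChainElements.Count; $i++) {
        $el = $chain.ChainElements[$i]
        $c  = $el.Certificate
        [pscustomobject]@{
            Role       = $Role
            Depth      = $i
            Subject    = $c.Subject
            Thumbprint = $c.Thumbprint
            NotAfter   = $c.NotAfter
            IsRoot     = ($c.Subject -eq $c.Issuer)   # self-issued
            Problems   = (@($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ', ')
            ChainOk    = $trusted
        }
    }
}

$sig = Get-AuthenticodeSignature -FilePath $InstallerPath
"Signature status: $($sig.Status) - $($sig.StatusMessage)"

$report = @(
    Get-ChainReport -Role 'Signer'    -Cert $sig.SignerCertificate
    Get-ChainReport -Role 'Timestamp' -Cert $sig.TimeStamperCertificate
)
$report | Format-List

# A chain with no IsRoot = True row, or with PartialChain / UntrustedRoot under
# Problems, is missing its root (or an intermediate) in the local store.
$report | Where-Object { -not $_.ChainOk } |
    Select-Object -Property Role -Unique |
    ForEach-Object { "Incomplete or untrusted chain for: $($_.Role)" }
```

Run on a machine where the installer works, the `IsRoot` rows give the thumbprints of the roots the target machine needs.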

2. Install Specific Missing Certificate

If the above fails, extract the exact required root:

- On an internet-connected machine, download the Kepware installer.
- Run the installer until it fails.
- Navigate to %temp% and locate the extracted installer logs (e.g., Kepware_Install.log).
- Look for a line like:

      Error: Missing root certificate – SHA1:  xx xx xx ...

- Use certmgr.msc on a working machine to export the matching root certificate.
- Transfer and import it on the target machine via:

      certutil -addstore Root "path\to\exported.cer"
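Adding a file to the machine's Root store makes it a trust anchor for everything on that node, so the transferred file should be checked against the hash from the log before import. The following is an added example, not part of the original page: it verifies the thumbprint and that the certificate is self-issued, then runs the same certutil import. `$CerPath` and `$ExpectedSha1` are placeholders to be filled in from your own export and log line.

```powershell
# Added example, not Kepware tooling. Both defaults are placeholders.
param(
    [string]$CerPath      = '.\exported.cer',
    [string]$ExpectedSha1 = 'PASTE-SHA1-FROM-INSTALLER-LOG'
)
$ErrorActionPreference = 'Stop'

# The log prints the hash as spaced byte pairs; the store uses 40 hex digits.
$expected = ($ExpectedSha1 -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($expected.Length -ne 40) { throw 'Expected SHA-1 must contain 40 hex digits.' }

$full = (Resolve-Path -LiteralPath $CerPath).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $full

# 1. The file must be the certificate the installer asked for.
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: file is $($cert.Thumbprint), expected $expected."
}
# 2. Only self-issued certificates belong in Root; an intermediate does not.
if ($cert.Subject -ne $cert.Issuer) {
    throw "Not a root certificate (issuer: $($cert.Issuer)). Do not add it to Root."
}
# 3. Expiry is reported, not enforced: timestamped signatures can still
#    chain to a root that has since expired.
if ($cert.NotAfter -lt (Get-Date)) {
    Write-Warning "Certificate expired on $($cert.NotAfter)."
}

# Skip the import if the machine already trusts this root.
if (Test-Path -LiteralPath "Cert:\LocalMachine\Root\$($cert.Thumbprint)") {
    "Already trusted: $($cert.Subject)"
    return
}

# Same import command as in the step above; requires an elevated prompt.
certutil -addstore Root $full
if ($LASTEXITCODE -ne 0) { throw "certutil failed with exit code $LASTEXITCODE." }

# Emit a record suitable for a change log.
[pscustomobject]@{
    Imported   = $cert.Subject
    Thumbprint = $cert.Thumbprint
    NotAfter   = $cert.NotAfter
    Source     = $full
}
```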

3. Bypass (Not Recommended – Only for Trusted Internal Networks)

For legacy systems where security validation is not critical, you can disable root certificate verification using a command-line switch (if supported by the Kepware installer version):

    KepwareInstaller.exe /SkipRootCheck

Note: This switch is not officially documented for all versions and should be used only in isolated, trusted OT environments.

4. Permanent Prevention in Industrial Environments

For organizations deploying multiple Kepware instances (e.g., across SCADA nodes):
