Kepware The Installer Was Unable To Find Required Root Certificates Exclusive Guide

To fix the problem, you must understand the root cause. In modern Windows environments, software vendors digitally sign their installers and executables using code-signing certificates. These certificates are issued by trusted Certificate Authorities (CAs) like DigiCert, GlobalSign, or Sectigo.

If your computer is in an air-gapped environment and cannot connect to Windows Update, you can manually update the certificate trust list (CTL). This is the most technical but essential method for offline industrial systems.

: If the machine must remain offline, you can manually import the required certificates from a machine that has them:

In the interconnected world of industrial automation, Kepware stands as a ubiquitous bridge, translating disparate device protocols into a unified language for supervisory control and data acquisition (SCADA) systems. However, even the most robust software is susceptible to the invisible infrastructure of modern cybersecurity: digital certificates. A technician encountering the error message—“The installer was unable to find required root certificates exclusive”—has stumbled upon a silent, fundamental breakdown in trust. This error is not a mere glitch but a symptom of a missing link in the chain of cryptographic authentication, one that prevents Kepware from verifying its own integrity or communicating over secure channels. Understanding this error requires delving into the purpose of root certificates, the heightened security of contemporary Windows environments, and the specific conditions under which Kepware’s installer fails to locate them. To fix the problem, you must understand the root cause

Method 1: Apply Windows Updates (Best for Connected Systems)

) to identify exactly which certificate check is failing (e.g., error code

: You can verify if the installer is trusted by running certutil -hashfile SHA256 in a command prompt and checking for errors related to the digital signature. If your computer is in an air-gapped environment

The "exclusive" nature of this error means the installer is strictly enforcing security. By manually placing the or Sectigo roots into the Trusted Root Certification Authorities store, you satisfy the installer’s security check without needing to compromise your air-gapped network.

Locate the policy: .

Depending on your security posture, there are two main approaches: updating Windows or manually installing the missing certificates. However, even the most robust software is susceptible

Why would such a root certificate be absent on a functional Windows machine? The answer lies in the evolution of operating systems and the fragmentation of industrial PC environments. Many factory-floor PCs run on legacy versions of Windows (7, Embedded Standard, or early Windows 10 builds) that have outdated or manually curated root certificate stores. Unlike consumer PCs that receive automatic updates via Windows Update, industrial PCs are often air-gapped or locked down to maintain stability, meaning they never receive the automatic root certificate updates released monthly by Microsoft. Consequently, when a newer Kepware installer—built and signed using a CA that came into prominence after the OS’s last update—runs on such a machine, the OS’s root store has no record of that CA. The installer queries the system, receives a “not found” response, and halts with the cryptic root certificate error.

: Systems that cannot reach Windows Update often lack the latest Certificate Revocation Lists (CRLs) and new root certificates.

The "Installer was unable to find required root certificates" error in Kepware occurs primarily on offline systems due to missing root certificate authorities, which prevents digital signature verification. Resolving this issue involves manually importing the necessary DigiCert or GlobalSign root certificates into the Windows Trusted Root store using the For more details, visit PTC Support

"The Installer was unable to find required root certificates" typically occurs during the installation or upgrade of KEPServerEX (versions 5.20.396.0 to 7.0) or ThingWorx Kepware Server

PTC Kepware signs its software installers to ensure authenticity and integrity. Modern installers use newer cryptographic standards (e.g., SHA-256) that require trusted to be present in the Windows Certificate Store.