The error message "The installer was unable to find required root certificates" typically occurs when the KEPServerEX installer cannot verify its digital signature because the target machine's operating system lacks updated certificate authorities (CAs). This is common on offline systems or older versions like Windows 7 and Server 2016. Primary Resolutions
To resolve this, you must ensure the host machine trusts the certificates used by PTC Kepware.
Apply Windows Updates: The most direct fix is to connect the machine to the internet and run Windows Update to automatically refresh the local Trusted Root Certification Authorities store.
Manual Certificate Installation: If the machine is offline, you must manually install the required root certificates (such as those from GlobalSign or VeriSign).
Obtain the missing root certificates (typically .cer or .crt files) from a machine with internet access or via PTC Support.
Right-click the certificate file and select Install Certificate. Choose Local Machine as the store location.
Manually select Trusted Root Certification Authorities as the certificate store rather than letting Windows choose automatically.
Use Batch/Registry Files: For bulk deployments or specific environments, PTC and security vendors like Trellix provide .bat or .reg files that automate the import of necessary 2024/2025 root certificates. Troubleshooting Specific Scenarios
Windows 7 / Server 2008 R2: These versions often lack the SHA-256 support needed for modern installers. Ensure the SHA-2 support update is installed. The error message " The installer was unable
Verification Check: You can verify if the installer is trusted by running certutil -hashfile in a command prompt and checking for errors related to the digital signature.
Support Ticket: If manual installation fails, PTC Kepware Support recommends opening a ticket through My Kepware to receive the specific certificate chain files required for your server version.
Are you working on an offline machine or an older operating system version?
The primary cause of this error is the absence of specific Trusted Root Certification Authorities within the Windows certificate store. Kepware installers are digitally signed to ensure integrity and authenticity. When the installer runs, it checks the local machine's certificate store to validate that signature.
This issue most frequently occurs in the following scenarios:
PTC (the parent company of Kepware) allows certain deployment flags for silent installations. You can attempt to bypass the root certificate requirement using the DISABLE_CERT_WRAPPER=1 property.
Method: Open Command Prompt as Administrator and navigate to the folder containing the installer. Run:
KEPServerEX.6.xx.xxx.x.exe DISABLE_CERT_WRAPPER=1 /quiet /norestart
Warning: This bypasses signature validation. Only use this in a trusted, isolated network where you are certain the installer binary has not been tampered with. This is not recommended for production SCADA environments but can resolve the "exclusive" lock error in lab/test settings. Offline or Isolated Machines: The target computer may
This error is a defensive security feature, not a bug. It ensures that Kepware components are properly signed and untampered. Attempting to bypass the check without updating the root store is strongly discouraged in production or regulated environments (NERC CIP, IEC 62443, FDA, etc.).
If the problem persists after trying the steps above, contact PTC Kepware support with the installer log – they can provide the exact thumbprint of the required root certificate for your product version.
Troubleshooting the Kepware Error: "The installer was unable to find required root certificates"
If you are trying to install or update Kepware’s KEPServerEX and you’re hit with the error "The installer was unable to find required root certificates," you aren't alone. This is a common roadblock, especially on industrial PCs (IPCs) or servers that are kept offline for security reasons. Why Is This Happening?
Modern software installers use digital signatures to prove they haven't been tampered with. Kepware uses certificates issued by authorities like DigiCert or Sectigo.
When you run the installer, Windows tries to verify these signatures. If your operating system is missing the specific "Root Certificates" needed to validate those signatures—and the computer cannot connect to the internet to download them automatically—the installer will abort to protect the system. Solution 1: The "Quick Fix" (Internet Access)
If the machine can be temporarily connected to the internet: Connect the machine to the web. Run the Kepware installer again.
Windows will automatically reach out to the Microsoft Root Certificate Program in the background, download what it needs, and the error should vanish. Solution 2: Manual Certificate Update (Offline Method) Solution 3: Bypass Certificate Check via Command Line
Since many Kepware instances run on isolated OT (Operational Technology) networks, you likely need to move the certificates manually using a USB drive. Step 1: Identify the Missing Certificate
Usually, the installer is looking for the DigiCert Trusted Root G4 or a similar modern root. You can check which one is missing by right-clicking the Kepware .exe file, selecting Properties > Digital Signatures > Details > View Certificate. Step 2: Download the Roots from a Connected PC On a computer with internet access: Go to the DigiCert Trusted Root Authority page.
Download the DigiCert Trusted Root G4 (or the specific one identified in Step 1) in .crt or .der format. Step 3: Install on the Offline Machine Move the file to the offline server. Double-click the certificate and click Install Certificate. Choose Local Machine.
Crucial Step: Do not let Windows "Automatically select the certificate store." Instead, choose Place all certificates in the following store and browse to Trusted Root Certification Authorities. Finish the import and restart the Kepware installer. Solution 3: Update via Windows Update (WSUS)
If your company uses a WSUS (Windows Server Update Services) server to manage updates:
Ensure that Root Certificate Updates are approved for your group of industrial computers.
Many admins disable these to "harden" the system, but it frequently breaks installers for signed drivers and industrial software. Summary for Success
The "exclusive" nature of this error means the installer is strictly enforcing security. By manually placing the DigiCert or Sectigo roots into the Trusted Root Certification Authorities store, you satisfy the installer’s security check without needing to compromise your air-gapped network.
Are you running this on an older version of Windows like Server 2012 or Windows 7, which might require a specific KB update for code signing?
There are two primary methods to resolve this issue, ranging from the automated approach (recommended) to the manual approach (for strictly offline systems).