For industrial automation engineers and IT/OT integration specialists, Kepware is a cornerstone technology. As the industry standard for industrial connectivity, Kepware’s suite of products (including KEPServerEX) provides seamless communication between disparate PLCs, sensors, and databases. However, even robust software can encounter cryptic installation blockers.
One of the most frustrating and increasingly common errors during Kepware installation is:
"The installer was unable to find required root certificates exclusive."
This message halts the installation process immediately, providing little context about what "exclusive" means or which certificates are missing. If you are facing this error, you are not alone. This article will dissect the root cause, explain the role of digital certificates in modern industrial software, and provide a definitive, step-by-step solution to bypass this issue permanently.
Maintain a folder on your industrial network containing the .CER files of the top 20 Global Root CAs. This saves hours of troubleshooting during future installations.
For legacy systems where security validation is not critical, you can disable root certificate verification using a command-line switch (if supported by the Kepware installer version):
KepwareInstaller.exe /SkipRootCheck
Note: This switch is not officially documented for all versions and should be used only in isolated, trusted OT environments.
The error "The installer was unable to find required root certificates" is not a bug in Kepware but a reflection of Windows' evolving security model. As cyber-attacks on supply chains increase, code signing becomes more rigorous, and outdated Windows builds are left behind.
By following the methods in this guide—especially the manual import of root certificates for air-gapped networks—you can bypass this roadblock in minutes.
Final Checklist When You See This Error:
Solve the certificate problem, and you’ll be back to connecting your industrial devices in no time.
Need further assistance? Contact PTC Kepware support with the installer log file (located in %temp%/PTC_Kepware_Install.log).
This error typically occurs when your system lacks the updated root certificates required to verify the digital signature of the KEPServerEX installer. It is most common on machines without active internet access or those with disabled Windows Updates.
Fixed: Kepware "Installer was unable to find required root certificates"
If you are trying to install or upgrade KEPServerEX and hit the wall with a "Missing Root Certificates" error, you aren't alone. This safeguard ensures that the installer you are running is authentic and hasn't been tampered with. Why this happens
Modern Kepware installers (v5.20 to v7.x) are digitally signed. During installation, Windows tries to verify this signature against a list of trusted Certificate Authorities (CAs), such as GlobalSign or VeriSign. If your OS cannot find these certificates—often because it hasn't received a Windows Update in a long time—the installer fails to protect you from potentially untrusted software. Step-by-Step Solutions Method 1: The Quick Fix (Run Windows Update) The simplest solution is to let Windows update itself. Go to Settings > Update & Security > Windows Update. Click Check for updates. "The installer was unable to find required root
Once the system is fully updated, restart your computer and try the Kepware installation again. Method 2: Manual Certificate Import (For Offline Machines)
If your server is in an offline environment (OT network), you must manually import the required certificates. You will need to obtain the latest .cer files from a machine that does have internet access.
Open Certificate Manager: Press Win + R, type certmgr.msc, and hit Enter.
Locate the Store: Right-click Trusted Root Certification Authorities > All Tasks > Import.
Import the Root: Follow the wizard to import the missing certificates (typically GlobalSign or Microsoft Root CAs).
Repeat for "Third-Party Root CAs": Ensure the certificates are also present in the Third-Party Root Certification Authorities store. Method 3: Verify the Installer Digital Signature
Before you spend time on certificates, make sure the installer file itself isn't corrupt: Right-click the .exe installer and select Properties. Go to the Digital Signatures tab. Select the signature and click Details.
If it says "This digital signature is OK," your system just needs the root certificates mentioned above. If it says it's invalid, download a fresh copy from the PTC Kepware website. Pro-Tip for Industrial Environments
In many plants, Windows Update is permanently disabled to prevent unexpected reboots. To avoid this error in the future, include Root Certificate Updates as part of your standard server "hardening" or commissioning checklist before moving equipment to the production floor.
Are you seeing specific error codes like 0x65B in your bootstrap logs? Identifying the exact missing certificate can help speed up the manual import process.
The error message "The installer was unable to find required root certificates" typically occurs during the installation or upgrade of PTC Kepware products when the Windows operating system lacks the necessary updated root certificates to verify the installer's digital signature. This is common on systems that are offline or have disabled Windows Updates, as they cannot automatically download new Certificate Revocation Lists (CRLs) or Trusted Root CAs. Primary Solutions
To resolve this issue, you must ensure the system can trust the certificates used by the Kepware installer.
Run Windows UpdateThe most straightforward fix is to connect the machine to the internet and run Windows Update. This allows the OS to automatically update its Trusted Root Certification Authorities store.
Manual Certificate InstallationIf the server must remain offline or cannot be updated, you must manually install the required root certificates (often from issuers like GlobalSign or VeriSign):
Obtain the necessary root certificate files (.cer or .crt) from a machine with internet access or directly from the PTC Support Portal. Run the installer manually
Right-click the certificate file and select Install Certificate.
In the Certificate Import Wizard, select Local Machine as the store location.
Manually choose the Trusted Root Certification Authorities store for the placement.
Check Bootstrap LogsIf the error persists, review the installation logs to identify which specific certificate is missing. You can find these at: C:\Program Files (x86)\Kepware\KEPServerEX\bootstrap.log
C:\Program Files (x86)\PTC\ThingWorxIndustrialConnectivity\bootstrap.logLook for entries like CheckRootCert, GlobalSign Failed to pinpoint the missing authority. Common Scenarios and Troubleshooting
Legacy Systems: Users on older operating systems like Windows 7 or Windows XP SP3 frequently encounter this because these versions no longer receive automatic certificate updates.
Self-Signed Certificates: If you are trying to connect via OPC UA after installation and see certificate errors, you may need to use the OPC UA Configuration Manager to manually trust the server's self-signed certificate.
Invalid Digital Signature: If you see errors about "invalid digital signatures" alongside the root certificate warning, it often indicates the installer cannot verify its own integrity because the chain of trust is broken at the root level.
If manual installation of GlobalSign or Microsoft root certificates does not work, it is recommended to open a support ticket with the Kepware team for specific offline certificate packages.
This error occurs when the Kepware installer cannot verify the digital signature of its setup files because the required Root Certificate Authorities (CAs) are missing or outdated on your Windows system. This is common on offline machines or older operating systems like Windows 7 that haven't received recent security updates. Immediate Solutions
Run Windows Update: The simplest fix is to connect the machine to the internet and run Windows Update. This automatically refreshes the Trusted Root Certification Authorities store.
Manual Certificate Installation: If the machine must remain offline, you can manually install the missing certificates (typically from GlobalSign, VeriSign, or Microsoft).
Obtain the required .cer or .crt files from a machine with internet access or the PTC Support Portal.
Right-click the certificate file and select Install Certificate. Choose Local Machine as the store location.
Manually select the Trusted Root Certification Authorities store rather than letting Windows choose automatically. Complete the wizard and restart the Kepware installer. Alternative Command Line Method Method A: Update via Windows Update
You can also use the Windows certutil tool to force the installation of a certificate via the Command Prompt (Run as Administrator): certutil -addstore "Root" Why This Happens
Newer versions of KEPServerEX (v6.7 and later) use advanced code-signing certificates to ensure the software hasn't been tampered with. If your system's "trusted list" doesn't recognize the authority that signed the Kepware installer, Windows blocks the process to protect the system.
For further assistance, you can refer to the official PTC Kepware Support Article CS292168 or open a ticket at My Kepware if manual installation fails.
Resolving the Kepware Installer "Missing Root Certificates" Error The error message
"The Installer was unable to find required root certificates" typically occurs during the installation or upgrade of KEPServerEX (versions 5.20.396.0 to 7.0) or ThingWorx Kepware Server
. This issue arises when the host operating system lacks the modern root certificates required to verify the digital signature of the installer. Primary Solutions Apply Windows Updates
: The most direct fix is to run Windows Update on the target machine. This allows the OS to automatically download and install the latest Trusted Root Certification Authorities Manual Certificate Installation
: If the machine is offline or cannot be updated, you must manually install the required certificates into the Local Machine Step-by-Step Manual Installation
If Windows Update is not an option, follow these steps to manually update your certificate store: Identify Missing Certificates : Common required root certificates include those from GlobalSign . Specific critical roots often include: GlobalSign Root CA - R3 DigiCert Trusted Root G4 Microsoft Code Verification Root Import via MMC , and press Enter. File > Add/Remove Snap-in Certificates Computer account (Local Computer). Navigate to Trusted Root Certification Authorities > Certificates Right-click, select All Tasks > Import , and browse to your downloaded certificate file. Ensure Correct Storage
: For certificates pushed via Group Policy, the installer may still fail to find them unless they are manually re-installed into the Physical Store (specifically the "Registry" location). Common Troubleshooting Blocks Firewall Interference
: Ensure no firewalls or security software (like Kaspersky) are blocking the installer from verifying signatures online. Bootstrap Logs
: If the error persists, check the installation logs (typically found at C:\Program Files (x86)\Kepware\KEPServerEX\bootstrap.log
) to identify exactly which certificate check is failing (e.g., error code
For further assistance, users are encouraged to open a support ticket via the My Kepware portal download links
for the missing GlobalSign or Microsoft root certificates to begin the manual import? Kepserverex Root Certificate - Google Groups
Method A: Update via Windows Update
Method B: Manual update (if offline or no Windows Update)