Kepware The Installer Was Unable To - Find Required Root Certificates Exclusive

To understand the error, we must first understand how modern Windows software (especially software dealing with secure communications like OPC UA) validates its authenticity.

To fix the problem, you must understand the root cause. In modern Windows environments, software vendors digitally sign their installers and executables using code-signing certificates. These certificates are issued by trusted Certificate Authorities (CAs) like DigiCert, GlobalSign, or Sectigo.

When you run the Kepware installer, it performs the following checks:

The error message appears when the Windows operating system does not trust the authority that issued Kepware’s digital signature.

If you're in a test/air-gapped environment and must proceed: To understand the error, we must first understand

Method: Use an older offline installer
Some legacy Kepware versions (pre-6.x) do not enforce online root certificate validation.

Method: Modify hosts file
Block the installer from reaching certificate validation endpoints:

127.0.0.1 crl.digicert.com
127.0.0.1 ocsp.digicert.com

Note: This is insecure and unsupported by Kepware.

After applying the solution:

Scenario: A manufacturing plant attempts to upgrade Kepware 6.14 to 6.15 on a Siemens SIMATIC IPC (Windows 10 IoT LTSC, no internet).

Error: "The installer was unable to find required root certificates exclusive."

Steps Taken:

Lesson Learned: For air-gapped OT environments, manual certificate import is the exclusive, reliable fix. The error message appears when the Windows operating

Root certificates are the backbone of Public Key Infrastructure (PKI). When you install Kepware, the installer checks for specific trusted Certificate Authorities (CAs) in your Windows Trusted Root Certification Authorities store. These certificates validate the digital signatures of Kepware’s drivers, DLLs, and kernel-level components.

The most common missing certificates for Kepware are:

In some cases, the Windows certificate store itself may be corrupted, or specific Group Policy Objects (GPOs) may be stripping out third-party root certificates, leaving the machine unable to trust commercial software vendors.