Root Certificate Error


You're trying to install Microsoft updates and you see the following error: " A certificate chain processed but terminated in a root certificate which is not trusted by the trust provider ".


This error occurs when the application you try to install is being signed by a set of new certificates that require updates. Typically, the Windows root certificate program automatically downloads these new root certificates. However, the Windows root certificate program may not function as expected if the computer is disconnected from the internet or if the root certificates update is disabled through Group Policy.


For updating trusted Certificates offline, kindly follow the steps below : 

  1. Generate root.sst file. The file gets downloaded in the C drive. 
    certutil.exe -generateSSTFromWU C:/root.sst
  2. Download Trusted Certficate List from Windows Update: link
  3. Download Disallowed Certificate List from Windows Update: link
  4. Move root.sst, and files to a different folder (the and files will get downloaded in the downloads folder).
  5. Execute the commands given below:
    cd <path to folder>
    certutil.exe -addstore -f root root.sst
    expand.exe -F:* authroot.stl
    expand.exe -F:* disallowedcert.stl
    certutil.exe -addstore -f root authroot.stl
    certutil.exe -addstore -f disallowed disallowedcert.stl

If the issue persists even after following the above mentioned resolution, please feel free to contact Support