A certificate chain could not be built to a trusted root authority


Security Update for Microsoft .NET Framework 4.X (KB3135996 or KB3136000) may fail with the following error message: Installation failed with error code: (0x800B010A), "A certificate chain could not be built to a trusted root authority." The HRESULT 0x800B010A is CERT_E_CHAINING; the install log reports the same value in signed decimal as -2146762486.

As per the install log:

C:\65760b35b9bcb98aad5de44ad83b\NDP45-KB3135996.msp Signature could not be verified for NDP45-KB3135996.msp
No FileHash provided. Cannot perform FileHash verification for NDP45-KB3135996.msp
File NDP45-KB3135996.msp (C:\65760b35b9bcb98aad5de44ad83b\NDP45-KB3135996.msp), failed authentication(Error = -2146762486). It is recommended that you delete this file and retry setup again.
Failed to verify and authenticate the file -C:\65760b35b9bcb98aad5de44ad83b\NDP45-KB3135996.msp
Please delete the file, C:\65760b35b9bcb98aad5de44ad83b\NDP45-KB3135996.msp and run the package again

According to the CAPI2 event messages inside the log:

<CryptRetrieveObjectByUrlWire>
  <URL scheme="http">http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt</URL>
  <Object type="CONTEXT_OID_CERTIFICATE" constant="1"/>
  <Timeout>PT15S</Timeout>
  <Flags value="286005" CRYPT_RETRIEVE_MULTIPLE_OBJECTS="true" CRYPT_WIRE_ONLY_RETRIEVAL="true" CRYPT_LDAP_SCOPE_BASE_ONLY_RETRIEVAL="true" CRYPT_OFFLINE_CHECK_RETRIEVAL="true" CRYPT_AIA_RETRIEVAL="true" CRYPT_PROXY_CACHE_RETRIEVAL="true"/>
  <AdditionalInfo>
    <Action name="NetworkRetrievalTimeout">
      <Error value="5B4">This operation returned because the timeout period expired.</Error>
    </Action>
  </AdditionalInfo>
  <EventAuxInfo ProcessName="Setup.exe"/>
  <CorrelationAuxInfo TaskId="{98B7F5D9-09DF-4158-8662-72272FA6171C}" SeqNumber="9"/>
  <Result value="5B4">This operation returned because the timeout period expired.</Result>
</CryptRetrieveObjectByUrlWire>

This issue occurs when the Microsoft Root Certificate Authority 2011 certificate (MicRooCerAut2011_2011_03_22.crt) is missing from the machine's Trusted Root Certification Authorities store. That is most likely in an environment that is disconnected from the Internet, or that has a firewall blocking the automatic root update download from http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en. The CAPI2 event above shows the other path setup tries: an AIA fetch of the root itself from http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt, which times out (result 0x5B4, ERROR_TIMEOUT) after the 15-second limit, so the chain for the .msp signature cannot be completed. This behavior is due to recent changes to Microsoft Windows Enforcement of Authenticode Code Signing and Timestamping, under which the update's signature chains to this 2011 root.
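To find out which URL a machine is actually failing to reach, it is easier to query the CAPI2 log than to read the raw XML. The function below is an added example, not part of the original post: it parses a CAPI2 "Retrieve Object from Network" event (event ID 53 in Microsoft-Windows-CAPI2/Operational, or a saved fragment such as the one above) and returns the URL, timeout, result code and the retrieval flags that matter. The function and parameter names are my own, and the sample event is a trimmed copy of the fragment above, constructed here so the block runs offline.

```powershell
# Added example (not from the original post): report failed CAPI2 network
# retrievals so you know exactly which URL the firewall/proxy must allow.
# Function and parameter names are assumptions of this example.
function Get-Capi2RetrievalFailure {
    param(
        # Full event XML (from Get-WinEvent ... | % ToXml) or a bare
        # <CryptRetrieveObjectByUrlWire> fragment.
        [Parameter(ValueFromPipeline, Mandatory)] [string] $EventXml
    )
    process {
        $doc  = [xml] $EventXml
        # local-name() sidesteps the default namespace on live event XML.
        $node = $doc.SelectSingleNode('//*[local-name()="CryptRetrieveObjectByUrlWire"]')
        if (-not $node) { return }
        # PowerShell's XML adapter: attributes become properties, element text is '#text'.
        [pscustomobject]@{
            Url      = $node.URL.'#text'.Trim()
            Timeout  = $node.Timeout
            Result   = '0x{0}' -f $node.Result.value          # 0x5B4 = ERROR_TIMEOUT
            Message  = $node.Result.'#text'.Trim()
            Action   = $node.AdditionalInfo.Action.name        # e.g. NetworkRetrievalTimeout
            WireOnly = $node.Flags.CRYPT_WIRE_ONLY_RETRIEVAL -eq 'true'
            AiaFetch = $node.Flags.CRYPT_AIA_RETRIEVAL -eq 'true'
            Process  = $node.EventAuxInfo.ProcessName
        }
    }
}

# Constructed sample: trimmed copy of the event fragment shown above.
$sample = @'
<CryptRetrieveObjectByUrlWire>
  <URL scheme="http">http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt </URL>
  <Object type="CONTEXT_OID_CERTIFICATE" constant="1"/>
  <Timeout>PT15S</Timeout>
  <Flags value="286005" CRYPT_WIRE_ONLY_RETRIEVAL="true" CRYPT_AIA_RETRIEVAL="true"/>
  <AdditionalInfo>
    <Action name="NetworkRetrievalTimeout">
      <Error value="5B4">This operation returned because the timeout period expired.</Error>
    </Action>
  </AdditionalInfo>
  <EventAuxInfo ProcessName="Setup.exe"/>
  <Result value="5B4">This operation returned because the timeout period expired.</Result>
</CryptRetrieveObjectByUrlWire>
'@
$sample | Get-Capi2RetrievalFailure | Format-List

# Live log (enable it first: wevtutil sl Microsoft-Windows-CAPI2/Operational /e:true),
# keeping only retrievals that did not succeed.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CAPI2/Operational'; Id = 53 } -ErrorAction SilentlyContinue |
    ForEach-Object { $_.ToXml() } |
    Get-Capi2RetrievalFailure |
    Where-Object { $_.Result -ne '0x0' } |
    Format-Table Url, Result, Message, Process -AutoSize
```

A WireOnly retrieval with AiaFetch set and a NetworkRetrievalTimeout action is the signature of this particular failure: CryptoAPI skipped the local cache and went to the AIA URL for the root, and the network never answered.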

In order to resolve this issue, try the following steps:

· Download the certificate from http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt on a connected machine and copy it locally (for example to C:\Temp). Before trusting it, confirm it is the expected root: the subject is "Microsoft Root Certificate Authority 2011" and the certificate is self-signed (issuer equals subject).
· Add it to the local machine's Trusted Root Certification Authorities store from the command line with the certmgr.exe utility. For more information, see the Certmgr.exe (Certificate Manager Tool) topic at MSDN. Open an admin command prompt and run: certmgr.exe /add C:\Temp\MicRooCerAut2011_2011_03_22.crt /s /r localMachine root
· Next, retry installing the patch KB3135996 or KB3136000.

Alternatively, you can download and install KB2813430, which lets administrators update the trusted root and disallowed certificate lists on machines that cannot reach Windows Update, and then manage certificates individually from http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en

For more information, see the Configure trusted roots and disallowed certificates & Install a Root Certification Authority on offline machines topics at TechNet.
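The steps above, carried through in PowerShell, as an added example that is not part of the original post: it reproduces the signature failure outside of setup with Get-AuthenticodeSignature, checks whether the root is already in the machine store, validates the downloaded file before trusting it, imports it, and re-verifies the .msp. Adding a root certificate machine-wide is exactly what an attacker would want you to do with a forged file, so the script refuses to import anything that is not a self-signed "Microsoft Root Certificate Authority 2011" certificate with the expected thumbprint. The paths, step layout and $ExpectedThumbprint are my assumptions; confirm the thumbprint against the value Microsoft publishes before relying on it.

```powershell
# Added example (not from the original post): diagnose, verify and fix the
# missing Microsoft Root Certificate Authority 2011 on an offline machine.
# Paths and the expected thumbprint are assumptions of this example.
# Run from an elevated PowerShell prompt.
$Msp                = 'C:\65760b35b9bcb98aad5de44ad83b\NDP45-KB3135996.msp'
$CertFile           = 'C:\Temp\MicRooCerAut2011_2011_03_22.crt'
$ExpectedSubject    = 'CN=Microsoft Root Certificate Authority 2011'
$ExpectedThumbprint = '8F43288AD272F3103B6FB1428485EA3014C0BCFE'   # assumed; confirm out of band

function Test-PatchSignature([string] $Path) {
    # The same check setup performs: Authenticode signature plus a chain to a trusted root.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    Write-Host ('{0}: {1} - {2}' -f (Split-Path $Path -Leaf), $sig.Status, $sig.StatusMessage)
    return ($sig.Status -eq 'Valid')
}

# 1. Reproduce the failure outside of setup.
if (Test-PatchSignature $Msp) { Write-Host 'Signature already chains; the root is not the problem.'; return }

# 2. Is the root already in the machine store? If so, the cause is elsewhere (check the CAPI2 log).
$present = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like "$ExpectedSubject*" }
if ($present) { Write-Host "Root already present: $($present.Thumbprint)"; return }

# 3. Inspect the downloaded file before trusting it: right subject, self-signed, expected thumbprint.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertFile
if ($cert.Subject -notlike "$ExpectedSubject*" -or $cert.Subject -ne $cert.Issuer) {
    throw "Not the expected self-signed Microsoft root: $($cert.Subject)"
}
if ($cert.Thumbprint -ne $ExpectedThumbprint) {
    throw "Thumbprint mismatch: got $($cert.Thumbprint), expected $ExpectedThumbprint"
}

# 4. Add it to the machine's Trusted Root Certification Authorities store.
#    Import-Certificate comes with the PKI module (Windows 8 / Server 2012 and later);
#    certutil is the fallback on older systems and does the same thing as the certmgr.exe step.
if (Get-Command Import-Certificate -ErrorAction SilentlyContinue) {
    Import-Certificate -FilePath $CertFile -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
} else {
    certutil.exe -addstore Root $CertFile | Out-Null
}

# 5. Confirm the chain now builds, then rerun the KB3135996 / KB3136000 setup.
if (-not (Test-PatchSignature $Msp)) {
    throw 'Root installed but the signature still does not chain; check the CAPI2 log for the next missing object.'
}
Write-Host 'Root trusted; rerun the update.'
```

If step 1 reports Valid on a machine that still fails setup, the problem is not the root store; look at the CAPI2 log for other objects (intermediates, CRLs, timestamp chain) that setup is trying to fetch.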


Comments (11)

  1. Adam Austin says:

    To install the certificate in the third bullet, you might want to use certutil rather than certmgr: certutil -addstore root . Cleaner utility in my opinion. Also, if you configure your systems to be in compliance with DoD STIGs, there is a registry key you will want to check to see if it is preventing install of .NET patches: HKU\\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing “State” key. If you set this key to be the value required in the .NET 4 STIG, it may prevent install of patches in a disconnected environment.

    1. Andi B. says:

      You made my day!!

  2. Andy Newton says:

    Worked perfectly.

  3. Jeremy says:

    Thank you. The command above should read with a .crt instead of a .cer.
    “certmgr.exe /add C:\Temp\MicRooCerAut2011_2011_03_22.crt /s /r localMachine root”

  4. David says:

    Works like a charm! Thank you!

  5. Edward Tisdale says:

    You can also extract the .exe and run the .msp.

    [patch.exe] /s /x /b "[export path]" /v "/qn"
    Then run the [export path].msp.

  6. asda says:

    It works. Thanks!

  7. Cristian Stefan says:

    Thank you, the solution is working perfectly.

  8. Racquel Vanzant says:

    You have the extension wrong for the cert file!!!

  9. Hajoutak says:

    It was great to get here and at last it worked perfectly
