Sometimes when installing OBRM v5.2 or later, you may see an error that reads something like:

A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

There may be multiple reasons for this message to appear, and we would like to highlight the most possible ones and provide you with possible workarounds.

From what we have seen there seem to be 2 certificates that it could be having trouble with.

The first is the DigiCert Assured ID Root CA, which is the one we use for signing our installer. The second is the Microsoft Root Authority, used by Microsoft.

To check for the presence of these certificates, go to control panel > internet options > Content > and click certificates. In the Certificates dialog that appears, go to "Trusted Root Certification Authorities" and look for the "Microsoft Root Authority" and "DigiCert Assured ID Root CA".

To confirm they are the correct versions double click on each one and confirm the serial number against the ones below:
"DigiCert Assured ID Root CA"
0C:E7:E0:E5:17:D8:46:FE:8F:E5:60:FC:1B:F0:30:39
"Microsoft Root Authority"
00:c1:00:8b:3c:3c:88:11:d1:3e:f6:63:ec:df:40

If the versions do not match you will have to reinstall them. You can get the DigiCert one from [this website](https://www.digicert.com/digicert-root-certificates.htm){:target=\_blank}. We were not able to find anywhere that Microsoft has made their certificate available for download. It should be installed by default on all systems from XP up. So if it is missing (and you didn't do anything to specifically remove it) there may be something worse going on in windows than not being able to install our agent. It looks like you may be able to get it from Windows updates, but we are not certain that this is the case. If not then the best way to get the certificate will be to do a clean install of this version of windows on another box then export it from there and import it to this system.

The most likely reason for this issue to happen is Windows does not have necessary Windows update and/or hotfixes. That is especially the case for Windows Server 2003. Please install all the online and offline updates, including the ones mentioned in the ones mentioned in the articles that you can find by using [this](https://support.microsoft.com/en-us/kb/968730){:target=\_blank}.
To import the certificate:

Run mmc.exe to launch the Microsoft Management Console Under File, go to Add\Remove Snap-in Select and add Certificates from the available snap-ins. Select Computer account and click Next. Select Local computer and click Finish. Click OK.In the MMC, expand Certificates - Trusted Root Certificate Authorities - Certificates Right click Certificates - All Tasks - Import Follow the prompts to import the certificate.

Other possible certificates needed are:

Verisign cert can be found: (necessary for the DR agent)
https://www.tbs-certificates.co.uk/FAQ/en/verisign-universal-root.html

Digicert can be downloaded:
https://www.digicert.com/digicert-root-certificates.htm

Godaddy

verifying you have the correct GoDaddy root and intermediate certificates.
Go to control panel > internet options > Content > and click certificates.
In the Certificates dialog that appears, go to "Trusted Root Certification Authorities" and look for the "Go Daddy Root Certificate Authority - G2".
The thumbprint is: 47beabc922eae80e78783462a79f45c254fde68b

If that is not in there or has a different thumbprint, you can go to https://certs.godaddy.com/repository and get the one labeled "GoDaddy Class 2 Certification Authority Root Certificate - G2".

To import the certificate:
Run mmc.exe to launch the Microsoft Management Console Under File, go to Add\Remove Snap-in Select and add Certificates from the available snap-ins. Select Computer account and click Next. Select Local computer and click Finish. Click OK. In the MMC, expand Certificates - Trusted Root Certificate Authorities - Certificates Right click Certificates - All Tasks - Import Follow the prompts to import the certificate.


Both of these need to be imported to the server with the issue, and installed to the trusted root certification authorities store. Once we had done that the system was able to install the agents.

Microsoft has a program called Microsoft Root Certificate Program to distribute root certificates to Windows clients and devices. Microsoft published a list of members of the Root Certification Program on Technet. This list will be updated as new CAs are added to the program.