Sometimes when installing OBRM v5.2 or later, you may see an error that reads something like:

A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

There may be a few reasons for this message to appear, and we’d like to highlight the most possible ones and provide you with possible workarounds.

From what we’ve seen there seem to be 2 certificates that it could be having trouble with.

The first is the DigiCert Assured ID Root CA, which is the one we use for signing our installer. The second is the Microsoft Root Authority, used by Microsoft.

To check for the presence of these certificates:

  1. In the Control Panel, go to Internet Options > Content, and then click Certificates.

  2. In the Certificates dialog, go to Trusted Root Certification Authorities.

  3. Look for Microsoft Root Authority and DigiCert Assured ID Root CA.

  4. To confirm they’re the correct versions, double-click each and check the serial number against the following:

    "DigiCert Assured ID Root CA"
    0C:E7:E0:E5:17:D8:46:FE:8F:E5:60:FC:1B:F0:30:39
    "Microsoft Root Authority"
    00:c1:00:8b:3c:3c:88:11:d1:3e:f6:63:ec:df:40
    

If the versions don’t match you will have to reinstall them. You can get the DigiCert one from this website. We weren’t able to find anywhere that Microsoft has made their certificate available for download. It should be installed by default on all systems from XP up. So if it’s missing (and you didn’t do anything to specifically remove it), there may be something worse going on in Windows than not being able to install our agent. It looks like you may be able to get it from Windows updates, but we’re not certain that this is the case. If not, then the best way to get the certificate will be to do a clean install of this version of Windows on another box than to export it from there and import it to this system.

The most likely reason for this issue to happen is Windows doesn’t have necessary Windows update or hotfixes. That’s especially the case for Windows Server 2003. Please install all the online and offline updates, including the ones mentioned in the articles that you can find here.

To import the certificate:

  1. In the Microsoft Management Console, go to File > Add/Remove Snap-in.

  2. Select Certificates from the available snap-ins, and then click Add.

  3. In the open window, select Computer account, and then click Next.

  4. Select Local computer, click Finish, and then click OK.

  5. In Microsoft Management Console, go to Certificates > Trusted Root Certification Authorities.

  6. Right-click Certificates, and select All Tasks > Import.

    Follow the instructions to import the certificate.

Other possible certificates needed are:

  • Verisign certificate ((necessary for the DR agent))

  • Digicert certificate

  • Godaddy

    To verify you have the correct GoDaddy root and intermediate certificates:

    1. In the Control Panel, go to Internet Options > Content, and then click Certificates.

    2. In the open window, go to Trusted Root Certification Authorities, and look for Go Daddy Root Certificate Authority – G2.

The thumbprint is: 47beabc922eae80e78783462a79f45c254fde68b

If that’s not in there or has a different thumbprint, you can go here and get the one labeled GoDaddy Class 2 Certification Authority Root Certificate – G2.

To import the certificate:

  1. In the Microsoft Management Console, go to File > Add/Remove Snap-in.

  2. Select Certificates from the available snap-ins, and then click Add.

  3. In the open window, select Computer account, and then click Next.

  4. Select Local computer, click Finish, and then click OK.

  5. In Microsoft Management Console, go to Certificates > Trusted Root Certification Authorities.

  6. Right-click Certificates, and select All Tasks > Import.

    Follow the instructions to import the certificate.

Both of these need to be imported to the server with the issue, and installed to the trusted root certification authorities store. Once you do this, the system should be able to install the agents.

Microsoft has a program called Microsoft Root Certificate Program to distribute root certificates to Windows clients and devices. Microsoft published the list of members of the Root Certification Program on Technet. This list is updated as new certificates are added to the program.