Sometimes when installing OBRM v5.2 or later, you may see an error that reads something like:

Error message

A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

Error description

This error may show when installing OBRM 5.2 or later.

There may be a few reasons for this message to appear, and we would like to highlight the most possible ones and provide you with possible workarounds.

From what we have seen there seem to be 2 certificates that it could be having trouble with.

The first is the DigiCert Assured ID Root CA, which is the one we use for signing our installer. The second is the Microsoft Root Authority, used by Microsoft.

Steps to resolve

To check for the presence of these certificates:

  1. In the Control Panel, go to Internet Options > Content, and then click Certificates.

  2. In the Certificates dialog, go to Trusted Root Certification Authorities.

  3. Look for Microsoft Root Authority and DigiCert Assured ID Root CA.

  4. To confirm they are the correct versions, double-click each and check the serial number against the following:

    "DigiCert Assured ID Root CA"
    0C:E7:E0:E5:17:D8:46:FE:8F:E5:60:FC:1B:F0:30:39
    "Microsoft Root Authority"
    00:c1:00:8b:3c:3c:88:11:d1:3e:f6:63:ec:df:40
    

If the versions do not match, you will have to uninstall and install them again. You can get the DigiCert one from this website. We were not able to find anywhere that Microsoft has made their certificate available for download. It should be installed by default on all systems from XP up. So if it is missing (and you did not do anything to specifically remove it), there may be something worse going on in Windows than not being able to install our agent. It looks like you may be able to get it from Windows updates, but we are not certain that this is the case. If not, then the best way to get the certificate will be to do a clean install of this version of Windows on another box than to export it from there and import it to this system.

The most likely reason for this issue to happen is Windows does not have necessary Windows update or hotfixes. That is especially the case for Windows Server 2003. Please install all the online and offline updates, including the ones mentioned in the articles that you can find here.

To import the certificate:

  1. In the Microsoft Management Console, go to File > Add/Remove Snap-in.

  2. Select Certificates from the available snap-ins, and then click Add.

  3. In the open window, select Computer account, and then click Next.

  4. Select Local computer, click Finish, and then click OK.

  5. In Microsoft Management Console, go to Certificates > Trusted Root Certification Authorities.

  6. Right-click Certificates, and select All Tasks > Import.

    Follow the instructions to import the certificate.

Other possible certificates needed are:

  • Verisign certificate ((necessary for the DR agent))

  • DigiCert certificate

  • GoDaddy

    To verify you have the correct GoDaddy root and intermediate certificates:

    1. In the Control Panel, go to Internet Options > Content, and then click Certificates.

    2. In the open window, go to Trusted Root Certification Authorities, and look for Go Daddy Root Certificate Authority – G2.

The thumbprint is 47beabc922eae80e78783462a79f45c254fde68b.

If that is not there, or it has a different thumbprint, you can go here and get the one labeled GoDaddy Class 2 Certification Authority Root Certificate – G2.

To import the certificate:

  1. In the Microsoft Management Console, go to File > Add/Remove Snap-in.

  2. Select Certificates from the available snap-ins, and then click Add.

  3. In the open window, select Computer account, and then click Next.

  4. Select Local computer, click Finish, and then click OK.

  5. In Microsoft Management Console, go to Certificates > Trusted Root Certification Authorities.

  6. Right-click Certificates, and select All Tasks > Import.

    Follow the instructions to import the certificate.

Both of these need to be imported to the server with the issue, and installed to the trusted root certification authorities store. Once you do this, the system should be able to install the agents.

Microsoft has a program called Microsoft Root Certificate Program to distribute root certificates to Windows clients and devices. Microsoft published the list of members of the Root Certification Program on TechNet. This list is updated as new certificates are added to the program.