| Cause | Explanation | |-------|-------------| | | A fresh installation of Windows (especially older builds like 2012 R2, 2016, or LTSC editions) lacks recent root certificate updates. | | Internet Restriction (Air-Gapped) | Kepware is often installed on industrial PCs or SCADA servers that are physically isolated from the internet. Automatic root certificate updates fail. | | Group Policy (GPO) | Corporate security policies have disabled automatic root certificate updates or removed untrusted certificates. | | Corrupt Certificate Store | The Windows certificate store is damaged. | | Time/Date Mismatch | The system clock or timezone is drastically incorrect. Certificate validity depends on accurate time. |
: If manual installation fails, PTC Kepware Support recommends opening a ticket through My Kepware to receive the specific certificate chain files required for your server version.
If the host system has disabled Windows Updates or runs an older OS image that lacks modern root certificates (such as updated VeriSign, DigiCert, or Sectigo roots), the validation process fails immediately.
Kepware, like most modern software, signs its installers with a secure digital certificate. The Windows operating system uses a "Trusted Root Certification Authorities" store to verify these signatures. If your machine is not updated, or if it is running in a locked-down environment (no internet access), it may not recognize the certificate authority used by Kepware, resulting in this failure. Step-by-Step Solutions to Fix Kepware Certificate Error | Cause | Explanation | |-------|-------------| | |
: If manual installation of root certificates does not work, it is recommended to open a support ticket at My Kepware for a remote session. PTC Community direct download links
For a visual interface to manage certificates, use the built-in Microsoft Management Console (MMC) snap-in.
An error return code of 0x65B explicitly confirms that the system's cryptographic functions cannot find a trusted certificate trail. Step-by-Step Solutions | | Group Policy (GPO) | Corporate security
Method 2: Manual Import via Microsoft Management Console (MMC)
To prevent this issue in the future, system administrators managing SCADA or HMI servers should:
: If the machine is offline, you must manually install the required root certificates (such as those from GlobalSign or VeriSign ). Certificate validity depends on accurate time
Modern PTC Kepware installation files are digitally signed to ensure authenticity and code integrity. The Windows CryptoAPI system validates these digital signatures against trusted root certificates stored locally on your machine.
