Partager via


A certificate chain could not be built to a trusted root authority

Security Update for Microsoft .NET Framework 4.X (KB3135996 or KB3136000) may fail with the below error message: Installation failed with error code: (0x800B010A), "A certificate chain could not be built to a trusted root authority."

As per the install log:

C:\65760b35b9bcb98aad5de44ad83b\NDP45-KB3135996.msp Signature could not be verified for NDP45-KB3135996.msp
No FileHash provided. Cannot perform FileHash verification for NDP45-KB3135996.msp
File NDP45-KB3135996.msp (C:\65760b35b9bcb98aad5de44ad83b\NDP45-KB3135996.msp), failed authentication(Error = -2146762486). It is recommended that you delete this file and retry setup again.
Failed to verify and authenticate the file -C:\65760b35b9bcb98aad5de44ad83b\NDP45-KB3135996.msp
Please delete the file, C:\65760b35b9bcb98aad5de44ad83b\NDP45-KB3135996.msp and run the package again

According to the CAPI2 event messages inside the log:

                                                             <CryptRetrieveObjectByUrlWire>

                                                                                 <URL scheme="http">https://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt</URL>

                                                                                 <Object type="CONTEXT_OID_CERTIFICATE" constant="1"/>

                                                                                 <Timeout>PT15S</Timeout>

                                                                                 <Flags value="286005" CRYPT_RETRIEVE_MULTIPLE_OBJECTS="true" CRYPT_WIRE_ONLY_RETRIEVAL="true" CRYPT_LDAP_SCOPE_BASE_ONLY_RETRIEVAL="true" CRYPT_OFFLINE_CHECK_RETRIEVAL="true" CRYPT_AIA_RETRIEVAL="true" CRYPT_PROXY_CACHE_RETRIEVAL="true"/>

                                                                                 <AdditionalInfo>

                                                                                                      <Action name="NetworkRetrievalTimeout">

                                                                                                                          <Error value="5B4">This operation returned because the timeout period expired. </Error>

                                                                                                      </Action>

                                                                                 </AdditionalInfo>

                                                                                 <EventAuxInfo ProcessName="Setup.exe"/>

                                                                                 <CorrelationAuxInfo TaskId="{98B7F5D9-09DF-4158-8662-72272FA6171C}" SeqNumber="9"/>

                                                                                 <Result value="5B4">This operation returned because the timeout period expired.</Result>

                                                </CryptRetrieveObjectByUrlWire>

This issue occurs when this certificate MicRooCerAut2011_2011_03_22.cer is missing particularly when you operate in an environment that's disconnected from the Internet or that has a firewall that blocks content from the following URL: https://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en This behavior is due to recent changes to Microsoft Windows Enforcement of Authenticode Code Signing and Timestamping.

In order to resolve this issue, please try the below steps:

· Download the certificate https://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt  locally (Example: C:\Temp)
· You can use the certmgr.exe utility to add the certificate by using command line. For more information, see the Certmgr.exe (Certificate Manager Tool) topic at MSDN.
· Open an admin command prompt and run this command: certmgr.exe /add C:\Temp\MicRooCerAut2011_2011_03_22.cer /s /r localMachine root
· Next try installing the patch KB3135996 or KB3136000

Alternatively, you can download and install KB2813430 and then manage certificates individually: https://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en 

For more information, see the Configure trusted roots and disallowed certificates & Install a Root Certification Authority on offline machines topics at TechNet.

Comments

  • Anonymous
    April 20, 2016
    The comment has been removed
    • Anonymous
      August 11, 2016
      You made my day!!
  • Anonymous
    April 25, 2016
    Worked perfectly.
  • Anonymous
    July 06, 2016
    Thank you. The command above should read with a .crt instead of a .cer. "certmgr.exe /add C:\Temp\MicRooCerAut2011_2011_03_22.crt /s /r localMachine root"
  • Anonymous
    August 09, 2016
    Works like a charm! Thank you!
  • Anonymous
    August 23, 2016
    You can also extract the .exe and run the .msp.[patch.exe] /s /x /b '[export path]' /v '' /qn ''Then run the [export path].msp.
  • Anonymous
    October 31, 2016
    it works. Thannks!@
  • Anonymous
    December 17, 2016
    Thank you for the solution is working perfectly.
  • Anonymous
    March 07, 2017
    You have the extension wrong for the cert file!!!
  • Anonymous
    March 20, 2017
    It was great to get here and at last it worked perfectly