A certificate chain could not be built to a trusted root authority

Security Update for Microsoft .NET Framework 4.X (KB3135996 or KB3136000) may fail with the below error message: Installation failed with error code: (0x800B010A), "A certificate chain could not be built to a trusted root authority."

As per the install log:

C:\65760b35b9bcb98aad5de44ad83b\NDP45-KB3135996.msp Signature could not be verified for NDP45-KB3135996.msp
No FileHash provided. Cannot perform FileHash verification for NDP45-KB3135996.msp
File NDP45-KB3135996.msp (C:\65760b35b9bcb98aad5de44ad83b\NDP45-KB3135996.msp), failed authentication(Error = -2146762486). It is recommended that you delete this file and retry setup again.
Failed to verify and authenticate the file -C:\65760b35b9bcb98aad5de44ad83b\NDP45-KB3135996.msp
Please delete the file, C:\65760b35b9bcb98aad5de44ad83b\NDP45-KB3135996.msp and run the package again

According to the CAPI2 event messages inside the log:


                                                                                 <URL scheme="http">https://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt</URL>

                                                                                 <Object type="CONTEXT_OID_CERTIFICATE" constant="1"/>


                                                                                 <Flags value="286005" CRYPT_RETRIEVE_MULTIPLE_OBJECTS="true" CRYPT_WIRE_ONLY_RETRIEVAL="true" CRYPT_LDAP_SCOPE_BASE_ONLY_RETRIEVAL="true" CRYPT_OFFLINE_CHECK_RETRIEVAL="true" CRYPT_AIA_RETRIEVAL="true" CRYPT_PROXY_CACHE_RETRIEVAL="true"/>


                                                                                                      <Action name="NetworkRetrievalTimeout">

                                                                                                                          <Error value="5B4">This operation returned because the timeout period expired. </Error>



                                                                                 <EventAuxInfo ProcessName="Setup.exe"/>

                                                                                 <CorrelationAuxInfo TaskId="{98B7F5D9-09DF-4158-8662-72272FA6171C}" SeqNumber="9"/>

                                                                                 <Result value="5B4">This operation returned because the timeout period expired.</Result>


This issue occurs when this certificate MicRooCerAut2011_2011_03_22.cer is missing particularly when you operate in an environment that's disconnected from the Internet or that has a firewall that blocks content from the following URL: https://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en This behavior is due to recent changes to Microsoft Windows Enforcement of Authenticode Code Signing and Timestamping.

In order to resolve this issue, please try the below steps:

· Download the certificate https://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt  locally (Example: C:\Temp)
· You can use the certmgr.exe utility to add the certificate by using command line. For more information, see the Certmgr.exe (Certificate Manager Tool) topic at MSDN.
· Open an admin command prompt and run this command: certmgr.exe /add C:\Temp\MicRooCerAut2011_2011_03_22.cer /s /r localMachine root
· Next try installing the patch KB3135996 or KB3136000

Alternatively, you can download and install KB2813430 and then manage certificates individually: https://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en 

For more information, see the Configure trusted roots and disallowed certificates & Install a Root Certification Authority on offline machines topics at TechNet.