A certificate chain could not be built to a trusted root authority
Security Update for Microsoft .NET Framework 4.X (KB3135996 or KB3136000) may fail with the below error message: Installation failed with error code: (0x800B010A), "A certificate chain could not be built to a trusted root authority."
As per the install log:
C:\65760b35b9bcb98aad5de44ad83b\NDP45-KB3135996.msp Signature could not be verified for NDP45-KB3135996.msp
No FileHash provided. Cannot perform FileHash verification for NDP45-KB3135996.msp
File NDP45-KB3135996.msp (C:\65760b35b9bcb98aad5de44ad83b\NDP45-KB3135996.msp), failed authentication(Error = -2146762486). It is recommended that you delete this file and retry setup again.
Failed to verify and authenticate the file -C:\65760b35b9bcb98aad5de44ad83b\NDP45-KB3135996.msp
Please delete the file, C:\65760b35b9bcb98aad5de44ad83b\NDP45-KB3135996.msp and run the package again
According to the CAPI2 event messages inside the log:
<CryptRetrieveObjectByUrlWire>
<URL scheme="http">https://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt</URL>
<Object type="CONTEXT_OID_CERTIFICATE" constant="1"/>
<Timeout>PT15S</Timeout>
<Flags value="286005" CRYPT_RETRIEVE_MULTIPLE_OBJECTS="true" CRYPT_WIRE_ONLY_RETRIEVAL="true" CRYPT_LDAP_SCOPE_BASE_ONLY_RETRIEVAL="true" CRYPT_OFFLINE_CHECK_RETRIEVAL="true" CRYPT_AIA_RETRIEVAL="true" CRYPT_PROXY_CACHE_RETRIEVAL="true"/>
<AdditionalInfo>
<Action name="NetworkRetrievalTimeout">
<Error value="5B4">This operation returned because the timeout period expired. </Error>
</Action>
</AdditionalInfo>
<EventAuxInfo ProcessName="Setup.exe"/>
<CorrelationAuxInfo TaskId="{98B7F5D9-09DF-4158-8662-72272FA6171C}" SeqNumber="9"/>
<Result value="5B4">This operation returned because the timeout period expired.</Result>
</CryptRetrieveObjectByUrlWire>
This issue occurs when the certificate MicRooCerAut2011_2011_03_22.cer is missing, particularly when you operate in an environment that is disconnected from the Internet or that has a firewall that blocks content from the following URL: https://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
This behavior is due to recent changes to Microsoft Windows Enforcement of Authenticode Code Signing and Timestamping.
In order to resolve this issue, please try the below steps:
· Download the certificate https://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt to a local folder (example: C:\Temp)
· You can use the certmgr.exe utility to add the certificate from the command line. For more information, see the Certmgr.exe (Certificate Manager Tool) topic at MSDN.
· Open an admin command prompt and run this command: certmgr.exe /add C:\Temp\MicRooCerAut2011_2011_03_22.crt /s /r localMachine root
· Next, try installing the patch KB3135996 or KB3136000
Alternatively, you can download and install KB2813430 and then manage certificates individually: https://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
For more information, see the Configure trusted roots and disallowed certificates & Install a Root Certification Authority on offline machines topics at TechNet.
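Because the steps above add a certificate to the machine's Trusted Root store, it is worth checking the downloaded file before trusting it, especially when it reaches an offline machine on removable media. The following PowerShell script is an added example, not part of the original post: it checks the file and then adds it to the same store that the certmgr.exe command targets. The `$ExpectedThumbprint` parameter is an assumption of this example; the post does not list the thumbprint, so supply a value obtained from an independent, trusted source.

```powershell
# Added example (not from the original post): verify a root certificate
# file before adding it to the machine's Trusted Root store.
param(
    [string]$Path = 'C:\Temp\MicRooCerAut2011_2011_03_22.crt',
    # Assumption: thumbprint read from a trusted, independent source,
    # e.g. the same root in the store of an up-to-date, connected machine.
    [Parameter(Mandatory = $true)][string]$ExpectedThumbprint
)
$ErrorActionPreference = 'Stop'

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
# Normalise the pasted value: strip spaces, colons and hidden characters.
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

$problems = @()
if ($cert.Thumbprint -ne $expected) {
    $problems += "thumbprint is $($cert.Thumbprint), expected $expected"
}
# Name comparison only: a root certificate is issued to itself.
if ($cert.Subject -ne $cert.Issuer) {
    $problems += 'subject and issuer differ, so this is not a root certificate'
}
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    $problems += "outside validity period ($($cert.NotBefore) to $($cert.NotAfter))"
}
if ($problems.Count -gt 0) {
    throw "Refusing to trust ${Path}: $($problems -join '; ')"
}

# Same target as 'certmgr.exe ... /s /r localMachine root'; needs elevation.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", "LocalMachine")
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
try {
    $present = $store.Certificates | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    if ($present) {
        "Already trusted: $($cert.Subject)"
    } else {
        $store.Add($cert)
        "Added $($cert.Subject) [$($cert.Thumbprint)]"
    }
} finally {
    $store.Close()
}
```

Run it from an elevated PowerShell prompt; it uses only .NET classes, so it does not depend on the PKI module's Import-Certificate cmdlet.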
Comments
- Anonymous
April 20, 2016
The comment has been removed
- Anonymous
August 11, 2016
You made my day!!
- Anonymous
April 25, 2016
Worked perfectly.
- Anonymous
July 06, 2016
Thank you. The command above should read with a .crt instead of a .cer. "certmgr.exe /add C:\Temp\MicRooCerAut2011_2011_03_22.crt /s /r localMachine root"
- Anonymous
August 09, 2016
Works like a charm! Thank you!
- Anonymous
August 23, 2016
You can also extract the .exe and run the .msp. [patch.exe] /s /x /b '[export path]' /v '' /qn '' Then run the [export path].msp.
- Anonymous
October 31, 2016
It works. Thanks!
- Anonymous
December 17, 2016
Thank you, the solution is working perfectly.
- Anonymous
March 07, 2017
You have the extension wrong for the cert file!!!
- Anonymous
March 20, 2017
It was great to get here and at last it worked perfectly