automatically updates the local store with the necessary CAs. 2. Manual Certificate Installation
If the server must remain offline or Windows Update is not an option, you must manually import the missing certificates into the Windows Certificate Store.
A: Only if you use a fresh, updated Windows installation media. If you reinstall using the same outdated ISO from 2018, the root certificates will still be missing. automatically updates the local store with the necessary CAs
⚠️ Security risk – disables certificate validation for the installer.
Ensure time/date is within ±1 hour of actual UTC. A: Only if you use a fresh, updated
Last updated: October 2025. This guide applies to KEPServerEX versions 6.9 through 6.13. Always consult the official PTC Kepware documentation for version-specific notes.
If you are installing Kepware on an older OS (like Windows 7 or Windows Server 2008) that is no longer supported by Microsoft, the Trusted Root Store may be hopelessly outdated. Kepware updates its signing certificates periodically to meet current security standards, and old OS versions may not inherently trust the newer certificate authorities (CAs) used by PTC. Ensure time/date is within ±1 hour of actual UTC
Even if your machine has internet access, strict corporate firewalls may block the ports and URLs required for Windows to validate certificates. The machine thinks it is online, but the validation traffic is silently dropped.
By following the structured approach outlined in this guide—pre-check, manual import, offline updates, and OS patching—you will have KEPServerEX installed and communicating with your PLCs, RTUs, and IoT devices in no time.
Obtain the .cer or .crt file from a trusted source or the official Microsoft Update Catalog on a machine with internet access. Open the MMC Console: Press Win + R , type mmc , and hit Enter. Go to File > Add/Remove Snap-in .
