This issue may occur due to missing digital certificates on the system where the error appears.
Microsoft Windows implements a mechanism that automatically downloads, over the internet, trusted root certificate authorities, which are not installed locally. On disconnected systems, or systems with restricted internet access, Windows may not be able to download these certificates.
COPA-DATA digitally signs all binary executables it delivers with its products, using Microsoft Authenticode. For this process a code signing certificate issued to "Ing. Punzenberger COPA-DATA GmbH" is used with a countersignature from a timestamping server.
Either from the certificate chain of the code signing certificate or from the certificate chain of the timestamping server, one or more certificates may not be available locally, to verify the digital signature.
In the Windows Event Log, for the event source "CAPI2" the event ID "4101" may be logged: "Failed auto update retrieval of third-party root certificate from: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/**". The log entry contains the thumbprint of the missing certificate.
Manually installing the missing certificate(s) on the system where the issue appears, should resolve the issue.
- On a Windows system with internet connectivity and all current Windows Updates installed, launch in a command prompt: "certutil -generateSSTFromWU c:\temp\rootstore.sst"
certutil now downloads from Windows Update the trusted root CA certificates into a serialized certificate store file. From this file (it opens on double click), the missing CA Root certificates can be installed on the target machine where the issue occurs.
Specifically the certificate "VeriSign Universal Root Certification Authority" with the thumbprint "3679ca35668772304d30a5fb873b0fa77bb70d54" may be missing. The .sst file may be used in domain joined environments to distribute the certificates through a GPO.
- Alternatively, call "certutil -syncwithwu c:\temp" to download the single files, which contains the "3679ca35668772304d30a5fb873b0fa77bb70d54.crt" that can be imported manually.
Downloading the single files, also includes "authrootstl.cab" containing the "authroot.stl" which can also be installed using certutil (using certutil -addstore -f root authroot.stl).
It is also possible for systems without an internet connection, to be configured to redirect to a local directory or network share, to verify missing certificates instead of attempting to download over the internet.
More information can be found
here.
In addition to adding missing trusted root CA certificates, it is recommended to keep also the revoked root CA certificates up to date.
It can also be that the issue is caused by another component used by the zenon Software Platform product(s).
Known affected Microsoft components:
VC ++ Runtime
.NET Framework 4.6.2
When trying to install these components the Typical Error message looks like this "A certificate chain could not be built to a trusted root authority."
Solution:
First Step (without Internet Connection):
Install the missing certificate MicRooCerAut2011_2011_03_22.crt
Second Step:
Install the following certificate in order:
Trusted Root Certification Authorities: Verisign G3.cer + Verisign G5.cer
Intermediate certification authorities: Symantech.cer
Trusted publisher: IngPunzenberger.cer
For more details about the certificates please get in contact with your local Support.