Root Certificate Error

Problem

The patch deployment fails because of an untrusted root certificate. The error message reads: "A certificate chain processed, but terminated in a root certificate."

Cause

An untrusted root certificate issue occurs when the certificate used to sign a patch is not recognized as trustworthy by the system attempting to install it. This can prevent the patch from being deployed successfully.

Resolution

  • Avoid distributing the root CA certificate using GPO. GPO might deliver the root CA certificate to the client through the policy registry location (such as HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates).
  • Store the root CA certificate in a different, physical root CA certificate store instead. This should resolve the problem.
  • As an alternative, use the certutil command-line tool to add the CA certificate stored in the rootca.cer file:
      certutil -addstore root c:\tmp\rootca.cer
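
To confirm which case applies on a client, the following read-only check reports whether the root CA certificate sits in the Group Policy registry location or in the physical machine store. It is an added example, not part of the original article or the vendor's tooling. It assumes the certificate file is at the article's c:\tmp\rootca.cer path and that the physical store is at the standard Windows location HKLM:\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates, which the article does not state.

```powershell
# Added example: report where the root CA certificate is stored on this machine.
param(
    [string]$CertPath = 'c:\tmp\rootca.cer'   # path from the article's certutil command
)

$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
$thumb = $cert.Thumbprint   # registry subkeys under ...\Certificates are named by thumbprint

# A root CA certificate is self-signed; warn if the file is something else.
if ($cert.Subject -ne $cert.Issuer) {
    Write-Warning "Subject and issuer differ; $CertPath may not be a root CA certificate."
}

# Cert:\LocalMachine\Root is a merged (logical) view, so the registry is checked
# directly to tell the two locations apart.
$locations = [ordered]@{
    'GroupPolicy' = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates'
    'Physical'    = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates'  # assumed standard path
}

$found = [ordered]@{}
foreach ($name in $locations.Keys) {
    $found[$name] = Test-Path -LiteralPath (Join-Path $locations[$name] $thumb)
    '{0,-12} {1,-6} {2}' -f $name, $found[$name], $locations[$name]
}

if ($found['Physical']) {
    "Thumbprint $thumb is present in the physical root store."
}
elseif ($found['GroupPolicy']) {
    "Thumbprint $thumb is delivered only through the GPO registry location described above."
}
else {
    "Thumbprint $thumb is not present in either location."
}
```

Run it from an elevated PowerShell prompt before and after the certutil command to see the certificate appear in the physical store.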

For alternative resolution methods, please refer to this document.

If the issue persists even after following the above-mentioned resolutions, please feel free to contact support.