0X80096004

Fix TRUST_E_CERT_SIGNATURE (0x80096004) in 2 Minutes

Cybersecurity & Malware Beginner 👁 1 views 📅 May 26, 2026

That cert signature error usually means a corrupted or expired root certificate. Here's how to fix it without reinstalling Windows.

Quick Answer

Run certutil -generateSSTFromWU C:\temp\roots.sst from an admin command prompt, then import the file into Trusted Root Certification Authorities. That updates your root certs and kills the error.

Why You're Seeing This

This error pops up when Windows can't verify a certificate's signature. Usually happens because a root certificate expired or got corrupted. I've seen it most often on older Windows 10 builds—version 1809 was a pain—or after a failed Windows Update. Had a client whose entire print queue died because of this; their HP printer driver signed with an expired cert.

The real trigger: something changed your local certificate store. Could be a bad software install, a malware cleaner nuking the wrong certs, or just time. Root certs expire, and Windows doesn't always auto-renew them fast enough.

Fix Steps

  1. Run certutil as admin. Open Command Prompt as Administrator (right-click Start > Command Prompt (Admin) or Windows Terminal Admin). Paste this: 
    certutil -generateSSTFromWU C:\temp\roots.sst
    This downloads the latest root certificates from Microsoft's Windows Update server into a file.
    Note: If it fails, your system clock might be off. Check that first.
  2. Import the file. Open the Certificate Manager: press Win+R, type certmgr.msc, hit Enter. Expand Trusted Root Certification Authorities, right-click Certificates, choose All Tasks > Import. Browse to C:\temp\roots.sst, click Next, place it in Trusted Root CA, finish.
  3. Reboot—don't skip this. Windows needs to reload the store.
  4. Test the thing that was failing. If it's a website, hit F5. If it's software, relaunch it.

If That Doesn't Work

Alternative 1: Manually update via Microsoft Update Catalog

Go to Microsoft Update Catalog, search "root update". Download the latest KB for your OS (like KB931125 for Windows 10/11). Install it, reboot. This is the nuclear option but rarely needed.

Alternative 2: Check your system time

If the clock's off by more than a few minutes, certificates fail verification. Right-click the clock > Adjust date/time. Toggle "Set time automatically" off, then on again. Sync manually if needed. Restart.

Alternative 3: Reinstall the problematic software

Uninstall whatever's throwing the error. Reinstall it fresh—sometimes the installer's cert was bad, and a new download fixes it. I had a case with a VPN client where this was the only cure.

Prevention

Set Windows Update to automatic. Seriously. Most root cert updates come through patches. Also, never run those "certificate cleaner" tools you find on sketchy forums—they wreck your store. If you're paranoid, run certutil -store -silent once a month to spot expired certs before they bite you.

Was this solution helpful?

TRUST_E_CERT_SIGNATURE 0x80096004 certificate error fix Windows certificate corrupted root certificate expired update root certificates certutil fix Windows update certificate error code signing error trust error fix 0x80096004 Windows 10 0x80096004 Windows 11