Why do all engines fail to update on a Windows server, and I see SSL handshake failed error?
Problem
All engines failed to update, and you see the errors and warnings in the Core log indicating that MD Core couldn’t download the metadescriptor file due to an SSL handshake failure. The error message states: 'The issuer certificate of a locally looked up certificate could not be found'
Example log entries:

Possible root cause
OPSWAT uses Amazon-issued certificates for both the Update server and the Activation server. If Amazon root certificates are not present in the server’s Trusted Root Certificate Store, or have been removed, SSL handshakes will fail and prevent updates from downloading.
Solution
Download and install the missing certificates
- Open a browser and go to
update.dl.opswat.com/404
. (You should see an “Access Denied” message - that’s expected) - Click on the padlock icon in the browser’s address bar > Click “Show certificate”
- In the certificate viewer windows, go to the “Details” tab
- Select the root certificate > click “Export” to download it

- Repeat the step #4 for the intermediate certificate and the server certificate
- Install all three certificates into the Trusted Root Certificate Store
Restart the server for the changes to take effect.
OPSWAT uses CDN (AWS Cloudfront) for both update and activation services to accelerate delivery globally.
Depending on your location, requests may be routed to different AWS CloudFront edge locations, each possibly using a different Amazon root certificate.
If Further Assistance is required, please proceed to log a support case or chatting with our support engineer.