When you open a PowerPoint file signed with an internal certificate, you may see an error saying PowerPoint cannot establish trust with the certificate. This happens because the certificate authority that issued the internal certificate is not listed in the Trusted Root Certification Authorities store on your computer. This article explains why the error occurs and provides the exact steps to install the missing root certificate so PowerPoint can verify the digital signature.
The error typically appears in the Message Bar with a yellow warning and the text: “This presentation contains a digital signature that cannot be verified.” If you click the File tab and inspect the signature details, you will see the specific message: “Cannot establish trust with the certificate.” The root cause is that your computer does not trust the issuing certificate authority, not that the file is corrupted or malicious.
You will learn how to export the root certificate from a trusted source, import it into the Windows certificate store, and verify that PowerPoint can now validate the signature. The fix applies to PowerPoint 2019, 2021, and Microsoft 365 on Windows 10 and Windows 11.
Key Takeaways: Fixing the PowerPoint Internal Certificate Trust Error
- Import the root certificate into Trusted Root Certification Authorities: This tells Windows to trust any certificate issued by that internal certificate authority.
- Use the Certificates snap-in (certlm.msc) to manage machine-level stores: The root certificate must be added to the local machine store, not the current user store, for all users to benefit.
- Verify the signature in PowerPoint after the import: Open the signed file, click File > Info > View Signatures, and confirm the status changes to “This digital signature is OK.”
Why PowerPoint Cannot Establish Trust With an Internal Certificate
Digital signatures in PowerPoint rely on a chain of trust. The certificate used to sign the file must chain back to a root certificate that is stored in the Trusted Root Certification Authorities store on your computer. Internal certificates are issued by an organization’s own certificate authority, such as Active Directory Certificate Services or an internal PKI. When the root certificate of that internal CA is not present in Windows’ trusted root store, PowerPoint cannot validate the chain and displays the trust error.
The error does not mean the file is unsafe. It means the signing certificate cannot be traced to a trusted root. In many organizations, the root certificate is distributed via Group Policy or manually installed. If you are on a machine that missed that deployment, or if you received the signed file from a partner organization, the root certificate will be missing.
Where the Root Certificate Must Be Installed
Windows maintains two primary certificate stores: the Current User store and the Local Machine store. For PowerPoint to trust the signature for all users on the computer, the root certificate must be placed in the Trusted Root Certification Authorities store under the Local Machine account. Installing it only in the Current User store will fix the error only for that user account.
Steps to Install the Missing Internal Root Certificate
You need two things: the root certificate file (usually a .cer or .crt file) and administrative access to the computer. If you do not have the root certificate file, obtain it from your IT department or export it from a computer that already trusts the internal CA.
Method 1: Import the Root Certificate Using the Certificates Snap-In
- Open the Certificates snap-in for the local machine
Press Windows + R, typecertlm.msc, and press Enter. Click Yes if the User Account Control prompt appears. - Navigate to the Trusted Root Certification Authorities folder
In the left pane, expand Trusted Root Certification Authorities, then select the Certificates subfolder. - Start the import wizard
Right-click the Certificates folder, choose All Tasks, then click Import. The Certificate Import Wizard opens. - Browse to the root certificate file
Click Next, then click Browse. Locate the .cer or .crt file you received from your IT department. Select it and click Open, then click Next. - Confirm the store location
Ensure Place all certificates in the following store is selected and the store shown is Trusted Root Certification Authorities. Click Next. - Complete the import
Click Finish. A dialog confirms the import was successful. Click OK.
Method 2: Import the Root Certificate Using PowerShell
If you prefer a command-line approach, use PowerShell with administrative privileges.
- Open PowerShell as administrator
Right-click the Start button and select Windows PowerShell (Admin) or Terminal (Admin). - Run the import command
Type the following command and press Enter. ReplaceC:\Path\To\Certificate.cerwith the actual file path:Import-Certificate -FilePath "C:\Path\To\Certificate.cer" -CertStoreLocation Cert:\LocalMachine\Root - Confirm the import
The output shows the thumbprint and the store location. If you see no errors, the certificate is installed.
If PowerPoint Still Shows the Trust Error After Importing the Root Certificate
PowerPoint still says the signature cannot be verified
The certificate may have expired, or the file may have been modified after signing. Check the signature details by clicking File > Info > View Signatures. Right-click the signature and choose Signature Details. Look at the Validity field. If it says Expired, ask the signer to renew the certificate and re-sign the file.
The root certificate was imported but PowerPoint still shows the error for a specific file
The file might contain a timestamp that references a root certificate that is still missing. Open the file on a computer that trusts the certificate and re-save it. This embeds a new timestamp that links to the trusted root you just installed.
You cannot import the certificate because the file is blocked
If the .cer file was downloaded from the internet, Windows may have blocked it. Right-click the file in File Explorer, choose Properties, and on the General tab, check the Unblock box if present. Click Apply and OK, then repeat the import steps.
Internal Certificate Trust Error: Before and After Fix
| Item | Before Fix | After Fix |
|---|---|---|
| Message Bar text | This presentation contains a digital signature that cannot be verified | No message bar warning |
| Signature status in File > Info | Cannot establish trust with the certificate | This digital signature is OK |
| Root certificate location | Missing from Trusted Root Certification Authorities | Present in Local Machine\Trusted Root Certification Authorities |
| User action required | Cannot open or edit the file without dismissing the warning | File opens with full trust; signature is valid |
After completing the steps above, close and reopen the PowerPoint file. The yellow Message Bar should no longer appear. To verify, click File > Info > View Signatures. The status should now read This digital signature is OK. If you manage multiple computers, consider deploying the root certificate via Group Policy to prevent the issue on other machines.