Index: src/org/openstreetmap/josm/tools/PlatformHookWindows.java
===================================================================
--- src/org/openstreetmap/josm/tools/PlatformHookWindows.java	(revision 14430)
+++ src/org/openstreetmap/josm/tools/PlatformHookWindows.java	(working copy)
@@ -467,15 +467,22 @@
     @Override
     public X509Certificate getX509Certificate(NativeCertAmend certAmend)
             throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException {
-        // Make a web request to target site to force Windows to update if needed its trust root store from its certificate trust list
-        // A better, but a lot more complex method might be to get certificate list from Windows Registry with PowerShell
-        // using (Get-ItemProperty -Path 'HKLM:\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\AutoUpdate').EncodedCtl)
-        // then decode it using CertUtil -dump or calling CertCreateCTLContext API using JNI, and finally find and decode the certificate
-        Logging.trace(webRequest(certAmend.getWebSite()));
         // Get Windows Trust Root Store
         KeyStore ks = getRootKeystore();
+        Certificate result;
         // Search by alias (fast)
-        Certificate result = ks.getCertificate(certAmend.getWinAlias());
+        try {
+            result = ks.getCertificate(certAmend.getWinAlias());
+        } catch (Exception e) {
+            // Make a web request to target site to force Windows to update if needed its trust root store from its certificate trust list
+            // A better, but a lot more complex method might be to get certificate list from Windows Registry with PowerShell
+            // using (Get-ItemProperty -Path 'HKLM:\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\AutoUpdate').EncodedCtl)
+            // then decode it using CertUtil -dump or calling CertCreateCTLContext API using JNI, and finally find and decode the certificate
+            Logging.trace(webRequest(certAmend.getWebSite()));
+            // Search again by alias (fast)
+            result = ks.getCertificate(certAmend.getWinAlias());
+        }
+
         if (result instanceof X509Certificate) {
             return (X509Certificate) result;
         }
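Review bot: The fallback inside the new `catch (Exception e)` will not run in the case it is meant to cover, because `KeyStore.getCertificate` returns `null` for an unknown alias and throws `KeyStoreException` only when the keystore is uninitialised. A root certificate missing from the Windows store therefore never triggers the web request, and the broad catch also hides unrelated failures. Keep `Certificate result = ks.getCertificate(certAmend.getWinAlias());` as a plain statement and guard the fallback with `if (result == null) {` instead of `} catch (Exception e) {`. The `ks` instance was loaded before the request, so it may not see a certificate that Windows adds afterwards; reloading it with `getRootKeystore()` before the second lookup looks safer, but confirm this against the provider's behaviour. The method body continues past the end of this hunk.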
@@ -749,16 +756,17 @@
      */
     public static int getPowerShellVersion() {
         try {
-            return Integer.parseInt(Utils.execOutput(Arrays.asList(
-                    "powershell", "-Command", "$PSVersionTable.PSVersion.Major"), 2, TimeUnit.SECONDS));
-        } catch (ExecutionException e) {
-            // PowerShell 2.0 (included in Windows 7) does not even support this
-            Logging.debug(e);
-            return -1;
-        } catch (NumberFormatException | IOException | InterruptedException e) {
+            String version = WinRegistry.readString(HKEY_LOCAL_MACHINE, "SOFTWARE\\Microsoft\\Powershell\\3\\PowershellEngine", "PowershellVersion");
+            if (version != null) {
+                Matcher m = Pattern.compile("(\\d+)\\.(\\d+)(\\.\\d+.*)?").matcher(version);
+                if (m.matches()) {
+                    return Integer.parseInt(m.group(1));
+                }
+            }
+        } catch (IllegalAccessException | InvocationTargetException | NumberFormatException e) {
             Logging.error(e);
-            return -1;
         }
+        return -1;
     }
 
     /**
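Review bot: `getPowerShellVersion()` now reads only the `Powershell\3\PowershellEngine` key, so an older engine, a missing PowerShell and a failed registry read all come back as -1, and the Javadoc above this hunk should say so, e.g. `@return the major PowerShell version read from the registry, or -1 if it is older than 3, absent or unreadable`. The `IllegalAccessException | InvocationTargetException` catch suggests that `WinRegistry.readString` works through reflection; if so, an unchecked exception raised by that access would escape the method instead of yielding -1, which is worth confirming in `WinRegistry`. The pattern is also recompiled on every call and could be hoisted into a `private static final Pattern` constant.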
@@ -769,7 +777,7 @@
      * @throws IOException if any I/O error occurs
      * @since 13458
      */
-    public static String webRequest(String uri) throws IOException {
+    public String webRequest(String uri) throws IOException {
         // With PS 6.0 (not yet released in Windows) we could simply use:
         // Invoke-WebRequest -SSlProtocol Tsl12 $uri
         // .NET framework < 4.5 does not support TLS 1.2 (https://stackoverflow.com/a/43240673/2257172)
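Review bot: Removing `static` from the public `webRequest(String)` is an incompatible change for any caller written as `PlatformHookWindows.webRequest(...)`, and the Javadoc still carries only `@since 13458`. Record the change there, for example `@since <revision> (non-static)`, with the placeholder replaced by the committing revision. Nothing in the visible lines reads instance state, so the reason for the change (presumably to allow overriding in tests) deserves a sentence in the Javadoc as well. The method body lies outside this hunk.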
