Troubleshooting CodeTwo certificate validation problems

Problem:

You are unable to use or access key features of your CodeTwo product, or even start the program itself. You receive one of the following messages:

Failed to verify application certificates on this machine.

or

The library is signed with an invalid certificate.

or

The program cannot access the CodeTwo licensing service or the program's SSL certificate cannot be verified.

Solution:

The most probable cause of the problem is that your program is not up to date. The problem may also occur either because your machine cannot access the CodeTwo licensing service or because the program's SSL certificate cannot be verified. You may as well encounter this problem when changing an Internet Service Provider, as your DNS settings might still point out to the previous ISP's IP addresses. Use the links below to find solutions to all these problems:

• Update your CodeTwo product
• Allow access to the CodeTwo licensing service
• Enable the CodeTwo SSL certificate verification 
• Change the DNS settings for your network adapter
• Manually install the intermediate certificate in a correct store

Updating your CodeTwo product

Using an outdated version of a program may be the primary cause of the problem. To check if your CodeTwo product is up to date, follow the steps below:

• In CodeTwo Backup, CodeTwo Office 365 Migration, or CodeTwo Exchange Migration, click the Check for updates link on the Dashboard, as shown in Fig. 1.

Fig. 1. The Check for updates link in CodeTwo Office 365 Migration.

• In CodeTwo Email Signatures On-prem, click Help > Check for updates, as shown in Fig. 2.

Fig. 2. The Check for updates option in CodeTwo Email Signatures On-prem.

If the program version is not up to date, you will be provided with a link to download the latest version of your product. Use the links below to learn more about updating:

• CodeTwo Exchange Migration
• CodeTwo Office 365 Migration
• CodeTwo Backup

Once you complete the update, there shouldn’t be any problems with certificate validation, and your CodeTwo software should work as expected. However, if the software is up to date but you still encounter certificate-related issues, proceed with the next step(s).

Allowing access to the CodeTwo licensing service

Check the internet connection on the machine where your CodeTwo software is installed. If you're using both local and network-wide security systems like firewalls, proxies, or other protection software, make sure to unlock access to the CodeTwo licensing service at the following URL:

https://licensing2.codetwo.com/public

Additionally, to be able to receive the CodeTwo SSL certificate, you also need to unlock access to the following endpoints (depending on the CodeTwo software you use):

CodeTwo Office 365 Migration & CodeTwo Exchange Migration

ocsp.godaddy.com
crl.godaddy.com

CodeTwo Backup & CodeTwo Email Signatures On-prem

crl3.digicert.com
crl4.digicert.com
ocsp.digicert.com
cacerts.digicert.com

Be sure to unlock these endpoints over ports 80 (HTTP) and 443 (HTTPS).

Once the connection to the licensing service has been established, your CodeTwo software should work without any problems.

Enabling the CodeTwo SSL certificate verification

The expired Microsoft Certificate Trust List Publisher certificate is causing CAPI2 error 4107 that makes it impossible to verify any certificate. To fix this, you need to remove the expired certificate from the cache by following the steps below: 

1. Sign in to your Windows system as the local admin that uses CodeTwo software.
2. Open Windows Command Prompt (Start > All Programs > Accessories > Command Prompt).
3. Type the following command:

   certutil -urlcache * delete

   and press Enter.
4. Go to the Windows directory (it’s usually located in C:\Windows but you can quickly find it by opening the Run dialog box and typing %windir%).
5. Delete the contents of the following directories:

   %windir%\ServiceProfiles\LocalService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content
   %windir%\ServiceProfiles\LocalService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
   %windir%\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content
   %windir%\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
   %windir%\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content
   %windir%\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData

   Important

   If you don't see these folders, you need to enable hidden folders first. To do so, go to Control Panel > Appearance and Personalization > Folder Options/File Explorer Options and, on the View tab, select the Show hidden files and folders or Show hidden files, folders, and drives checkbox and clear the Hide protected operating system files checkbox. Click OK to apply.

If you’re using CodeTwo Backup or CodeTwo Email Signatures On-prem, remember to restart the relevant service in the Services window (see Fig. 3. and Fig. 4. above). 

You should now be able to use your CodeTwo product without any problems. 

Changing the DNS settings for your network adapter 

Incorrect DNS settings may also prevent CodeTwo software from connecting to the licensing service. If, for example, you have recently changed your ISP, you should also update DNS records in case they are pointing to the old IP addresses. For this purpose, contact your network administrator for the correct IP addresses or try using the IP addresses of third-party DNS providers like Google Public DNS or OpenDNS. To update DNS records:

1. Go to Control Panel > (Network and Internet) > Network and Sharing Center > Change adapter settings.
2. Right-click your network adapter and select Properties.
3. Select Internet Protocol Version 4 (TCP/IPv4) and once again click Properties.
4. Select the Use the following DNS server addresses option and either enter the IP addresses of your ISP or, for example:
   • Google DNS:
     primary: 8.8.8.8
     secondary: 8.8.4.4
   • OpenDNS:
     primary: 208.67.222.222
     secondary: 208.67.220.220
5. Click OK to save changes.

Once done, restart your computer. After doing so, your CodeTwo software should have no problems with obtaining the licensing information.

Manually installing the intermediate certificate in the correct store

CodeTwo's SSL certificate cannot be validated if the GoDaddy/DigiCert intermediate certificate is missing from a certificate store on your machine. Usually, the required intermediate certificate is installed automatically with CodeTwo backup or migration software. However, in some rare scenarios, it might be required to install it manually. Follow the steps below to install the right intermediate certificate in the correct store.

1. Go to your CodeTwo program's installation folder. The default installation paths are:
   CodeTwo Office 365 Migration 

   C:\Program Files (x86)\CodeTwo\Office 365 Migration

   CodeTwo Exchange Migration 

   C:\Program Files (x86)\CodeTwo\Exchange Migration

   CodeTwo Backup

   C:\Program Files\CodeTwo\CodeTwo Backup

   CodeTwo Email Signatures On-prem 

   C:\Program Files\CodeTwo\CodeTwo Email Signatures On-prem

2. Find the C2.Licensing.PublicClient.dll file, right-click it and select Properties (Fig. 5.).

Fig. 5. Showing the properties of the C2.Licensing.PublicClient.dll file.

3. Go to the Digital Signatures tab, double-click CodeTwo Sp. z o.o. Sp. k. on the list, and then click View Certificate in the window that opens, as shown in Fig. 6.

Fig. 6. Accessing the CodeTwo certificate.

4. Go to the Certification Path tab, double-click:
   • DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1 (CodeTwo Backup or CodeTwo Email Signatures On-prem, as shown in Fig. 7.)
   • Go Daddy Secure Certificate Authority - G2 (CodeTwo Office 365 Migration or CodeTwo Exchange Migration),
   and then click Install Certificate.

Fig. 7. Installing the intermediate certificate.

5. In the Certificate Import Wizard, select:
   • Current User if you're using CodeTwo Office 365 Migration or CodeTwo Exchange Migration (Fig. 8., item A),
   • Local Machine if you're using CodeTwo Backup (Fig. 8., item B).

   Warning

   Don't make a mistake here. If you select a wrong location, you won't be able follow the same steps to install the certificate in a different store until you delete the certificate manually from the store. 

Fig. 8. Selecting the right certificate store for your CodeTwo product.

6. In the next step, choose Automatically select the certificate store based on the type of certificate, then click Next and Finish to install the certificate. 

Once you are notified that the certificate was imported successfully, you should be able to use your CodeTwo product without any problems.

If this solution didn't work, go back to step 4 and install the root certificate (DigiCert Trusted Root G4 or Go Daddy Root Certificate Authority - G2) in the same way.