Troubleshooting CodeTwo certificate validation problems
You are unable to use or access key features of your CodeTwo product or even start the program itself. You receive one of the following messages:
Failed to verify application certificates on this machine.
The library is signed with an invalid certificate.
The program cannot access the CodeTwo licensing service or the program's SSL certificate cannot be verified.
The most probable cause of the problem is that your program is not up to date. The problem may also occur either because your machine cannot access the CodeTwo licensing service or because the program's SSL certificate cannot be verified. You may as well encounter this problem when changing an Internet Service Provider, as your DNS settings might still point out to the previous ISP's IP addresses. Use the links below to find solutions to all these problems:
- Update your CodeTwo product
- Allow access to the CodeTwo licensing service
- Enable the CodeTwo SSL certificate verification
- Change the DNS settings for your network adapter
- Manually install the intermediate certificate in a correct store
You also might try applying the solutions provided in this Knowledge Base article.
Using an outdated version of a program may be the primary cause of the problem. To check if your CodeTwo product is up to date, click the Check for updates link on the Dashboard, as shown in Fig. 1.
Once you complete the update, there shouldn’t be any problems with certificate validation, and your CodeTwo software should work as expected. If the software is up to date but you still encounter certificate-related issues, proceed with the next step.
Check the internet connection on the machine where your CodeTwo software is installed. If you're using both local and network-wide security systems like firewalls, proxies or other protection software, make sure to unlock access to the CodeTwo licensing service at the following URL:
Additionally, to be able to receive the CodeTwo SSL certificate, you also need to unlock access to the following endpoints (depending on the CodeTwo software you use):
CodeTwo Office 365 Migration & CodeTwo Exchange Migration
crl3.digicert.com crl4.digicert.com ocsp.digicert.com cacerts.digicert.com
Be use to unlock these endpoints over ports 80 (HTTP) and 443 (HTTPS).
Once the connection to the licensing service has been established, your CodeTwo software should work without any problems.
This problem applies to Windows 7 or Windows Server 2008 R2 only.
The expired Microsoft Certificate Trust List Publisher certificate is causing CAPI2 error 4107 that makes it impossible to verify any certificate. To fix this, you need to remove the expired certificate from the cache by following the steps below:
If you're using CodeTwo Backup, you first need to stop CodeTwo Backup Service before proceeding. To do so:
- Close the program, go to Control Panel > Administrative Tools > Services, and find CodeTwo Backup Service on the list of services (Fig. 2.).
- Right-click it and select Stop.
Once you've completed all the steps below, restart the service by right-clicking it in the Services window and selecting Start.
- Sign in to your Windows system as the local admin that uses CodeTwo software.
- Open Windows Command Prompt (Start > All Programs > Accessories > Command Prompt).
- Type the following command:
certutil -urlcache * deleteand press Enter.
- Go to the Windows directory (it’s usually located in C:\Windows but you can quickly find it by opening the Run dialog box and typing %windir%).
- Delete the contents of the following directories:
%windir%\ServiceProfiles\LocalService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content %windir%\ServiceProfiles\LocalService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData %windir%\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content %windir%\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData %windir%\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content %windir%\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
If you don't see these folders, you need to enable hidden folders first. To do so, go to Control Panel > Appearance and Personalization > Folder Options and, on the View tab, select the Show hidden files and folders checkbox and clear the Hide protected operating system files checkbox. Click OK to apply.
You should now be able to use your CodeTwo product without any problems.
Incorrect DNS settings may also prevent CodeTwo software from connecting to the licensing service. If, for example, you have recently changed your ISP, you should also update DNS records in case they are pointing to the old IP addresses. Contact your network administrator for the correct IP addresses or try using the IP addresses of third-party DNS providers like Google Public DNS or OpenDNS. To update DNS records:
- Go to Control Panel > Network and Sharing Center > Change adapter settings.
- Right-click your network adapter and select Properties.
- Select Internet Protocol Version 4 (TCP/IPv4) and once again click Properties.
- Select the Use the following DNS server addresses and either enter the IP addresses of your ISP or, for example:
- Google DNS:
- Google DNS:
- Click OK to save changes.
Once done, restart your computer. After doing so, your CodeTwo software should have no problems with obtaining the licensing information.
CodeTwo's SSL certificate cannot be validated if the GoDaddy/DigiCert intermediate certificate is missing from a certificate store on your machine. Normally, the required intermediate certificate is installed automatically with CodeTwo backup or migration software. However, in some rare scenarios, it might be required to install it manually. Follow the steps below to install right intermediate certificate in the correct store.
Different store location is used for CodeTwo migration software and different for CodeTwo Backup, as shown in step 5 below.
- Go to your CodeTwo program's installation folder. The default installation paths are:
CodeTwo Office 365 Migration
C:\Program Files (x86)\CodeTwo\Office 365 MigrationCodeTwo Exchange Migration
C:\Program Files (x86)\CodeTwo\Exchange MigrationCodeTwo Backup
C:\Program Files\CodeTwo\CodeTwo Backup\
- Find the C2.Licensing.PublicClient.dll file, right-click it and select Properties (Fig. 3.).
- Go to the Digital Signatures tab, double-click CodeTwo Sp. z o.o. Sp. k. on the list, and then click View Certificate in the window that opens, as shown in Fig. 4.
- Go to the Certification Path tab, double-click:
- DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1 (CodeTwo Backup, as shown in Fig. 5.)
- Go Daddy Secure Certificate Authority - G2 (CodeTwo Office 365 Migration or CodeTwo Exchange Migration),
and then click Install Certificate.
- In the Certificate Import Wizard, select:
- Current User if you're using CodeTwo Office 365 Migration or CodeTwo Exchange Migration (Fig. 6., item A),
- Local Machine if you're using CodeTwo Backup (Fig. 6., item B).
Don't make a mistake here. If you select a wrong location, you won't be able follow the same steps to install the certificate to a different store until you delete the certificate manually from the store.
- In the next step, choose Automatically select the certificate store based on the type of certificate, then click Next and Finish to install the certificate.
Once you are notified that the certificate was imported successfully, you should be able to use your CodeTwo product without any problems.
If this solution didn't work, go back to step 4 and install theroot certificate (DigiCert Trusted Root G4 or Go Daddy Root Certificate Authority - G2) the same way.