Knowledge Base

Troubleshooting CodeTwo certificate validation problems

Problem:

You are unable to use or access key features of your CodeTwo product or even start the program itself. You receive one of the following messages:

Failed to verify application certificates on this machine.

or

The library is signed with an invalid certificate.

or

The program cannot access the CodeTwo licensing service or the program's SSL certificate cannot be verified.

Solution:

The most probable cause of the problem is that your program is not up to date. The problem may also occur either because your machine cannot access the CodeTwo licensing service or because the program's SSL certificate cannot be verified. You may also encounter this problem after changing your Internet Service Provider, as your DNS settings might still point to the previous ISP's IP addresses. Use the links below to find solutions to all these problems:

Important

You also might try applying the solutions provided in this Knowledge Base article.

Updating your CodeTwo product

Using an outdated version of a program may be the primary cause of the problem. To check if your CodeTwo product is up to date, click the Check for updates link on the Dashboard, as shown in Fig. 1.

Fig. 1. The Check for updates link in CodeTwo Office 365 Migration.

If it’s not up to date, you will be provided with a link to download the latest version of your product. Use the links below to learn more about updating:

Once you complete the update, there shouldn’t be any problems with certificate validation, and your CodeTwo software should work as expected. If the software is up to date but you still encounter certificate-related issues, proceed with the next step.

Allowing access to the CodeTwo licensing service

Check the internet connection on the machine where your CodeTwo software is installed. If you're using both local and network-wide security systems like firewalls, proxies or other protection software, make sure to unlock access to the CodeTwo licensing service at the following URL:

https://licensing2.codetwo.com/public

Additionally, to be able to receive the CodeTwo SSL certificate, you also need to unlock access to the following endpoints (depending on the CodeTwo software you use):

CodeTwo Office 365 Migration & CodeTwo Exchange Migration

ocsp.godaddy.com
crl.godaddy.com

CodeTwo Backup

crl3.digicert.com
crl4.digicert.com
ocsp.digicert.com
cacerts.digicert.com

Be sure to unlock these endpoints over ports 80 (HTTP) and 443 (HTTPS).

Once the connection to the licensing service has been established, your CodeTwo software should work without any problems.
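The following PowerShell check is an added example, not part of CodeTwo's tooling: it resolves each host listed above and tries a direct TCP connection on the required ports, so that a DNS failure can be told apart from a blocked port. The function name Test-TcpPort and the 3-second timeout are assumptions of this example; only .NET classes available on older Windows versions are used.

```powershell
# Added example, not CodeTwo code. Host names and ports are taken from the list above.
# A direct socket test bypasses any system proxy, so "open" only proves direct reachability.
$targets = @(
    @{ Product = 'All products';        Name = 'licensing2.codetwo.com'; Ports = @(443) },
    @{ Product = 'Migration (GoDaddy)'; Name = 'ocsp.godaddy.com';       Ports = @(80, 443) },
    @{ Product = 'Migration (GoDaddy)'; Name = 'crl.godaddy.com';        Ports = @(80, 443) },
    @{ Product = 'Backup (DigiCert)';   Name = 'crl3.digicert.com';      Ports = @(80, 443) },
    @{ Product = 'Backup (DigiCert)';   Name = 'crl4.digicert.com';      Ports = @(80, 443) },
    @{ Product = 'Backup (DigiCert)';   Name = 'ocsp.digicert.com';      Ports = @(80, 443) },
    @{ Product = 'Backup (DigiCert)';   Name = 'cacerts.digicert.com';   Ports = @(80, 443) }
)

function Test-TcpPort {
    param([string]$Address, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($Address, $Port, $null, $null)
        # No answer within the timeout usually means a firewall silently drops the traffic.
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return 'timeout' }
        $client.EndConnect($pending)
        return 'open'
    } catch {
        return 'refused or reset'
    } finally {
        $client.Close()
    }
}

$results = foreach ($t in $targets) {
    try {
        $ips = [System.Net.Dns]::GetHostAddresses($t.Name) | ForEach-Object { $_.IPAddressToString }
    } catch {
        # Name resolution failed: fix the DNS settings before looking at firewall rules.
        New-Object PSObject -Property @{ Product = $t.Product; Host = $t.Name; Port = '-'; Result = 'DNS lookup failed' }
        continue
    }
    foreach ($port in $t.Ports) {
        New-Object PSObject -Property @{
            Product  = $t.Product; Host = $t.Name; Port = $port
            Result   = Test-TcpPort -Address $t.Name -Port $port
            Resolved = ($ips -join ', ')
        }
    }
}
$results | Format-Table Product, Host, Port, Result, Resolved -AutoSize
```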

Enabling the CodeTwo SSL certificate verification

Important

This problem applies to Windows 7 or Windows Server 2008 R2 only.

The expired Microsoft Certificate Trust List Publisher certificate causes CAPI2 error 4107, which makes it impossible to verify any certificate. To fix this, remove the expired certificate from the cache by following the steps below:

Additional steps for CodeTwo Backup

If you're using CodeTwo Backup, you first need to stop CodeTwo Backup Service before proceeding. To do so:

  • Close the program, go to Control Panel > Administrative Tools > Services, and find CodeTwo Backup Service on the list of services (Fig. 2.).

Fig. 2. Locating CodeTwo Backup Service.

  • Right-click it and select Stop.

Once you've completed all the steps below, restart the service by right-clicking it in the Services window and selecting Start.

  1. Sign in to your Windows system as the local admin that uses CodeTwo software.
  2. Open Windows Command Prompt (Start > All Programs > Accessories > Command Prompt).
  3. Type the following command:
    certutil -urlcache * delete
    and press Enter.
  4. Go to the Windows directory (it’s usually located in C:\Windows but you can quickly find it by opening the Run dialog box and typing %windir%).
  5. Delete the contents of the following directories:
    %windir%\ServiceProfiles\LocalService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content
    %windir%\ServiceProfiles\LocalService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
    %windir%\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content
    %windir%\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
    %windir%\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content
    %windir%\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData

    Important

    If you don't see these folders, you need to enable hidden folders first. To do so, go to Control Panel > Appearance and Personalization > Folder Options and, on the View tab, select the Show hidden files and folders checkbox and clear the Hide protected operating system files checkbox. Click OK to apply.

You should now be able to use your CodeTwo product without any problems. 
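Steps 3 and 5, together with stopping and restarting CodeTwo Backup Service, can be scripted as in this added example (not CodeTwo's own script). It assumes an elevated 64-bit PowerShell session and that event 4107 is written to the Application log by a CAPI2 provider.

```powershell
# Added example, not CodeTwo code. Run in an elevated 64-bit PowerShell session
# (a 32-bit session is redirected from System32 to SysWOW64 and misses the systemprofile cache).
$me = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated prompt.'
}

# Evidence first: count recent event 4107 entries (log and provider filter are assumptions).
$since = (Get-Date).AddDays(-7)
$hits = @(Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 4107; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like '*CAPI2*' })
"CAPI2 4107 events in the last 7 days: $($hits.Count)"

# CodeTwo Backup only: stop the service by the display name shown in the Services window.
$svc = Get-Service -DisplayName 'CodeTwo Backup Service' -ErrorAction SilentlyContinue
$restart = $svc -and $svc.Status -eq 'Running'
if ($restart) { Stop-Service -InputObject $svc }

# Step 3: clear the URL cache of the signed-in user.
certutil.exe -urlcache '*' delete | Out-Null

# Step 5: empty the Content and MetaData folders of the three service profiles.
$roots = 'ServiceProfiles\LocalService', 'ServiceProfiles\NetworkService', 'System32\config\systemprofile'
foreach ($root in $roots) {
    foreach ($leaf in 'Content', 'MetaData') {
        $dir = Join-Path $env:windir "$root\AppData\LocalLow\Microsoft\CryptnetUrlCache\$leaf"
        if (-not (Test-Path -LiteralPath $dir)) { "skip (not found): $dir"; continue }
        $items = @(Get-ChildItem -LiteralPath $dir -Force)   # -Force includes hidden files
        $items | Remove-Item -Force -Recurse -ErrorAction Continue
        $left = @(Get-ChildItem -LiteralPath $dir -Force).Count
        "{0}: {1} item(s) found, {2} remaining" -f $dir, $items.Count, $left
    }
}

# Restart the service only if this script stopped it.
if ($restart) { Start-Service -InputObject $svc }
```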

Changing the DNS settings for your network adapter 

Incorrect DNS settings may also prevent CodeTwo software from connecting to the licensing service. If, for example, you have recently changed your ISP, you should also update DNS records in case they are pointing to the old IP addresses. Contact your network administrator for the correct IP addresses or try using the IP addresses of third-party DNS providers like Google Public DNS or OpenDNS. To update DNS records:

  1. Go to Control Panel > Network and Sharing Center > Change adapter settings.
  2. Right-click your network adapter and select Properties.
  3. Select Internet Protocol Version 4 (TCP/IPv4) and once again click Properties.
  4. Select the Use the following DNS server addresses option and either enter the IP addresses of your ISP or, for example:
    • Google DNS:
      primary: 8.8.8.8
      secondary: 8.8.4.4
    • OpenDNS:
      primary: 208.67.222.222
      secondary: 208.67.220.220
  5. Click OK to save changes.

Once done, restart your computer. After doing so, your CodeTwo software should have no problems with obtaining the licensing information.

Manually installing the intermediate certificate in the correct store

CodeTwo's SSL certificate cannot be validated if the GoDaddy/DigiCert intermediate certificate is missing from a certificate store on your machine. Normally, the required intermediate certificate is installed automatically with CodeTwo backup or migration software. However, in some rare scenarios, it might be necessary to install it manually. Follow the steps below to install the right intermediate certificate in the correct store.

Warning

CodeTwo migration software and CodeTwo Backup use different store locations, as shown in step 5 below.

  1. Go to your CodeTwo program's installation folder. The default installation paths are:
    CodeTwo Office 365 Migration 
    C:\Program Files (x86)\CodeTwo\Office 365 Migration
    CodeTwo Exchange Migration 
    C:\Program Files (x86)\CodeTwo\Exchange Migration
    CodeTwo Backup
    C:\Program Files\CodeTwo\CodeTwo Backup\
  2. Find the C2.Licensing.PublicClient.dll file, right-click it and select Properties (Fig. 3.).

Fig. 3. Showing the properties of the C2.Licensing.PublicClient.dll file.

  3. Go to the Digital Signatures tab, double-click CodeTwo Sp. z o.o. Sp. k. on the list, and then click View Certificate in the window that opens, as shown in Fig. 4.

Fig. 4. Accessing the CodeTwo certificate.

  4. Go to the Certification Path tab, double-click:
    • DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1 (CodeTwo Backup, as shown in Fig. 5.)
    • Go Daddy Secure Certificate Authority - G2 (CodeTwo Office 365 Migration or CodeTwo Exchange Migration),
    and then click Install Certificate.

Fig. 5. Installing intermediate certificate.

  5. In the Certificate Import Wizard, select:
    • Current User if you're using CodeTwo Office 365 Migration or CodeTwo Exchange Migration (Fig. 6., item A),
    • Local Machine if you're using CodeTwo Backup (Fig. 6., item B).

    Warning

    Don't make a mistake here. If you select the wrong location, you won't be able to follow the same steps to install the certificate to a different store until you delete the certificate manually from the store.

Fig. 6. Selecting the right certificate store for your CodeTwo product.

  6. In the next step, choose Automatically select the certificate store based on the type of certificate, then click Next and Finish to install the certificate.

Once you are notified that the certificate was imported successfully, you should be able to use your CodeTwo product without any problems.

If this solution didn't work, go back to step 4 and install the root certificate (DigiCert Trusted Root G4 or Go Daddy Root Certificate Authority - G2) the same way.
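Before or after running the wizard, this added read-only example (not CodeTwo code) reports in which store location the intermediate and root certificates named above are present and whether the signature chain of C2.Licensing.PublicClient.dll builds. The $product switch, the Find-Cert helper, and the mapping of the wizard's automatic selection to the CA and Root stores are assumptions of this example.

```powershell
# Added example, read-only. Certificate names and default paths come from the steps above.
$product = 'Backup'   # assumption: set to 'Backup' or 'Migration' for this machine
$known = @{
    Backup = @{
        Dll = 'C:\Program Files\CodeTwo\CodeTwo Backup\C2.Licensing.PublicClient.dll'
        Intermediate = 'DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1'
        Root = 'DigiCert Trusted Root G4'; Location = 'LocalMachine' }
    Migration = @{
        Dll = 'C:\Program Files (x86)\CodeTwo\Office 365 Migration\C2.Licensing.PublicClient.dll'
        Intermediate = 'Go Daddy Secure Certificate Authority - G2'
        Root = 'Go Daddy Root Certificate Authority - G2'; Location = 'CurrentUser' }
}
$e = $known[$product]
$simple = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName

function Find-Cert([string]$Location, [string]$Store, [string]$CommonName) {
    # Match on the subject's common name, as displayed on the Certification Path tab.
    @(Get-ChildItem "Cert:\$Location\$Store" | Where-Object { $_.GetNameInfo($simple, $false) -eq $CommonName })
}

# A hit under CurrentUser can also be a certificate inherited from LocalMachine.
foreach ($loc in 'CurrentUser', 'LocalMachine') {
    $tag = if ($loc -eq $e.Location) { 'location this product needs' } else { 'other location' }
    foreach ($pair in @('CA', $e.Intermediate), @('Root', $e.Root)) {
        $hits = @(Find-Cert $loc $pair[0] $pair[1])
        $state = if ($hits.Count) { 'present, expires ' + $hits[0].NotAfter.ToString('yyyy-MM-dd') } else { 'MISSING' }
        "{0}\{1} ({2}): {3} -> {4}" -f $loc, $pair[0], $tag, $pair[1], $state
    }
}

if (Test-Path -LiteralPath $e.Dll) {
    $sig = Get-AuthenticodeSignature -FilePath $e.Dll
    "Authenticode status: $($sig.Status)"
    # X509Chain ignores the signature timestamp, so an expired signer certificate
    # reports NotTimeValid here even when the Authenticode status is Valid.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if ($sig.SignerCertificate) {
        "Chain builds: $($chain.Build($sig.SignerCertificate))"
        foreach ($el in $chain.ChainElements) { '  ' + $el.Certificate.GetNameInfo($simple, $false) }
        foreach ($st in $chain.ChainStatus) { "  chain status: $($st.Status)" }
    }
} else { "Not found (non-default install path?): $($e.Dll)" }
```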
