How to resolve Exchange 2010 error message: The Certificate Status could not be determined because the revocation check failed

September 20, 2011

One of the following errors may appear in the Exchange 2010 Management Console:

"Exchange 2010 Certificate Revocation Checks and Proxy Settings" or "The Certificate Status could not be determined because the revocation check failed"

Cause:

1. You may be using a proxy server that blocks access to the CRL.

2. The CRL isn’t available.

How to Debug this issue:

Obtain any (current) certificate from the Certificate Authority and run the following command:

certutil -verify -urlfetch C:\CertificateName.cer >Log.txt

The log usually reveals the problem, for example error messages about an expired CRL or an unreachable (offline) CA.
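As an added example (not part of the original post), the following PowerShell script tests the individual CRL Distribution Point URLs of a certificate the same way the certutil log does, but reports each URL separately: whether it can be downloaded, and whether the CRL it returns has already passed its NextUpdate time. It assumes the certificate path from the post (C:\CertificateName.cer) and that certutil.exe is available, which it is on any Windows server. The System.Net.WebClient download uses the current user's WinINET proxy, while certutil and the certificate services use the WinHTTP proxy; a URL that downloads here but fails in the certutil log therefore points at the WinHTTP proxy settings covered under Resolutions.

```powershell
# Added example, not code from the original post.
# Assumption: $CertPath is an exported certificate from the CA (DER or Base64 .cer).
param(
    [string]$CertPath = "C:\CertificateName.cer"
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# OID 2.5.29.31 is the CRL Distribution Points extension; Format($true) renders it as
# text containing one "URL=..." line per distribution point (http, ldap or file).
$cdpExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdpExt) {
    Write-Warning "Certificate has no CRL Distribution Points extension"
    return
}
$urls = [regex]::Matches($cdpExt.Format($true), 'URL=([^\r\n]+)') |
    ForEach-Object { $_.Groups[1].Value.Trim() }

$tmp = Join-Path $env:TEMP 'cdp-check.crl'
foreach ($url in $urls) {
    if ($url -notmatch '^https?://') {
        # LDAP and file share paths depend on AD / NTFS permissions; check those by hand.
        Write-Host "SKIP    $url (not HTTP; verify share or LDAP access manually)"
        continue
    }
    try {
        # WebClient works on PowerShell 2.0 (Server 2008 R2) and follows the user's WinINET proxy.
        (New-Object System.Net.WebClient).DownloadFile($url, $tmp)
    } catch {
        Write-Host "FAIL    $url -> $($_.Exception.Message)"
        continue
    }

    # certutil -dump on a CRL prints a "NextUpdate:" line; a date in the past is the
    # classic symptom of an offline Root CA whose CRL was never re-published.
    $dump = certutil -dump $tmp 2>&1 | Out-String
    if ($dump -notmatch 'NextUpdate:\s*([^\r\n]+)') {
        Write-Host "FAIL    $url downloaded, but certutil cannot parse it as a CRL"
        continue
    }
    $nextText = $Matches[1].Trim()
    $next = Get-Date
    if (-not [datetime]::TryParse($nextText, [ref]$next)) {
        Write-Host "CHECK   $url (could not parse NextUpdate '$nextText')"
    } elseif ($next -lt (Get-Date)) {
        Write-Host "EXPIRED $url (NextUpdate $next)"
    } else {
        Write-Host "OK      $url (valid until $next)"
    }
}
```

Run it once for the Exchange certificate and once for the issuing SubCA certificate, since the revocation check fails if any CRL in the chain is expired or unreachable.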

Resolutions:

1. Review the proxy settings by using "netsh winhttp show proxy"

You can reset the proxy settings by using the commands:

netsh winhttp reset proxy
netsh winhttp reset tracing

Note: You can also add proxy exceptions (e.g. the CRL location) by using the following commands:

netsh winhttp import proxy ie

netsh winhttp set proxy proxy-server=http://192.168.1.1:80 bypass-list="crlserver.DomainName.local"

netsh winhttp set proxy proxy-server=http://192.168.1.1:443 bypass-list="crlserver.DomainName.local"

2. Review the current CRL settings in the Active Directory by using:

Quick Check on ADCS Health Using Enterprise PKI Tool (PKIVIEW)

Usually, if you are using an offline CA (an offline Root CA, for example), you will find that the current CRL has expired.

It is usually recommended to extend the CRL validity period on the relevant CA and then re-publish the CRL.

Then, import the CRL into the Active Directory by using the command:

certutil -f -dspublish CRLFileName.crl

3. If the CRL is published to a file share and/or web server (HTTP/HTTPS), verify that the URL paths exist and are not blocked by a third-party system (e.g. firewall, antivirus, IPS etc.). It is also recommended to verify that no NTFS/share permissions block access to the CRL.

4. Reset the URL cache by running the following commands from a command prompt:

certutil -urlcache ocsp delete
certutil -urlcache crl delete

5. Reset the Exchange Internet web proxy to null by using the following Exchange Management Shell command (replace <ServerName> with the name of the Exchange server):

Set-ExchangeServer -Identity <ServerName> -InternetWebProxy $null

6. Delete MMC cache files from:

C:\Users\%username%\AppData\Roaming\Microsoft\MMC

7. Verify that the CRL URLs/paths for the Root CA and SubCA are current. Also,

8. Verify that the Root CA Certificate was added to the computer Trusted Root CA Store.

Also, verify that the SubCA Certificate was added to the computer Intermediate CA Store.
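Steps 7 and 8 can be checked together from PowerShell on the Exchange server. The script below is an added example, not code from the original post: it builds the certificate chain with online revocation checking switched on, prints the chain status flags (RevocationStatusUnknown or OfflineRevocation correspond to the console error; UntrustedRoot or PartialChain mean a CA certificate is missing from the store), and then reports whether each CA certificate in the chain sits in the Trusted Root (Root) or Intermediate (CA) store of the computer. It assumes the thumbprint of the Exchange certificate, as shown by Get-ExchangeCertificate, is passed in; THUMBPRINT_PLACEHOLDER is just a placeholder.

```powershell
# Added example, not code from the original post.
# Assumption: $Thumbprint is the thumbprint of the Exchange certificate in the
# LocalMachine\My store (take it from Get-ExchangeCertificate).
param(
    [string]$Thumbprint = 'THUMBPRINT_PLACEHOLDER'
)

$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop

# Build the chain exactly as a revocation-checking consumer would: fetch CRLs online
# for every certificate in the chain, not just the leaf.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 30
$built = $chain.Build($cert)

Write-Host ("Chain builds cleanly: {0}" -f $built)
foreach ($status in $chain.ChainStatus) {
    # RevocationStatusUnknown / OfflineRevocation: CRL could not be fetched (steps 1-4).
    # UntrustedRoot / PartialChain: a CA certificate is not in the expected store (step 8).
    Write-Host ("  {0}: {1}" -f $status.Status, $status.StatusInformation.Trim())
}

# Thumbprints of everything currently in the two CA stores of the computer account.
$rootStore = Get-ChildItem Cert:\LocalMachine\Root | ForEach-Object { $_.Thumbprint }
$caStore   = Get-ChildItem Cert:\LocalMachine\CA   | ForEach-Object { $_.Thumbprint }

$elements = @($chain.ChainElements)
for ($i = 1; $i -lt $elements.Count; $i++) {   # element 0 is the Exchange certificate itself
    $c = $elements[$i].Certificate
    $isRoot   = ($c.Subject -eq $c.Issuer)       # self-signed => Root CA
    $expected = if ($isRoot) { 'Root' } else { 'CA' }
    $found = @()
    if ($rootStore -contains $c.Thumbprint) { $found += 'Root' }
    if ($caStore   -contains $c.Thumbprint) { $found += 'CA' }
    $verdict = if ($found -contains $expected) { 'OK ' } else { 'FIX' }
    Write-Host ("{0} {1} -> stores: [{2}] expected: {3}" -f $verdict, $c.Subject, ($found -join ','), $expected)
}
```

A FIX line for a self-signed certificate means the Root CA certificate must be imported into the computer's Trusted Root CA store; a FIX line for any other CA certificate means the SubCA certificate belongs in the Intermediate CA store. If the chain builds with no status flags here, the Exchange console error is caused by something other than the local stores.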

9. As a temporary workaround, you can enable the required certificate by using the Exchange Management Shell cmdlet Enable-ExchangeCertificate.

However, this workaround would not resolve the error message; it would only let you assign the certificate to the Exchange services.

For further information, please review: Certificate Revocation and Status Checking
