TLS certificate validation - RevocationOffline

    Question

  • Hi,

    I am setting up an Edge Transport server without using EdgeSync. I have successfully enabled TLS certificates on both internal Hub Transport Servers, and also on the Edge Transport server, using my Internal PKI. For the edge server, I have imported the Trusted Root CA certificate chain from my PKI.

    I can send email externally OK. However, when I receive email from the internet and the Edge relays to the Hub, I receive an error that the Edge transport cannot validate the certificate of the Hub, specifically the error is "RevocationOffline"

    I have checked the certificates on all servers, and they have LDAP, HTTP and File "CRL Distribution Points" defined.

    On the CA, I note that for the HTTP CDP, the option to "Publish CRLs to this location" is greyed out. However, the options for "Include in CRLs" and "Include in the CDP extension of issued certificates" are ticked. For file, everything except the last and second option is ticked. For LDAP, all but the last option is ticked.

    I have allowed and confirmed access to the HTTP location and also the file location from the Edge server. However, I still receive the error "RevocationOffline".

    How come the option to publish to the HTTP CDP is greyed out? This is my next thought of where the problem lies.

    Does anyone have any other ideas or solutions?

    Saturday, June 16, 2012 5:02 AM

All replies

  • When I view the certificate, it lists the "CRL Distribution Points" types LDAP, FILE, and HTTP.

    I can browse to the HTTP path specified, e.g. http://server.domain.com/certenrol/ca_name.crl

    When I download the CRL file at this location and view it in "Published CRL Locations" it only lists the LDAP path.

    I am not sure if this is a problem or not.

    Saturday, June 16, 2012 5:11 AM
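The two posts above come down to one question: from the Edge server, can the HTTP CDP actually be used to obtain a current CRL for the Hub's certificate? The following PowerShell script is an added example, not code from this thread or from Microsoft; it reads the CDP extension from an exported certificate, downloads each HTTP CRL and reports its NextUpdate, and then runs `certutil -verify -urlfetch`, which performs the same CryptoAPI chain and revocation check that produces the "RevocationOffline" result. The path C:\temp\hub.cer is a placeholder; the certificate must first be exported from the Hub (or captured from the Edge side) to that file.

```powershell
# Added example: check, from the Edge Transport server, whether the Hub certificate's
# revocation status can be determined. C:\temp\hub.cer is a placeholder path.
function Test-CrlReachability {
    param([Parameter(Mandatory = $true)][string]$CertPath)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
    # 2.5.29.31 is id-ce-cRLDistributionPoints
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $cdp) { throw "No CRL Distribution Points extension in $CertPath" }

    # Format($true) renders the extension as text; each distribution point appears as 'URL=...'
    $urls = [regex]::Matches($cdp.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }

    $web = New-Object System.Net.WebClient   # works on PowerShell 2.0 as well as later versions
    foreach ($url in $urls) {
        if ($url -notmatch '^https?://') {
            # An Edge server is normally not domain-joined, so ldap:/// and file:// CDPs
            # cannot be resolved from it; only the HTTP CDP can satisfy the revocation check.
            Write-Output "SKIP  $url (not HTTP; unusable from a non-domain-joined Edge server)"
            continue
        }
        try {
            $crlFile = Join-Path $env:TEMP 'cdp-check.crl'
            $web.DownloadFile($url, $crlFile)
            # certutil prints the CRL's validity window. A NextUpdate in the past means the
            # published CRL is stale, which CryptoAPI treats like an unreachable CDP.
            $dump = certutil -dump $crlFile | Out-String
            $next = ([regex]::Match($dump, 'NextUpdate:\s*(.+)')).Groups[1].Value.Trim()
            Write-Output "OK    $url  NextUpdate: $next"
        } catch {
            Write-Output "FAIL  $url  $($_.Exception.Message)"
        }
    }

    # Full CryptoAPI chain build with CDP fetching, as Exchange does when validating a peer.
    # 0x80092013 is CRYPT_E_REVOCATION_OFFLINE, the code Exchange reports as "RevocationOffline".
    $verify = certutil -verify -urlfetch $CertPath | Out-String
    if ($verify -match '80092013') {
        Write-Output 'RESULT: revocation server offline (CRYPT_E_REVOCATION_OFFLINE)'
    } elseif ($verify -match 'Revocation check passed') {
        Write-Output 'RESULT: revocation check passed'
    } else {
        Write-Output 'RESULT: inspect the full certutil output below'
        Write-Output $verify
    }
}

Test-CrlReachability -CertPath 'C:\temp\hub.cer'
```

Run it on the Edge server itself, since that is where the validation fails; a result of FAIL on the HTTP CDP or a NextUpdate already in the past points at CRL publishing or the HTTP path rather than at the Exchange configuration. The `certutil -verify -urlfetch` output also lists every CDP and AIA URL it tried with a per-URL status, which is the quickest way to see which location CryptoAPI actually gave up on.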
  • Hi merlus,

    Please refer to the information below:
    Selection of Inbound Anonymous TLS Certificates 
    Please confirm you have installed AD LDS on the Edge server.

    Regards!

    Gavin

    TechNet Community Support


    Wednesday, June 20, 2012 6:28 AM
    Moderator