Exchange server 2010 "The revocation function was unable to check revocation because the revocation server was offline"

    Question

  • Hi there,

    I'm currently building my Exchange server 2010 environment and have an issue with importing my internal CA certificate.
    There is an error message in the EMC console saying "The certificate status could not be determined because the revocation check failed".
    I've read many forums about proxy servers but I don't think a proxy is relevant to this because the CA is internal.
    I've run this command to verify:

    certutil -verify -urlfetch C:\cert-renew.cer

    In the log I get an error:

      Revocation Check Failed "Certificate (0)" Time: 0
        [1.0] http://internalCAauthorityserver/CertEnroll/internalCAauthorityserver_CAorganization.crt

    However, when I enter this URL in IE I am successfully able to access it.

    I have also tried this command on other internal certs and get the same error, which leads me to believe there is something wrong with our internal CA authority server, but I'm not sure where to look.
    Has anybody come across an issue similar to this?
    Or is there a way to disable the CRL revocation check in Exchange?

    WingaDean

    Friday, 27 April 2012 5:55

Answers

  • OK, got this working now; below are the steps:

    1. Turn on offline RootCA
    2. Publish new CRL from RootCA
    3. Copy new CRL file into the IssuingCA pki IIS directory
    4. Restart certificate services. Steps 1-4 fixed the CDP location 1 for HTTP
    5. Ran this command to fix the LDAP location: certutil -dspublish -f MyOrg.crl
    6. Restart certificate services
    7. Restart Exchange server

    Now the certificate under EMC looks valid.

    • Marked as answer by wingadean Wednesday, 02 May 2012 2:30
    Wednesday, 02 May 2012 2:30
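    The root cause in this thread was CRLs at the CDP locations that were past their NextUpdate. The following PowerShell check is an added example, not the poster's or Microsoft's code: it fetches each CRL location (HTTP URL or the file in the Issuing CA's CertEnroll folder), dumps it with certutil.exe and reports whether the CRL has expired, so the state can be verified before and after republishing. It assumes certutil prints a "NextUpdate:" line when dumping a CRL, and the URL and path below are placeholders for your own CA's locations.

```powershell
# Added example: report whether the CRL served at each CDP location is still valid.
# Assumes certutil.exe -dump prints "ThisUpdate:" / "NextUpdate:" for a CRL file
# in the current locale's date format (parsed with the current culture).
function Test-CrlFreshness {
    param(
        # HTTP URLs or local paths of CRL files (placeholders in the call below)
        [Parameter(Mandatory)] [string[]] $Location
    )
    foreach ($loc in $Location) {
        $file = $loc
        if ($loc -match '^https?://') {
            # Fetch the CRL over plain HTTP, the way a revocation client does
            $file = Join-Path $env:TEMP ([IO.Path]::GetFileName($loc))
            try {
                Invoke-WebRequest -Uri $loc -OutFile $file -UseBasicParsing -ErrorAction Stop
            } catch {
                [pscustomobject]@{ Location = $loc; NextUpdate = $null
                                   Status = "Unreachable: $($_.Exception.Message)" }
                continue
            }
        }
        # certutil -dump on a CRL prints issuer, ThisUpdate and NextUpdate
        $dump = & certutil.exe -dump $file 2>&1
        $next = ($dump | Select-String '^\s*NextUpdate:\s*(.+)$').Matches |
                ForEach-Object { [datetime]::Parse($_.Groups[1].Value) } |
                Select-Object -First 1
        $status = if (-not $next) { 'Not a CRL or unparsable' }
                  elseif ($next -lt (Get-Date)) { 'EXPIRED - republish the CRL from the CA' }
                  else { 'Valid' }
        [pscustomobject]@{ Location = $loc; NextUpdate = $next; Status = $status }
    }
}

# Placeholder locations: the Root CA CRL as served by the Issuing CA's IIS
# CertEnroll folder over HTTP, and the same file on disk after copying it there.
Test-CrlFreshness -Location @(
    'http://internalCAauthorityserver/CertEnroll/MyOrg.crl',
    'C:\inetpub\wwwroot\CertEnroll\MyOrg.crl'
) | Format-Table -AutoSize
```

    Run it once before step 2 (expect EXPIRED) and again after step 4 (expect Valid); the LDAP copy published with certutil -dspublish is not covered by this HTTP/file check.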

All replies

  • I'm unclear what you are attempting to do here. Are you adding your Internal CA certificate as a trusted root on your Exchange server? If so, if your internal CA is an Enterprise CA that integrates with Active Directory then typically, Group Policy already pushes that out to all computers in the domain.

    If you are doing the import manually, what method are you using?

    The internal CA certificate is not imported into Exchange.


    Byron Wright (http://byronwright.blogspot.com)

    Friday, 27 April 2012 14:16
  • I have changed the self-signed cert to a cert from my internal CA.
    I have imported the certificate successfully and assigned services to the cert using PowerShell, but in EMC under server configuration there is an error on the certificate and it says:
    "The certificate status could not be determined because the revocation check failed"

    Sunday, 29 April 2012 4:52
  • First, how many CAs do you have?

    Just one?

    One offline Root CA and then an Issuing CA?

    In other words, what's your PKI topology?


    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.

    Sunday, 29 April 2012 9:38
  • We have one CA where the root CA is offline and one issuing CA which is online.
    When using pkiview.msc, I have noticed that under the root CA there are 2 CDP locations and they are both expired.
    One points to an HTTP location and the other points to an LDAP location.
    Could it be that when Exchange does the revocation check from the CDP location, it fails because the locations have expired?

    Monday, 30 April 2012 0:44
  • That could be.

    You might want to post in this forum:

    http://social.technet.microsoft.com/Forums/en-US/winserversecurity/threads

    They have some excellent PKI experts that have helped me in the past.

    You may have to export a certificate from the offline Root CA and then import into the online Issuing CA as well as update CRLs.

    Best bet in my opinion would be to post in that forum for PKI problems.


    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.

    Monday, 30 April 2012 9:57
  • Thanks for that, I've reposted the same issue on the security forum.
    In Exchange 2010, is there a way to disable the revocation check?
    It only shows as an error in EMC. If I just leave it like this, is the functionality still there, or do you know if this can cause any issues in the future?

    Tuesday, 01 May 2012 1:23
  • Hi,
    The best you can do is to solve the problem you have with your CA, so asking in the Windows Security Forum was a good suggestion from Le Pivert.

    If you have a proxy server on the network, your problem might be solved having WinHTTP bypass your proxy server for HTTP and HTTPS traffic.

    See: "The certificate status could not be determined because the revocation check failed"
    http://support.microsoft.com/kb/979694

    ...and some additional information

    EMC and certificates with failed revocation checks in Exchange 2010
    http://blogs.technet.com/b/exchange/archive/2010/07/26/emc-and-certificates-with-failed-revocation-checks-in-exchange-2010.aspx


    Martina Miskovic

    Tuesday, 01 May 2012 5:58
  • Are you able to successfully assign services to the certificate? If so, when you browse to OWA using a name on the certificate, do you get certificate errors in the browser? If not, then the revocation check error can be ignored. I have seen this a couple of times on deployments, where the certificate is fine, but EMC/EMS displays that it isn't because of revocation checks. If this is the case with you, it is ultimately just a display issue, and can be safely ignored.

    http://jaworskiblog.com

    Tuesday, 01 May 2012 20:17
  • I've found a solution where I need to republish a new CRL in the CA console:

    http://technet.microsoft.com/en-us/library/cc782041(v=WS.10).aspx

    I think this is the answer, but I'm not too good with certs so I've logged a call with PSS just to make sure, as I don't want to break my existing certs.

    Martina, I've seen both those links but don't think they are relevant because the certificate is from an internal CA and not a third-party cert, so the proxy shouldn't be relevant. From the Exchange server I can manually open the CRL file from the internal CA, so I don't think it's a transient error.

    Scott, I have been able to successfully assign services to the cert through PowerShell and the certificate works, as I have tested this through OWA. So if this is just a warning in EMC then I should be good; however, I still would like to get rid of the error message.
    I'll update this when I hear back from PSS.

    Wednesday, 02 May 2012 0:05