exchange certificate error

    Question

  • Please, I need help to resolve issues on my Exchange server. EMC->Server Configuration gives this message:

    the certificate status could not be determined because the revocation check failed.  I later ran tests on www.testexchangeconnectivity.com and got the message below:

    ExRCA is testing Exchange ActiveSync.
      The Exchange ActiveSync test failed.

    Test Steps

    Attempting the Autodiscover and Exchange ActiveSync test (if requested).
      Testing of Autodiscover for Exchange ActiveSync failed.

    Test Steps

    Attempting each method of contacting the Autodiscover service.
      The Autodiscover service couldn't be contacted successfully by any method.

    Test Steps

    Attempting to test potential Autodiscover URL https://domain.com/AutoDiscover/AutoDiscover.xml
      Testing of this potential Autodiscover URL failed.

    Test Steps

    Attempting to resolve the host name domain.com in DNS.
      The host name resolved successfully.

    Additional Details
      IP addresses returned: x.x.x.x
    Testing TCP port 443 on host domain.com to ensure it's listening and open.
      The port was opened successfully.
    Testing the SSL certificate to make sure it's valid.

    The SSL certificate failed one or more certificate validation checks.

    Certificate name validation failed

    21 June 2012 14:41

Answer

  • www.testexchangeconnectivity.com will fail because it does not support private certificates.

    The problem is your internal certificate authority. You need to ensure that the CRL locations listed on the certificate are available. Ideally you would like to configure the CRL location to be HTTP based. The problem here is your AD CS (PKI) platform, not the certificate itself or Exchange.


    Casper Pieterse, Principal Consultant - UC, Dimension Data North America, Microsoft Certified Master: Exchange 2007 / 2010

    22 June 2012 13:27
  • Unless you fix the CRL location it will continue to do so. The CRL location is embedded within the certificate (you can find it under certificate properties). Make sure that it is reachable and up to date.

    Exchange will verify the CRL location before allowing you to use the certificate.

    You will need to fix your AD CS environment before you can use the internally issued certificates with your Exchange environment.


    Casper Pieterse, Principal Consultant - UC, Dimension Data North America, Microsoft Certified Master: Exchange 2007 / 2010

    25 June 2012 13:28
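The two answers above say to check that the CRL distribution point embedded in the certificate is reachable and current from the Exchange server, and that WinHTTP (not the Internet Explorer proxy) is what Exchange uses for the lookup. The following script, added here as an example and not code from the thread or from any of its participants, pulls the CRL Distribution Points extension off the certificate that reports RevocationCheckFailure, prints the WinHTTP proxy in effect, downloads each HTTP CDP, and finally lets the Windows chain engine repeat the full revocation check with `certutil -verify -urlfetch`. It assumes the thumbprint from the poster's Get-ExchangeCertificate output (replace it with your own), that it is run in the Exchange Management Shell on the Exchange server itself, and that the AD CS issuer writes one `URL=` line per distribution point in the extension's text rendering; only PowerShell 2.0-era .NET calls are used on purpose.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell on the Exchange
# server, because that is the host whose revocation check is failing.
# Assumption: the thumbprint is the failing certificate from the poster's output.
$thumbprint = '9C15544C0186CA51F3DAD091ACC8A1F7BBCB4BE4'

# Exchange reads its certificates from the local computer's Personal store.
$cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$thumbprint" -ErrorAction Stop

# OID 2.5.29.31 is the CRL Distribution Points extension. Format($true) renders it as
# multi-line text with one "URL=..." entry per distribution point; AD CS typically emits
# an ldap:/// entry and, if configured, an http:// entry.
$cdpExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdpExt) {
    Write-Warning "Certificate $thumbprint carries no CRL Distribution Points extension."
    return
}
$cdpUrls = [regex]::Matches($cdpExt.Format($true), 'URL=(\S+)') |
    ForEach-Object { $_.Groups[1].Value }

"CRL distribution points on $($cert.Subject):"
$cdpUrls | ForEach-Object { "  $_" }

# Exchange and other WinHTTP clients ignore the Internet Explorer proxy settings;
# this shows the proxy (and bypass list) that the revocation lookup will actually use.
"WinHTTP proxy configuration:"
netsh winhttp show proxy

# Download each HTTP CDP. ldap:/// CDPs only work for domain-joined hosts with LDAP
# access to AD, which is why an HTTP CDP that every client can reach is the usual advice.
foreach ($url in $cdpUrls) {
    if ($url -notmatch '^https?://') {
        "  SKIP  $url  (not HTTP; unusable by non-domain clients and by the Remote Connectivity Analyzer)"
        continue
    }
    try {
        # WebClient uses the .NET/WinINet proxy, so success here proves the URL and the CRL
        # file exist; the certutil step below repeats the check with the Windows chain engine.
        $client = New-Object System.Net.WebClient
        $bytes = $client.DownloadData($url)
        "  OK    $url  ($($bytes.Length) bytes)"
    } catch {
        "  FAIL  $url  ($($_.Exception.Message))"
    }
}

# Let the Windows chain engine fetch CRL and AIA URLs for the whole chain. Its output lists
# every URL it tries, flags an expired (out-of-date) CRL, and ends with the revocation status,
# which is the same verdict Exchange surfaces as RevocationCheckFailure.
$exported = Join-Path $env:TEMP "$thumbprint.cer"
[System.IO.File]::WriteAllBytes($exported, $cert.RawData)
certutil -verify -urlfetch $exported
```

If the HTTP download succeeds but `certutil -verify -urlfetch` still reports a revocation failure, look at the CRL's "Next Update" in that output: a CA that has stopped publishing leaves a CRL that is reachable but expired, which fails the check just as an unreachable one does.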

All Replies

  • Hello,

    Do you encounter any real issues with the certificates on the Exchange server or clients?

    What type of certificate do you use?

    I would use the following command to see if all the necessary names are included in the certificate and whether it is enabled for the right services:

    Get-ExchangeCertificate |FL

    Thanks,

    Simon

    22 June 2012 2:20
  • Hi

    Does your Exchange server have direct access to the internet to perform the CRL lookup?

    If you are using a proxy you may need to run the following command to set it, as Exchange does not use your IE proxy details.

    e.g.

    netsh winhttp set proxy proxy-server="http=myproxy;https=sproxy:88" bypass-list="*.mydomain.com"

    Make sure you enter the bypass-list, otherwise you may find the EMC console will not start; I found that out the hard way :)

    Hope that is of some use.

    22 June 2012 3:10
  • Hello,

    Please see the output of the command and help me.

    [PS] C:\Windows\system32>Get-ExchangeCertificate |FL


    AccessRules        :
    CertificateDomains : {SERVER.domain.com}
    HasPrivateKey      : True
    IsSelfSigned       : False
    Issuer             : CN=noblecert, DC=domain, DC=com
    NotAfter           : 9/14/2012 5:22:11 PM
    NotBefore          : 9/15/2011 5:22:11 PM
    PublicKeySize      : 1024
    RootCAType         : Enterprise
    SerialNumber       : 1B774978000000000011
    Services           : None
    Status             : RevocationCheckFailure
    Subject            : CN=SERVER.domain.com
    Thumbprint         : 9C15544C0186CA51F3DAD091ACC8A1F7BBCB4BE4

    AccessRules        :
    CertificateDomains : {SERVER, SERVER.domain.com}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : CN=SERVER
    NotAfter           : 2/5/2016 7:16:23 PM
    NotBefore          : 2/5/2011 7:16:23 PM
    PublicKeySize      : 2048
    RootCAType         : None
    SerialNumber       : 51763F715B5981BF452DAEB41C5AA32C
    Services           : IMAP, POP, IIS, SMTP
    Status             : Valid
    Subject            : CN=SERVER
    Thumbprint         : 771CA5F06462E644D6473EF43DA7C109B5DECC62

    AccessRules        :
    CertificateDomains : {WMSvc-SERVER}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : CN=WMSvc-SERVER
    NotAfter           : 2/2/2021 5:35:29 PM
    NotBefore          : 2/5/2011 5:35:29 PM
    PublicKeySize      : 2048
    RootCAType         : Registry
    SerialNumber       : 664D30AFC84113964C9CABFAABF03050
    Services           : SMTP
    Status             : Valid
    Subject            : CN=WMSvc-SERVER
    Thumbprint         : 054B3F05FA66BA5D43AD453CB0657E8AEB32EE41

    [PS] C:\Windows\system32>

    22 June 2012 10:46
  • Also, you are currently using the self-signed certificate.

    AccessRules        :
    CertificateDomains : {SERVER, SERVER.domain.com}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : CN=SERVER
    NotAfter           : 2/5/2016 7:16:23 PM
    NotBefore          : 2/5/2011 7:16:23 PM
    PublicKeySize      : 2048
    RootCAType         : None
    SerialNumber       : 51763F715B5981BF452DAEB41C5AA32C
    Services           : IMAP, POP, IIS, SMTP
    Status             : Valid
    Subject            : CN=SERVER
    Thumbprint         : 771CA5F06462E644D6473EF43DA7C109B5DECC62

    If the certificate that is not self-signed is from a known trusted vendor such as Digicert, Verisign, Thawte, etc., then you just need to enable that certificate for those services.

    Enable-ExchangeCertificate -Thumbprint 9C15544C0186CA51F3DAD091ACC8A1F7BBCB4BE4 -Services IMAP,POP,IIS,SMTP

    If that certificate is from an internal CA then you will still get failed results from the Remote Connectivity Analyzer, as it does not trust the certificate either. This doesn't mean it won't work; it just means that you would have to ensure any device or computer that connects trusts that certificate chain.


    Chris Morgan

    22 June 2012 20:19
  • Hello,

    I ran the command to enable services for the thumbprint, but the error still shows in Exchange EMC->Server Configuration (the certificate status could not be determined because the revocation check failed).

    Please help

    24 June 2012 11:35