MSExchangeGuru.com

Learn Exchange the Guru way !!!


Exchange 2010: Certificate Revocation Issue


“The certificate status could not be determined because the revocation check failed”

Issue:

On a Windows 2008 R2 server running Exchange 2010 SP2 RU2, after importing the certificate via the EMC on a new server, the certificate shows a red circled cross with the status:

“The certificate status could not be determined because the revocation check failed”


Troubleshooting:

Exported the cert from another server and imported it on this new server.

Exported the cert from a second server and imported it on this new server.

Configured the proxy in Internet Explorer and selected the checkbox "Bypass proxy server for local addresses".

Opened Certificates (Local Computer) and verified that the chain is in place in the Intermediate and Trusted Root Certification Authorities stores.

Opened a command prompt with "Run as administrator" and ran:

netsh winhttp show proxy

The output (not shown) reported that no WinHTTP proxy was configured.


So I ran the following command as per KB 979694 (http://support.microsoft.com/kb/979694?wa=wsignin1.0):

netsh winhttp set proxy proxy-server="http=myproxy" bypass-list="*.host_name.com"

Now "netsh winhttp show proxy" showed the proxy details.

Ran the following commands to clear the URL cache:

certutil -urlcache crl delete

certutil -urlcache ocsp delete

Ran the following command to clear and force a re-sync of the chain cache (the backslash after "chain" is required):

certutil -setreg chain\ChainCacheResyncFiletime @now

Ran the following command to check the validity of the CRL/OCSP URLs in the cert:

certutil -verify -urlfetch C:\CertName.cer

This showed that the certificate file itself had a problem; I got the following output:

    LoadCert(Cert) returned ASN1 unexpected end of data. 0x80093102 (ASN: 258)

    CertUtil: -verify command FAILED: 0x80093102 (ASN: 258)

    CertUtil: ASN1 unexpected end of data.

I decided to change the certificate. I have 14 CHM servers in the Exchange 2010 org, so I decided to export the certificate from another server, xxxxx09, for xxxxx15. This worked: odd number to odd number.

But the same cert did not work for xxxxx14.

So I exported the cert from xxxxx08 for xxxxx14. This worked: even number to even number.

Our cert is a usertrust.com certificate.
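The checks above (is the exported .cer file intact, does the chain build, does the online CRL/OCSP revocation check succeed through the WinHTTP proxy) can be run in one PowerShell script before importing anything into Exchange. This is an added example, not the article's own script; $CertPath is an assumed placeholder for the exported file.

```powershell
# Added example: pre-import checks for an exported Exchange certificate file.
# $CertPath is a placeholder; point it at the .cer you exported.
param([string]$CertPath = 'C:\CertName.cer')

# 1. Parse the file. A truncated export fails here with the same
#    "ASN1 unexpected end of data" (0x80093102) that certutil -verify reported.
try {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
} catch {
    Write-Host "Certificate file is unreadable (likely a truncated export): $($_.Exception.Message)"
    exit 1
}
Write-Host "Subject : $($cert.Subject)"
Write-Host "Expires : $($cert.NotAfter)"

# 2. Build the chain with an ONLINE revocation check on the whole chain. This is
#    the check the EMC red cross means is failing; it uses the WinHTTP proxy set
#    with "netsh winhttp set proxy", not the Internet Explorer proxy.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(30)
$built = $chain.Build($cert)

foreach ($element in $chain.ChainElements) {
    Write-Host " chain: $($element.Certificate.Subject)"
}

if ($built) {
    Write-Host 'Chain built and revocation status was confirmed online.'
} else {
    # RevocationStatusUnknown / OfflineRevocation: the CRL or OCSP URL could not be
    # reached (proxy, firewall, stale cache). UntrustedRoot / PartialChain: the
    # intermediate or root is missing from the Local Computer stores instead.
    foreach ($status in $chain.ChainStatus) {
        Write-Host " problem: $($status.Status) - $($status.StatusInformation.Trim())"
    }
}

# 3. Show which CRL/OCSP URLs certutil fetches and whether each one verified,
#    the same information as the article's "certutil -verify -urlfetch" step.
Write-Host 'certutil -verify -urlfetch summary:'
certutil -verify -urlfetch $CertPath | Select-String -Pattern 'Verified|Failed|Error|Revocation'
```

Run it in an elevated PowerShell on the Exchange server itself, because the chain build and URL fetch use that server's certificate stores, cache and WinHTTP proxy settings.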

Resolution:

Import the working certificate.

Conclusion:

This troubleshooting tells me that we should use the certificate file we download or receive from the vendor; an export of the certificate from another server may work for one server but not for another.

Prabhat Nigam (Wizkid)
Team@ MSExchangeGuru


7 Responses to “Exchange 2010: Certificate Revocation Issue”

  1. gary Says:

    Hi, have the same issue.

    Ran the following (but didn't restart the services/exchange):

    netsh winhttp set proxy proxy-server="http=172.19.10.17:8090;https=172.19.10.17:8090" bypass-list="*.domain.co.uk"

    then got an error logging into Exchange.

    fixes:
    step1 of http://blogs.technet.com/b/whats_on_scotts_mind_today/archive/2012/12/07/exchange-2010-unable-to-open-exchange-management-console-initialization-failed.aspx
    and
    http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_26594446.html

    And Exchange is working, but now back to square 1 – the revocation problem.

    Ideas?

  2. Wizkid Says:

    @Gary – Try my solution

  3. gary Says:

    Can I use the same cert on more than 1 Exchange server in the same domain but different subnet?

  4. Wizkid Says:

    Yes.

  5. Hasnain Says:

    Hi friend

    Please make a correction: the actual command for clearing and forcing a re-sync of the cache is "certutil -setreg chain\chaincacheresyncfiletime @now".

  6. Prabhat Nigam Says:

    WordPress removes the \, so your suggestion is correct, but I can't update it as I posted it correctly.

  7. UW Says:

    I don’t use a proxy server, and if you do that is usually the culprit. However, I found it to be the Symantec firewall. Turned it off on the one server, implementing hardware firewall and all is well.
