Exchange 2010: Certificate Revocation Issue
“The certificate status could not be determined because the revocation check failed”
Issue:
On a Windows 2008 R2 server running Exchange 2010 SP2 RU2, after importing the certificate via the EMC on a new server, the certificate shows a red circled cross with the status
“The certificate status could not be determined because the revocation check failed”
Troubleshooting:
Exported the cert from another server and imported it on this new server.
Exported the cert from one other server and imported it on this new server.
Configured the proxy in Internet Explorer and selected the checkbox “Bypass proxy server for local addresses”.
Exported the cert from another server and imported it on this new server.
Opened Certificates (Local Computer) and verified the chain is in place under Intermediate and Trusted Root Certification Authorities.
Opened a command prompt with Run as administrator and ran the command
netsh winhttp show proxy
The output reported that no proxy was configured.
So I ran the following command as per KB http://support.microsoft.com/kb/979694?wa=wsignin1.0
netsh winhttp set proxy proxy-server="http=myproxy" bypass-list="*.host_name.com"
Now cmd “netsh winhttp show proxy” was showing the proxy details.
Ran the following commands to clear the URL cache:
certutil -urlcache crl delete
certutil -urlcache ocsp delete
Ran the following command to clear and force a re-sync of the chain cache:
certutil -setreg chain\ChainCacheResyncFiletime @now
Ran the following command to check the validity of the URLs in the cert:
certutil -verify -urlfetch C:\CertName.cer
The verification found a problem with this cert and produced the following output:
LoadCert(Cert) returned ASN1 unexpected end of data. 0x80093102 (ASN:258)
CertUtil: -verify command FAILED: 0x80093102 (ASN: 258)
CertUtil: ASN1 unexpected end of data.
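The checks the post works through by hand (does the exported file parse, which CRL/OCSP URLs must be reachable, does the revocation check complete) can be run together. The following PowerShell is an added example written for this page, not code from the original post; it assumes the exported file is at C:\CertName.cer.

```powershell
# Added example, not from the original post. Loads an exported .cer, confirms it
# parses (a truncated export fails right here, matching certutil's
# "ASN1 unexpected end of data"), lists the CRL/OCSP URLs the revocation check
# must reach, then builds the chain with online revocation checking and reports
# the status of every element. $CertPath is an assumed location.
param(
    [string]$CertPath = 'C:\CertName.cer'
)

# Step 1: does the file parse at all?
try {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
} catch {
    Write-Output "Not a usable certificate file: $($_.Exception.Message)"
    exit 1
}
Write-Output ("Subject : {0}" -f $cert.Subject)
Write-Output ("Expires : {0}" -f $cert.NotAfter)

# Step 2: print the CRL Distribution Points and Authority Information Access
# (OCSP/AIA) extensions; these are the URLs that must be reachable through the
# WinHTTP proxy configured with "netsh winhttp set proxy".
foreach ($ext in $cert.Extensions) {
    if (@('2.5.29.31', '1.3.6.1.5.5.7.1.1') -contains $ext.Oid.Value) {
        Write-Output ("{0}:`n{1}" -f $ext.Oid.FriendlyName, $ext.Format($true))
    }
}

# Step 3: build the chain with an online revocation check for every element.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.UrlRetrievalTimeout = New-Object System.TimeSpan -ArgumentList 0, 0, 30
$built = $chain.Build($cert)
Write-Output ("Chain build: {0}" -f $(if ($built) { 'OK' } else { 'FAILED' }))

# RevocationStatusUnknown or OfflineRevocation on an element is the condition
# the EMC reports as "revocation check failed": the CRL/OCSP fetch did not
# complete, which points at network/proxy reachability, not a revoked cert.
foreach ($element in $chain.ChainElements) {
    if ($element.ChainElementStatus.Count -eq 0) {
        $status = 'OK'
    } else {
        $status = ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
    }
    Write-Output ("  {0}`n    -> {1}" -f $element.Certificate.Subject, $status)
}
```

Run it from an elevated prompt on the affected server so the fetch uses that machine's proxy and cache state.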
I decided to change the certificate. I have 14 CHM servers in the Exchange 2010 Org, so I decided to export the certificate from another server, xxxxx09, for xxxxx15. This worked: odd number to odd number.
But the same cert didn’t work for xxxxx14.
Now I exported the cert from xxxxx08 for xxxxx14. This worked: even number to even number.
Our cert is a usertrust.com certificate.
Resolution:
Import the working certificate.
Conclusion:
This troubleshooting tells me that we should use the certificate we download or receive from the vendor; an export of the certificate may work for one server but not for another.
Prabhat Nigam (Wizkid)
Team@ MSExchangeGuru
May 2nd, 2013 at 9:28 am
Hi, have the same issue.
Ran the following (but didn’t restart the services/Exchange):
netsh winhttp set proxy proxy-server="http=172.19.10.17:8090;https=172.19.10.17:8090" bypass-list="*.domain.co.uk"
then got an error logging into Exchange.
fixes:
step1 of http://blogs.technet.com/b/whats_on_scotts_mind_today/archive/2012/12/07/exchange-2010-unable-to-open-exchange-management-console-initialization-failed.aspx
and
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_26594446.html
And Exchange is working, but now back to square 1 – the revocation problem.
Ideas?
May 2nd, 2013 at 11:11 am
@Gary – Try my solution
May 2nd, 2013 at 11:44 am
Can I use the same cert on more than 1 Exchange server in the same domain but a different subnet?
May 2nd, 2013 at 11:50 am
yes
May 19th, 2015 at 4:35 am
Hi friend,
please make a correction: the actual command to clear and force a re-sync of the cache is “certutil -setreg chain\ChainCacheResyncFiletime @now”
August 5th, 2015 at 5:52 am
WordPress removes the \, so your suggestion is correct, but I can’t update it as I posted it correctly.
January 27th, 2017 at 12:50 pm
I don’t use a proxy server, and if you do that is usually the culprit. However, I found it to be the Symantec firewall. Turned it off on the one server, implementing hardware firewall and all is well.