Knowledgebase: SSL Technical FAQs

Exchange 2010: "The Certificate Status Could Not Be Determined Because the Revocation Check Failed"

Question:
After I have imported a Comodo certificate through the Exchange Management Console (EMC), I am unable to assign it any services due to the error message of: "The certificate status could not be determined because the revocation check failed."

Answer:
This error can have any of several causes:


  1. Lack of network connectivity or an Internet outage.

  2. Network or proxy misconfiguration: See MS KB ID 979694.

  3. Intentional blocking of Internet connections from the server.

  4. CRL/OCSP issues with the CA.

  5. Stale or out-of-date CRL information.

  6. Missing or incomplete CA certificate(s) on the server.


Troubleshooting steps:

  1. Verify that all certificates in the hierarchy are installed.

  2. Verify network & Internet connectivity.

  3. Verify connectivity to the CRL and OCSP URLs for all certificates in the certificate's hierarchy (using a browser).

  4. Ensure that appropriate proxy settings are being used by Exchange. (Recommended, works 99.999% of the time) See MS KB ID 979694. Useful if you're using MS ISA or TMG!!

  5. Refresh CRL cache. See How to refresh the CRL cache on Windows (Windows PKI Blog)
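
The troubleshooting steps above, run as one Exchange Management Shell session (an added example, not part of the original article or of the Microsoft or Comodo documentation it cites). It assumes an elevated shell on the Exchange server and that the imported certificate is in the LocalMachine\My store; `$Thumbprint` and the temporary file name are placeholders.

```powershell
# Added example. Replace the placeholder with the thumbprint of the imported certificate.
$Thumbprint = '<THUMBPRINT-OF-IMPORTED-CERTIFICATE>'
$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"   # assumed store location

# Step 1: build the chain with online revocation checking on every element.
$x509 = 'System.Security.Cryptography.X509Certificates'
$chain = New-Object "$x509.X509Chain"
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'EntireChain'
$built = $chain.Build($cert)
"Chain built without errors: $built"

# List every certificate found in the hierarchy with its own status flags.
foreach ($element in $chain.ChainElements) {
    $element.Certificate.Subject
    foreach ($s in $element.ChainElementStatus) {
        "    {0}: {1}" -f $s.Status, $s.StatusInformation.Trim()
    }
}

# Overall result. PartialChain points at a missing CA certificate;
# RevocationStatusUnknown or OfflineRevocation mean CRL/OCSP data was not obtained.
$chain.ChainStatus | ForEach-Object { "{0}: {1}" -f $_.Status, $_.StatusInformation.Trim() }

# Steps 2-3: export the public certificate and let certutil fetch every
# AIA, CDP (CRL) and OCSP URL in the hierarchy, reporting each retrieval.
$cer = Join-Path $env:TEMP 'exchange-cert.cer'
[System.IO.File]::WriteAllBytes($cer, $cert.Export('Cert'))
certutil -verify -urlfetch $cer

# Step 4: show the machine-wide WinHTTP proxy configuration.
netsh winhttp show proxy

# Step 5: clear cached CRL/OCSP responses and force chain-cache resync.
# '@now' is quoted so PowerShell does not treat it as a splatted variable.
certutil -urlcache * delete
certutil -setreg chain\ChainCacheResyncFiletime '@now'

# Finally, see how Exchange itself now rates the certificate.
Get-ExchangeCertificate -Thumbprint $Thumbprint |
    Format-List Subject, Status, Services, NotAfter
```

The chain build and `certutil` run in the context of the logged-on administrator, so a clean result here combined with a persisting Exchange error points toward the proxy step (MS KB ID 979694).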


If all else fails, use the 'Enable-ExchangeCertificate' cmdlet to enable the services for your certificate, as this is less restrictive than the EMC. See Assigning/Enable additional services on an existing certificate (Comodo Support) for more information on how to do this.

Sources:


  1. Error message when you import a third-party certificate into Exchange Server 2010: "The certificate status could not be determined because the revocation check failed" (Microsoft Support)

  2. EMC and certificates with failed revocation checks in Exchange 2010 (Exchange Team Blog)

  3. How to refresh the CRL cache on Windows Vista (Windows PKI Blog)
