EMC and certificates with failed revocation checks in Exchange 2010


Starting with Exchange Server 2007, we added protection for Exchange data paths to Client Access Servers using SSL. SMTP communication between transport servers is also protected using TLS. To ensure this protection is enabled out-of-the-box, Exchange setup creates self-signed certificates and enables SSL and TLS by default. For external communication, we recommend that you procure certificates signed by a Certification Authority (CA) that is trusted by clients.

In Exchange 2010, we introduced new certificate management interfaces in the Exchange Management Console (EMC). Using the new certificate wizards in EMC, you can:

The status of a certificate that’s displayed in EMC is returned by the Get-ExchangeCertificate cmdlet. For CA-signed certificates, the certificate’s revocation status is checked in the Certificate Revocation List (CRL) published by the CA.

If Exchange can’t access the CRL, the certificate status is returned as RevocationCheckFailure by the shell. In EMC this is displayed as The certificate status could not be determined because the revocation check failed.

Figure 1: The status of a certificate with a failed revocation check is displayed as 'The certificate status could not be determined because the revocation check failed.'

This can occur due to a number of reasons, for example:

  • Transient network connectivity failure or Internet outage
  • Network or proxy misconfiguration, or a firewall rule preventing Internet access
  • Intentional blocking of Internet connectivity from the server
  • Failure of CRL server
  • Issues with CA certificate

A failure to check certificate revocation status is different from a revoked certificate, where the CRL published by the CA has been checked and the certificate found to be revoked. For revoked certificates, the certificate status is explicitly returned as revoked.

Figure 2: The status of a revoked certificate is displayed as 'This certificate is invalid for Exchange Server usage.'

Figure 3: The certificate properties of a revoked certificate indicate that the certificate has been revoked.

When a certificate fails a revocation check for any of the above reasons, the EMC prevents you from assigning the certificate to any Exchange service. Note that this does not affect certificates that have already been assigned to Exchange services; those services continue to function.

If the failure is due to a transient condition, you can retry when the server has Internet connectivity and can access the CRL. If it’s caused by network misconfiguration, you can retry after the issue has been resolved and Internet connectivity restored.

If you need to enable the certificate that’s in the RevocationCheckFailure status, you can use the Enable-ExchangeCertificate cmdlet from the shell. The EMC is more restrictive in how it treats certificates with a failed revocation check. It errs on the side of caution to prevent a revoked certificate from being assigned to a service, and thus impacting service.
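The following script is an added example (not from the original post) that triages a certificate in RevocationCheckFailure status before deciding whether to assign it with Enable-ExchangeCertificate: it shows the machine-wide WinHTTP proxy that CRL downloads actually use, lets certutil report which CRL URL cannot be fetched, and only enables the certificate when -Force is given. It assumes it runs in the Exchange Management Shell on the server, that $Thumbprint identifies the CA-signed certificate you imported, and that the built-in certutil.exe and netsh.exe tools are available.

```powershell
# Added example, not from the original post: triage an Exchange 2010 certificate whose
# revocation check failed before assigning it with Enable-ExchangeCertificate.
# Assumptions: run in the Exchange Management Shell on the server; $Thumbprint is the
# certificate you imported; certutil.exe and netsh.exe are the built-in Windows tools.
param(
    [Parameter(Mandatory = $true)][string]$Thumbprint,
    [string[]]$Services = @('IIS', 'SMTP'),  # services to assign after review
    [switch]$Force                            # required to enable despite a failed check
)

$cert = Get-ExchangeCertificate -Thumbprint $Thumbprint
'Subject: {0}  Status: {1}  Expires: {2}' -f $cert.Subject, $cert.Status, $cert.NotAfter

switch ("$($cert.Status)") {
    'Valid' {
        Enable-ExchangeCertificate -Thumbprint $Thumbprint -Services ($Services -join ',')
    }
    'Revoked' {
        # The CA was reached and reports the certificate as revoked: never assign it.
        Write-Error 'Certificate is revoked by its CA; it must not be enabled.'
    }
    'RevocationCheckFailure' {
        # CRL downloads go through the machine WinHTTP proxy, not the user's IE settings,
        # so show that configuration first.
        netsh winhttp show proxy
        # Export the public certificate and let certutil walk the chain and fetch every
        # CRL/AIA URL; its output names the URL that fails and why (timeout, proxy, DNS).
        $x509 = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
        $cerFile = Join-Path $env:TEMP "$Thumbprint.cer"
        [IO.File]::WriteAllBytes($cerFile, $x509.Export('Cert'))
        certutil -urlfetch -verify $cerFile | Select-String 'CRL|Failed|Error|Verified'
        Remove-Item $cerFile -ErrorAction SilentlyContinue

        if ($Force) {
            # Deliberate override, as the post describes: the shell allows enabling a
            # certificate in RevocationCheckFailure status. Record why you did it.
            Write-Warning "Enabling $Thumbprint despite a failed revocation check (-Force)."
            Enable-ExchangeCertificate -Thumbprint $Thumbprint -Services ($Services -join ',')
        }
        else {
            Write-Warning 'Fix CRL reachability and rerun, or rerun with -Force to enable anyway.'
        }
    }
    default { Write-Warning "Status '$($cert.Status)' is not handled; not enabling." }
}
```

Save it as a .ps1 and run it once without -Force to see the failing CRL URL; rerun with -Force only after you have confirmed that the failure is a connectivity problem and not a revocation.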

We’ve received feedback from customers that you would like to be warned about a revocation check failure for a certificate, but still be able to assign the certificate to Exchange services from EMC. We’re considering the change in EMC behavior for a future release.

Bharat Suneja

Comments (10)
  1. Paul Mitchell says:

    Thank you, thank you, thank you! Just ran into this recently, and we couldn’t figure it out. Managing certificates is much easier in Exchange 2010 – thanks for adding this to EMC, and for this excellent team blog!

  2. Mike Miller says:

    Will the EMC’s changed behavior be in a roll-up? Good to know Enable-Exchange cmdlet works for now.

  3. When I first encountered this I changed the proxy config for the server to use my user settings, which allowed the CRL check to take place.

    I would caution anyone thinking of trying that though, if your proxy settings cause your connection to the Exchange server itself to be blocked you won’t be able to access the EMC or Shell at all until you change the proxy config back again.

  4. Bharat Suneja [MSFT] says:

    @Paul Mitchell: Thank you!

    @Mike: It’s being considered. We regularly blog here about update rollups and service packs, and as seen in recent posts we call out the important updates.

    @Paul Cunningham: Thanks for sharing!

  5. prove says:

    Now that’s the info i’ve been searching for a long time. Many Thanks to You guys!

  6. I would like to add the following two KB articles related to the certificates.

    Error message when you import a third-party certificate into Exchange Server 2010: "The certificate status could not be determined because the revocation check failed"

    http://support.microsoft.com/kb/979694

    How to assign a private key to a new certificate after you use the Certificates snap-in to delete the original certificate in Internet Information Services

    http://support.microsoft.com/kb/889651

  7. Jay Rodz says:

    I did not have an Internet connection until today. Is it an immediate check done by the system to validate the certificate, or do I need to force it or wait some time?

  8. Jay Rodz says:

    Looks like it takes some time. Now I am seeing it validated. Thanks anyway.

  9. Ilya D. says:

    Just wanted to comment that I had this exact issue. No matter what I did, the certificate always showed that it could not be checked. Did the winhttp proxy check and it showed it was a direct connection. However, something in my network was making ALL winhttp traffic go through my ISA 2006. I ended up adding a rule that allowed all users and anonymous full access to the revocation list (for me *.godaddy.com) and boom, the certificate checked fine. However, until I found this out I used the command mentioned above to force use of the certificate and it worked great.

  10. Joe S. says:

    I’m having an issue where my Client Access Server has Direct Access. I don’t use a proxy server to get to the Internet. I’ve assigned a certificate from an Internal Microsoft PKI CA server and it still fails to verify the certificate status because the revocation check failed.

    OS-Windows Server 2008 R2

    Exchange 2010 RTM Client Access Role installed – only role

    Any tips?

    I’ve gone into IE > Internet Options > Connections > LAN Settings > Local Area Network (LAN) Settings.

    I’ve checked "Use a proxy server for your LAN", then ticked the box "Bypass proxy server for local addresses". I’ve even clicked "Advanced" and in the Exceptions entered the *.localdomain of the domain the Issuing CA is in and the *.localdomain this Client Access Server is in.

    Then I untick the box "Use a proxy server for your LAN", since I don’t want to use a proxy because this server has Direct Access.

    Again this is trying to verify the status of an internally assigned PKI Certificate.

    When I open the certificate and get the http address for where the CRL is located and copy and paste that into Internet Explorer it prompts me if I want to Open/Save/Cancel so I can get to that site.

    When I open ADSI on this server to verify the LDAP path of the crl in the configuration partition I find it there successfully.

    Any help is greatly appreciated.

    Joe S.
