Starting with Exchange Server 2007, the client data paths to Client Access Servers are protected using SSL, and SMTP communication between transport servers is protected using TLS. To ensure this protection is enabled out of the box, Exchange setup creates self-signed certificates and enables SSL and TLS by default. Because clients outside your organization won't trust those self-signed certificates, we recommend that for external communication you procure certificates signed by a Certification Authority (CA) that is trusted by clients.
In Exchange 2010, we introduced new certificate management interfaces in the Exchange Management Console (EMC). Using the new certificate wizards in EMC, you can:
- Generate a certificate signing request (CSR) to request a certificate signed by a CA
- Complete the pending certificate request when you receive the certificate signed by the CA
- Assign Exchange services to the certificate
- Renew certificates
- Export a certificate with its private key (the private key must be marked as exportable when the certificate is created; this is the default for certificate signing requests generated by using the EMC)
- Import certificates with a private key
- View certificate properties
The certificate status displayed in EMC is the status returned by the Get-ExchangeCertificate cmdlet. For CA-signed certificates, the certificate’s revocation status is checked against the Certificate Revocation List (CRL) published by the CA.
If Exchange can’t access the CRL, the certificate status is returned as RevocationCheckFailure by the Exchange Management Shell. In EMC this is displayed as "The certificate status could not be determined because the revocation check failed."
Figure 1: The status of a certificate with a failed certificate revocation check is displayed as 'The certificate status could not be determined because the revocation check failed.'
This can occur due to a number of reasons, for example:
- Transient network connectivity failure or Internet outage
- Network or proxy misconfiguration, or a firewall rule preventing Internet access
- Intentional blocking of Internet connectivity from the server
- Failure of the CRL server (the CRL distribution point named in the certificate)
- Issues with the CA certificate
A failure to check certificate revocation status is different from a revoked certificate, where the CRL published by the CA has been checked and the certificate found to be revoked. For revoked certificates, the certificate status is explicitly returned as revoked.
Figure 2: The status of a revoked certificate is displayed as 'This certificate is invalid for Exchange Server usage.'
Figure 3: Certificate properties of a revoked certificate indicate the certificate has been revoked
When a certificate fails a revocation check for any of the above reasons, the EMC prevents you from assigning the certificate to any Exchange service. Note that this does not affect certificates that have already been assigned to Exchange services; those services continue to function.
If the failure is due to a transient condition, you can retry when the server has Internet connectivity and can access the CRL. If it’s caused by network misconfiguration, you can retry after the issue has been resolved and Internet connectivity restored.
If you need to enable a certificate that is in the RevocationCheckFailure status, you can use the Enable-ExchangeCertificate cmdlet from the shell. The EMC is more restrictive in how it treats certificates with a failed revocation check: it errs on the side of caution to prevent a revoked certificate from being assigned to a service and thus impacting that service.
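The following Exchange Management Shell session is an added example, not code from the original post. It walks through the three things a practitioner wants at this point: read the status that Get-ExchangeCertificate reports (the same value the EMC shows), reproduce the revocation check with a .NET X509Chain so that an unreachable CRL can be told apart from a certificate the CA has actually revoked, and only then assign services with Enable-ExchangeCertificate. The thumbprint, the service list and the 30-second CRL timeout are assumptions to adjust for your server; the X509Chain check is a diagnostic and is not a replica of the cmdlet's internal check.

```powershell
# Added example: diagnose and enable a certificate reported as RevocationCheckFailure.
# Run in the Exchange Management Shell on the server that holds the certificate.
$thumb = 'AABBCCDDEEFF00112233445566778899AABBCCDD'   # placeholder thumbprint, substitute your own

# 1. What does Exchange think of the certificate? This Status is what the EMC displays.
$cert = Get-ExchangeCertificate -Thumbprint $thumb
$cert | Format-List Thumbprint, Subject, NotAfter, Status, Services, RootCAType

# 2. Repeat the revocation check ourselves so we can distinguish
#    "CRL unreachable" from "certificate revoked".
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 30   # assumed timeout
$built = $chain.Build($cert)

# Collapse every chain status entry into one bit mask of X509ChainStatusFlags.
$combined = 0
foreach ($s in $chain.ChainStatus) { $combined = $combined -bor [int]$s.Status }
function Test-ChainFlag([string]$name) {
    $bit = [int][System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::$name
    return (($combined -band $bit) -ne 0)
}

$revoked = Test-ChainFlag 'Revoked'
if ($built) {
    Write-Host "Chain built and revocation check passed."
} elseif ($revoked) {
    Write-Host "Certificate is REVOKED by the CA. Do not enable it; request a replacement."
} elseif ((Test-ChainFlag 'RevocationStatusUnknown') -or (Test-ChainFlag 'OfflineRevocation')) {
    Write-Host "CRL could not be retrieved (network, proxy or CRL server problem)."
    # Show the CRL distribution points the server is trying to reach ...
    $cert.Extensions |
        Where-Object { $_.Oid.FriendlyName -eq 'CRL Distribution Points' } |
        ForEach-Object { $_.Format($true) }
    # ... and the machine-wide WinHTTP proxy, which is what server-side CRL fetches use
    # (not the logged-on user's Internet Explorer proxy settings).
    netsh winhttp show proxy
} else {
    Write-Host "Other chain problems: $($chain.ChainStatus | ForEach-Object { $_.StatusInformation })"
}

# 3. Only when the failure is confirmed transient or caused by deliberately blocked Internet
#    access, and the certificate is not actually revoked, assign services from the shell.
#    The EMC refuses this; the shell allows it. Adjust the service list to what this
#    certificate is meant to serve. Expect a confirmation prompt if you replace the
#    default SMTP certificate.
if ($cert.Status -eq 'RevocationCheckFailure' -and -not $revoked) {
    Enable-ExchangeCertificate -Thumbprint $thumb -Services 'IIS','SMTP'
    Get-ExchangeCertificate -Thumbprint $thumb | Format-List Thumbprint, Status, Services
}
```

The point of step 2 is the caveat the EMC enforces for you: RevocationCheckFailure means the answer is unknown, not that the certificate is good. Enabling from the shell is appropriate when you have verified why the CRL is unreachable (for example, the server is intentionally kept off the Internet); it is not appropriate as a way to skip the check.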
We’ve received feedback from customers that you would like to be warned about a revocation check failure for a certificate, but still be able to assign the certificate to Exchange services from EMC. We’re considering the change in EMC behavior for a future release.