Thursday, July 29, 2010

Exchange 2010 3rd Party Certificate Issue “certificate status could not be determined because the revocation check failed”

PROBLEM:

After installing a 3rd party certificate on the Client Access Server(s), the certificate shows the following status in the Exchange Management Console:

“The certificate status could not be determined because the revocation check failed”

SOLUTION:

Exchange uses WinHTTP to determine the validity of a certificate (fetching the CRL or querying the OCSP responder listed in the certificate).  WinHTTP seems to use the Web Proxy Auto-Discovery Protocol (WPAD), so if you have a Proxy Auto-Configuration (PAC) file being published through DHCP or DNS, it's going to pick that up and use it, regardless of what you have set up in IE for your proxy.
If you are not using a PAC file, it's possible that WinHTTP has no proxy settings configured at all, in which case the revocation check fails because the server cannot reach the CRL/OCSP URLs directly.
To determine which settings are currently in use by your Exchange server, log into it, start up an admin console and run the following command:


netsh winhttp show proxy


This shows the current WinHTTP proxy settings that Exchange will use (either "Direct access (no proxy server)" or the configured proxy server and bypass list).  If it's not showing the right server, change it using the next command:


netsh winhttp set proxy proxy-server="http=myproxy:88;https=sproxy:88" bypass-list="*.foo.com"


Replace myproxy and sproxy with the name or IP of your own proxy server, and be sure to specify the ports.  The bypass-list section is optional; there must be no space between "bypass-list=" and the quoted list.

Command Reference: http://www.dbits.be/index.php/pc-problems/65-vistaproxycfg

NOTE: If you can't seem to get the command to run, and keep getting a message that says "command was not found: netsh winhttp set proxy-server", you may want to copy the command above directly into the command prompt and edit it from there.  I have tried this on 3 computers, and somehow can't get it to work if I type it in, but it works fine if I paste it in, then edit it.

Close, then re-open the Exchange Management Console and check the status of the certificate.

If the proxy settings are correct and it still doesn't work, a stale cached CRL or OCSP response may be the cause.  Run the following commands to clear the OCSP/CRL cache:

certutil -urlcache ocsp delete

certutil -urlcache crl delete

Next, reboot your server, and open the Exchange Management Console back up to check the status of the certificate again.
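As an added example (not part of the original post), the following PowerShell script automates the two checks above: it parses the current WinHTTP proxy settings, then builds the certificate chain with an online revocation check through the same CryptoAPI path, so a failing CRL/OCSP fetch surfaces as RevocationStatusUnknown or OfflineRevocation instead of the generic console message. It assumes it runs in an elevated PowerShell on the Client Access Server, and $Thumbprint is a placeholder you replace with the thumbprint of your 3rd party certificate.

```powershell
# Added diagnostic script (not from the original post). Run elevated on the CAS.
param(
    # Placeholder: thumbprint of the 3rd party certificate in LocalMachine\My
    [string]$Thumbprint = 'REPLACE_WITH_CERT_THUMBPRINT'
)

function Get-WinHttpProxy {
    # Parse "netsh winhttp show proxy" into an object instead of eyeballing it.
    $result = [ordered]@{ Mode = 'Direct'; ProxyServer = $null; BypassList = $null }
    foreach ($line in (netsh winhttp show proxy)) {
        if ($line -match '^\s*Proxy Server\(s\)\s*:\s*(.+)$') {
            $result.Mode        = 'Proxy'
            $result.ProxyServer = $Matches[1].Trim()
        }
        elseif ($line -match '^\s*Bypass List\s*:\s*(.+)$') {
            $result.BypassList = $Matches[1].Trim()
        }
    }
    [pscustomobject]$result
}

function Test-CertRevocationOnline {
    param([Parameter(Mandatory)][string]$Thumbprint)
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }

    # Force a live CRL/OCSP lookup (not the cached result) with a 30 second URL timeout.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(30)
    $built = $chain.Build($cert)

    [pscustomobject]@{
        Subject    = $cert.Subject
        ChainValid = $built
        # RevocationStatusUnknown / OfflineRevocation here means the CRL or OCSP
        # URL could not be reached, i.e. the proxy/WinHTTP problem described above.
        Status     = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        StatusInfo = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join ' | '
    }
}

Write-Host "WinHTTP proxy in use by this server:"
Get-WinHttpProxy | Format-List
Write-Host "Online revocation check for the certificate:"
Test-CertRevocationOnline -Thumbprint $Thumbprint | Format-List
```

Run it once before and once after changing the proxy or clearing the cache; when the Status column comes back empty and ChainValid is True, the Exchange Management Console should show the certificate as valid after a restart of the console.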
