Here is the story: I was building a lab so I could test Domain Security (mutual TLS) connections between two Exchange 2010 organisations. I issued a certificate to both servers from a CA in domain 1 and imported the CA root certificate into the Trusted Root store on both servers. Then, when I tried to activate services or use MTLS on my connectors, I got the following error:
The Certificate Status Could not be determined Because the revocation check failed
Here are the steps I took (with some help) that got my servers talking and CRL checking working.
- Verify that a CRL URL is published in the certificate (the CRL Distribution Points extension)
- Re-issue the cert if needed
- Verify that the CRL URL can be accessed from the Exchange server
- Clear the URL cache:
  - certutil -urlcache crl delete
  - certutil -urlcache ocsp delete
- Check the validity of the URLs in the cert:
  - certutil -verify -urlfetch C:\foobar2.cer
- Clear and force a re-sync of the chain cache:
  - certutil -setreg chain\chaincacheresyncfiletime @now
- Clear and force a re-sync of the chain cache, and don't use the cache for 3 days:
  - certutil -setreg chain\chaincacheresyncfiletime @now+3
- Install and configure the Windows Server 2008 Online Responder on the CA
- Set the WinHTTP proxy (CryptoAPI fetches CRLs and OCSP responses through this proxy, not the Internet Options one, so it must be able to reach the CRL URL or bypass it):
  - netsh winhttp set proxy proxy-server="http=myproxy:8080;https=sproxy:8080" bypass-list="*.foo.com"
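The first three steps above can be scripted. The following PowerShell is an added example, not code from the original post: it reads the CRL Distribution Points out of a certificate file, tries to download each HTTP CRL, reports the CRL's NextUpdate (an expired CRL fails the revocation check just as an unreachable one does), and then runs the same certutil cache-clear and -urlfetch verification listed above. The only assumption is the certificate path, which reuses the post's own C:\foobar2.cer.

```powershell
# Added example (not from the original post). Checks the CRL URLs embedded in a
# certificate, fetches them, and then runs the post's certutil verification.
# $CertPath is an assumption; point it at the certificate you are testing.
param(
    [string]$CertPath = 'C:\foobar2.cer'
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath

# OID 2.5.29.31 is the CRL Distribution Points extension. Without it the
# revocation check can never succeed, so the cert must be re-issued from a CA
# that publishes a CRL URL (step 2 above).
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdp) {
    Write-Warning "No CRL Distribution Point extension in $CertPath - re-issue the certificate."
    return
}

# Format($true) renders the extension as text containing lines like "URL=http://..."
$urls = [regex]::Matches($cdp.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }

# Caveat: WebClient uses the Internet Options (WinINET) proxy, while CryptoAPI
# uses the WinHTTP proxy set with "netsh winhttp set proxy". A download that
# works here only proves the URL is published and reachable from this host;
# the certutil -urlfetch run at the end is what exercises the CryptoAPI path.
$web = New-Object System.Net.WebClient

foreach ($url in $urls) {
    if ($url -notlike 'http*') { Write-Host "Skipping non-HTTP CDP: $url"; continue }
    try {
        $bytes = $web.DownloadData($url)
        $tmp = [System.IO.Path]::GetTempFileName()
        [System.IO.File]::WriteAllBytes($tmp, $bytes)
        # certutil -dump on a CRL prints its ThisUpdate/NextUpdate; a NextUpdate in
        # the past means the CA has stopped publishing and the check will still fail.
        $next = certutil -dump $tmp | Select-String 'NextUpdate'
        Write-Host ("OK   {0} ({1} bytes) {2}" -f $url, $bytes.Length, $next)
        Remove-Item $tmp -ErrorAction SilentlyContinue
    } catch {
        Write-Warning ("FAIL {0}: {1}" -f $url, $_.Exception.Message)
    }
}

# The post's own steps: flush cached CRL/OCSP responses, then walk the chain with
# a live fetch so the output shows exactly which URL (if any) cannot be retrieved.
certutil -urlcache crl delete | Out-Null
certutil -urlcache ocsp delete | Out-Null
certutil -verify -urlfetch $CertPath
```

Run it from an elevated PowerShell prompt on the Exchange server itself, since the proxy and routing problems described in this post only show up from the host that is doing the revocation check.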
Note: I finally found that I had an issue with my TMG server when routing across it (even though that traffic was supposed to not be filtered).
I moved my VM to the same network (i.e. both on 192.168.10.x) and then I was able to get it working.
I still need to figure out why TMG was breaking it; conversely, I did get it working through ISA 2006 without issue. I will update this post when I figure out the TMG issue.
http://technet.microsoft.com/en-us/library/bb430772.aspx
http://blogs.technet.com/b/pki/archive/2007/09/13/how-to-refresh-the-crl-cache-on-windows-vista.aspx
I found in our case we needed to use an IP address vs a hostname, had to state the port as it was not a standard one, and had to include a bypass for the domain the server was in:
netsh winhttp set proxy proxy-server="http=192.168.0.1:8090;https=192.168.0.1:8090" bypass-list="*.mydomain.co.nz"
…after that we "refreshed" and the CRL error disappeared and the certificate red X changed to a tick indicating no issues.
We also had an invalid CRL URL in the Thawte certificate, but that's another story we managed to sort with a hosts file entry pointing at the IP address of the correct server.