Troubleshooting CRL issues in a Exchange 2010 Lab

imageHere is the story, I was building a Lab so I could test Domain secure  connections between exchange 2010 Orgs. I issued a cert to both servers from a CA in domain 1, and imported CA root cert to the trusted roots of both servers. Then when I tried to activate services or use MTLS on my connectors I got the following error.

The Certificate Status Could not be determined Because the revocation check failed

Here are the steps I took (with a some help) and got my servers talking and CRL checking working.

  1. Verify that a CRL URL is published
    • Re-issue cert if needed
  2. Verify that the CRL URL can be accessed
  3. Clear the URL cache
    • certutil -urlcache crl delete
    • certutil -urlcache ocsp delete
  4. Check validity of the URLS in the cert
    • certutil -verify -urlfetch C:\foobar2.cer
  5. Clear and Force re-sync of cache
    • certutil -setreg chain\chaincacheresyncfiletime @now
  6. Clear and Force re-sync of cache and don’t use cache for 3 days
    • certutil -setreg chain\chaincacheresyncfiletime @now+3
  7. Installed and configured the 2008 Online Responder on my CA
  8. netsh winhttp set proxy proxy-server="http=myproxy:8080;https=sproxy:8080" bypass-list= "*"



Note: I finally I found that I had an issue with my TMG server when routing across it (even though it was supposed to not be filtered)
I moved my VM to the same networks (i.e. Both on 192.168.10.x) and then I was able to get it working…

Still need to figure out why TMG was breaking it, Conversely I did get it working with ISA 2006 without issue, I will update this post when I figure out the issue with TMG.


2 thoughts on “Troubleshooting CRL issues in a Exchange 2010 Lab

  1. Pingback: Troubleshooting Exchange « JC’s Blog-O-Gibberish

  2. I found in our case we needed to use an IP address vs a hostname, had to state the port as it was not a standard one, had to include a bypass for the domain the server was in,

    netsh winhttp set proxy proxy-server=”http=;https=″ bypass-list=”*”

    …after that we “refreshed” and CRL error disappeared and the certificate red x changed to a tick inidcating no issues.

    We also had an invalid CRL URL in the Thawte certificate but thats another story we managed to sort with a host file entry pointing at the IP address of the correct server.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s