Here is the story: I was building a lab so I could test domain-secured connections between Exchange 2010 orgs. I issued a cert to both servers from a CA in domain 1 and imported the CA root cert into the trusted roots of both servers. Then, when I tried to enable services on the cert or use MTLS on my connectors, I got the following error:
The Certificate Status Could not be determined Because the revocation check failed
Here are the steps I took (with some help) to get my servers talking and CRL checking working.
Verify that the CRL URL can be accessed
- Verify that a CRL URL is published
- Check the validity of the URLs in the cert
- certutil -verify -urlfetch C:\foobar2.cer
Clear the URL cache
- certutil -urlcache crl delete
- certutil -urlcache ocsp delete
Clear and force a re-sync of the cache
- certutil -setreg chain\chaincacheresyncfiletime @now
Clear and force a re-sync of the cache and don't use the cache for 3 days
- certutil -setreg chain\chaincacheresyncfiletime @now+3
Installed and configured the 2008 Online Responder on my CA
Set the WinHTTP proxy so the server can reach the CRL through the proxy
- netsh winhttp set proxy proxy-server="http=myproxy:8080;https=sproxy:8080" bypass-list="*.foo.com"
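As an added example (not code from the original post), here is a PowerShell script that does the first two checks above from one place: it pulls the HTTP CRL and OCSP URLs out of the exported certificate and fetches each one, then builds the chain with online revocation checking so the exact CryptoAPI status comes back instead of the one-line Exchange error. It assumes the cert was exported to C:\foobar2.cer as in the post; the path and the timeout are placeholders to adjust.

```powershell
# Added example, not from the original post. Assumes the certificate was
# exported to C:\foobar2.cer as in the post; path and timeout are placeholders.
param(
    [string]$CertPath = 'C:\foobar2.cer',
    [int]$TimeoutSec  = 15
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# 1. Extract the HTTP URLs from the CRL Distribution Points extension (OID 2.5.29.31)
#    and the Authority Information Access extension (OID 1.3.6.1.5.5.7.1.1, OCSP/AIA)
#    and fetch each one, so a bad or unreachable URL shows up before the chain build.
$urls = @()
foreach ($ext in $cert.Extensions) {
    if ('2.5.29.31', '1.3.6.1.5.5.7.1.1' -contains $ext.Oid.Value) {
        $found = [regex]::Matches($ext.Format($true), 'https?://[^\s]+')
        foreach ($m in $found) { $urls += $m.Value }
    }
}
if ($urls.Count -eq 0) {
    Write-Warning 'No HTTP CRL or OCSP URL is published in this cert; the revocation check cannot succeed.'
}
foreach ($url in $urls | Sort-Object -Unique) {
    try {
        # Caveat: .NET follows the Internet Explorer proxy for this request, while the
        # chain engine used by Exchange follows the WinHTTP proxy (netsh winhttp set proxy),
        # so this fetch can pass while the service still fails.
        $req = [System.Net.WebRequest]::Create($url)
        $req.Timeout = $TimeoutSec * 1000
        $resp = $req.GetResponse()
        'OK   {0} {1}' -f [int]$resp.StatusCode, $url
        $resp.Close()
    } catch {
        'FAIL {0} : {1}' -f $url, $_.Exception.Message
    }
}

# 2. Build the chain with online revocation checking for the whole chain, which is what
#    CryptoAPI does when Exchange validates the cert, and print every status it reports.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode      = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag      = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds($TimeoutSec)
$built = $chain.Build($cert)
"Chain build succeeded: $built"
foreach ($s in $chain.ChainStatus) {
    # RevocationStatusUnknown and OfflineRevocation are the codes behind
    # "the revocation check failed"; anything else points at a different problem.
    '{0,-26} {1}' -f $s.Status, $s.StatusInformation.Trim()
}
```

Run it as the account the service uses (or at least with the same proxy settings) if you want the fetch results to match what Exchange sees.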
Note: I finally found that I had an issue with my TMG server when routing across it (even though it was supposed to not be filtered). I moved my VMs to the same network (i.e. both on 192.168.10.x) and then I was able to get it working. I still need to figure out why TMG was breaking it; conversely, I did get it working with ISA 2006 without issue. I will update this post when I figure out the issue with TMG.
Disable CRL checking (only if you don't have internet access)
Reduce the CRL retrieval timeouts
- Decreasing the amount of time allowed for a single CRL retrieval can significantly improve performance when internet access is poor or non-existent. Setting the value to 200 decimal (milliseconds) may be a reasonable timeout.
- Decreasing the amount of time allowed for all CRL retrievals combined can significantly improve performance when internet access is poor or non-existent. Setting the value to 500 decimal (milliseconds) may be a reasonable timeout.
- Name: ChainRevAccumulativeUrlRetrievalTimeoutMilliseconds
  Location: HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config
Point to a specific CAS when starting (keep in mind you could have issues accessing the tools if that specific server is unavailable)
- You can speed up service start by following this KB
- Exchange Management Console
  - Right click Microsoft Exchange On-Premises
  - Click Properties
  - Specify a CAS server
- Exchange PowerShell
  - Right click the Exchange PowerShell shortcut in the start menu
  - Click Properties
  - Replace -auto at the end of the shortcut target with the FQDN of a CAS server