Troubleshooting CRL issues in an Exchange 2010 Lab


Here is the story: I was building a lab so I could test Domain Security connections between Exchange 2010 orgs. I issued a cert to both servers from a CA in domain 1 and imported the CA root cert into the trusted roots of both servers. Then, when I tried to enable services on the cert or use MTLS on my connectors, I got the following error.

The Certificate Status Could not be determined Because the revocation check failed

Here are the steps I took (with some help) to get my servers talking and CRL checking working.

  1. Verify that a CRL URL is published in the cert
    • Re-issue the cert if needed
  2. Verify that the CRL URL can be accessed from both servers
  3. Clear the URL cache
    • certutil -urlcache crl delete
    • certutil -urlcache ocsp delete
  4. Check the validity of the URLs in the cert
    • certutil -verify -urlfetch C:\foobar2.cer
  5. Clear and force a re-sync of the chain cache
    • certutil -setreg chain\chaincacheresyncfiletime @now
  6. Clear and force a re-sync of the chain cache, and don’t use the cache for 3 days
    • certutil -setreg chain\chaincacheresyncfiletime @now+3
  7. Install and configure the 2008 Online Responder on the CA
  8. Set the WinHTTP proxy so CRL and OCSP fetches can reach the CDP (the system account does not use the user's IE proxy settings)
    • netsh winhttp set proxy proxy-server="http=myproxy:8080;https=sproxy:8080" bypass-list="*.foo.com"
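For steps 1, 2 and 4, this added script (not part of the original post) reads the CRL Distribution Point URLs out of a cert file, downloads each CRL and shows its ThisUpdate/NextUpdate, so an unreachable or stale CRL stands out before certutil -verify is run. The cert path reuses the sample path from the certutil step and is an assumption.

```powershell
# Added example, not from the original post: list the CRL Distribution Point
# URLs in a cert, download each CRL as a client would, and show its dates.
# $CertPath reuses the sample path from the certutil step; it is an assumption.
param([string]$CertPath = 'C:\foobar2.cer')

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath

# OID 2.5.29.31 is the CRL Distribution Points extension. Format($true) renders
# it as text; the http(s) URLs are pulled out of that text with a regex.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdp) {
    Write-Warning "No CRL Distribution Point in $CertPath; fix the CA's CDP and re-issue (step 1)."
    return
}
$urls = [regex]::Matches($cdp.Format($true), 'https?://[^\s,()]+') |
    ForEach-Object { $_.Value } | Sort-Object -Unique

function Get-DumpField([string[]]$Dump, [string]$Name) {
    # certutil -dump prints e.g. " NextUpdate: 3/16/2024 10:35 AM" for a CRL
    $line = $Dump | Where-Object { $_ -match "^\s*$Name\s*:" } | Select-Object -First 1
    if ($line) { ($line -replace "^\s*$Name\s*:\s*", '').Trim() } else { '(not found)' }
}

foreach ($url in $urls) {
    $tmp = Join-Path $env:TEMP ('crlcheck_' + [guid]::NewGuid().ToString('N') + '.crl')
    $result = New-Object PSObject -Property @{ Url = $url; Reachable = $false; Bytes = 0;
                                               ThisUpdate = ''; NextUpdate = ''; Error = '' }
    try {
        # WebClient honours the machine's default proxy; an ldap:// CDP would need
        # a different fetch and is simply not matched by the regex above.
        (New-Object System.Net.WebClient).DownloadFile($url, $tmp)
        $result.Reachable = $true
        $result.Bytes = (Get-Item $tmp).Length
        $dump = & certutil -dump $tmp 2>&1 | ForEach-Object { "$_" }
        $result.ThisUpdate = Get-DumpField $dump 'ThisUpdate'
        $result.NextUpdate = Get-DumpField $dump 'NextUpdate'
    }
    catch {
        # Typical lab causes: a CDP hostname the other org cannot resolve, a
        # firewall/TMG rule in the path, or a proxy that was never set.
        $result.Error = $_.Exception.Message
    }
    finally { Remove-Item $tmp -ErrorAction SilentlyContinue }
    $result | Select-Object Url, Reachable, Bytes, ThisUpdate, NextUpdate, Error
}
```

Run it on each server in both orgs; a CRL whose NextUpdate is already in the past will fail revocation checking even though the URL is reachable.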


Note: I finally found that I had an issue with my TMG server when routing across it (even though it was supposed not to be filtered).
I moved my VM to the same network (i.e. both on 192.168.10.x) and then I was able to get it working…

I still need to figure out why TMG was breaking it; conversely, I did get it working with ISA 2006 without issue. I will update this post when I figure out the issue with TMG.


http://technet.microsoft.com/en-us/library/bb430772.aspx

http://blogs.technet.com/b/pki/archive/2007/09/13/how-to-refresh-the-crl-cache-on-windows-vista.aspx

http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/299c8ebe-223c-43ab-8cbc-c8221991813a

Speed up EMC and PowerShell when working on a lab


  1. Disable CRL checking (only if you don’t have internet access)
    • Location: HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config
      Type: REG_DWORD
    • Decreasing the time allowed for a single CRL retrieval can significantly improve performance when internet access is poor or non-existent. A value of 200 decimal (milliseconds) may be a reasonable timeout.
    • Name: ChainRevAccumulativeUrlRetrievalTimeoutMilliseconds
      Decreasing the time allowed for all CRL retrievals combined can significantly improve performance when internet access is poor or non-existent. A value of 500 (milliseconds) may be a reasonable timeout.
    • You can speed up service start by following this KB
  2. Point to a specific CAS when starting (keep in mind you could have issues accessing the tools if that specific server is unavailable)
    1. EMC
      1. Right-click Microsoft Exchange On-Premises
      2. Click Properties
      3. Specify a CAS server
    2. Exchange Management Shell
      1. Right-click the Exchange Management Shell shortcut in the Start menu
      2. Click Properties
      3. Replace -auto at the end of the shortcut target with the FQDN of a CAS server