Normally, only client devices need to check if a Certificate Authority has revoked an SSL Certificate. Clients make this check so that they can warn users about trusting a website, an email server, or a device.
Certificate Authorities (CAs) are required to keep track of the SSL Certificates they revoke. After the Certificate Authority (CA) revokes an SSL Certificate, the CA takes the serial number of the certificate and adds it to its certificate revocation list (CRL). The URL to the Certificate Authority’s certificate revocation list is contained in each SSL Certificate in the CRL Distribution Points field.
To check the revocation status of an SSL Certificate, the client connects to the URLs and downloads the CA's CRLs. Then, the client searches through the CRL for the serial number of the certificate to make sure that it hasn't been revoked.
You can see the URLs for an SSL Certificate’s CRLs by opening an SSL Certificate. Then, in the certificate's Details in the Certificate Extensions, select CRL Distribution Points to see the issuing CA's URLs for their CRLs.
For example, in Chrome:
Online Certificate Status Protocol (OCSP) has largely replaced the use of CRLs to check SSL Certificate revocation. Instead of downloading a potentially large list of revoked certificates in a CRL, a client can simply query the issuing CA's OCSP server using the certificate's serial number and receive a response indicating if the certificate is revoked or not.
You can see the URLs used to connect to a CA's OCSP server by opening up a certificate. Then, in the certificates Details in the Certificate Extensions, select Authority Information Access to see the issuing CA's URL for their OCSP.
For information about using OCSP stapling to enhance the OCSP protocol, see Enable OCSP Stapling on Your Server.
For example, in Internet Explorer:
"The certificate status could not be determined because the revocation check failed."
Microsoft Exchange 2010 was designed to check a certificate's revocation status, to prevent administrators from inadvertently configuring Exchange to use a revoked SSL certificate. However, Exchange 2010 doesn't allow you to assign an SSL Certificate in the Exchange Management Console until verifying that it has not been revoked by the Certification Authority (CA) that issued it.
This process sometimes causes problems. When the server can't make a connection with a CA to check a certificate's revocation status, an error message is displayed: "The certificate status could not be determined because the revocation check failed". This error is misleading because it makes the problem sound as if the certificate has been revoked. In most cases, it is a connection problem, not a certificate revocation issue.
The connection issue can be caused by the WinHTTP proxy settings or by the firewall settings preventing the Exchange server from connecting to the CRL or OCSP URLs to perform the revocation checks. To troubleshoot this error, you can use the DigiCert® Certificate Utility for Windows to verify whether your server can reach the CRL or OCSP URLs.
When testing server access, if your proxy server connection is not through WinHTTP, the DigiCert Certificate Utility may not be able to automatically detect the proxy settings for the server.