Error: "The certificate status could not be determined because the revocation check failed" after installing certificate into Exchange 2010

Solution ID : SO16481
Last Modified : 11/27/2025

Problem

After completing the certificate request in Exchange 2010, the status section shows:

"The certificate status could not be determined because the revocation check failed"

The certificate cannot be assigned to the website.

Cause

This issue occurs because Exchange Server 2010 uses Microsoft Windows HTTP Services (WinHTTP) to manage all HTTP and HTTPS traffic, and WinHTTP does not use the proxy settings that are configured for the Internet browser.


Solution

Below are the steps recommended by Microsoft to resolve this issue:

Method 1:

To view the WinHTTP proxy settings, at a command prompt, run the following command:

netsh winhttp show proxy

To resolve this issue, you must configure the WinHTTP proxy setting and the server FQDN in the WinHTTP bypass list. 

Note: If you do not configure both the proxy setting and the server FQDN in the WinHTTP bypass list, the Exchange Management Shell and the Exchange Management Console cannot contact the Remote PowerShell.

To resolve this issue, open a command prompt, type the following command, and then press ENTER:

netsh winhttp set proxy proxy-server="http=myproxy" bypass-list="*.host_name.com"

The myproxy placeholder represents the proxy server name, and host_name represents the Exchange Server 2010 host name.

If the proxy settings are correct, and it still doesn't work, try the following commands to clear the OCSP/CRL cache:

certutil -urlcache ocsp delete
certutil -urlcache crl delete

Reboot the server if required.

This solution is taken from Microsoft article kb979694.

Method 2:

Manually install CRL:

  1. Identify who issued the certificate; in this example, the intermediate certificate is “RapidSSL RSA CA 2018”.
  2. Locate the intermediate certificate in the certificate store under Intermediate Certification Authorities -> Certificates.
  3. Double-click the selected certificate.
  4. Go to the Details tab and select CRL Distribution Points.
  5. Copy the URL (http://crl3.digicert.com/RapidSSLRSACA2018.crl).
  6. Paste the URL in your browser to download the CRL file.
  7. Once downloaded, right-click the CRL file and click Install CRL.
  8. Click Place all certificates in the following store, then Browse…
  9. Click Show physical stores.
  10. Then select Intermediate Certification Authorities and click OK.
  11. You have now successfully installed the updated CRL for this intermediate. Refresh IIS or Exchange, and the error should no longer appear.
 

If you would like to check the installation:

  1. Click Start > Run > type MMC
  2. From the Microsoft Management Console (MMC), click File > Add/Remove Snap-in
  3. From the list of snap-ins, select Certificates
  4. Click Add
  5. Select Computer Account
  6. Click Next
  7. Select Local Computer (the computer this console is running on)
  8. Click Finish
  9. Expand Intermediate Certification Authorities, and then click Certificate Revocation List
  10. You should see the new CRL in the list
  11. Refresh the certificate view in IIS or Exchange, and the error will be gone. 

 

Note: If the CRL file has been saved on a drive other than “C:”, ensure you use the full, correct path to the CRL file.
The downside of manually downloading a CRL file is that it expires (once its Next Update time passes). You will then need to download the updated CRL and follow the installation steps again.
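
To confirm the result after either method, the revocation check can be re-run from PowerShell by building the certificate chain with online revocation checking. This is an added example, not part of the Microsoft or DigiCert instructions; the parameter name Thumbprint and the Cert:\LocalMachine\My store location are assumptions about where the certificate was installed. Save it as a .ps1 file and run it on the Exchange server.

```powershell
# Added example: re-run the revocation check for an installed certificate.
param(
    # Thumbprint of the certificate to test (value supplied by the operator).
    [Parameter(Mandatory = $true)]
    [string]$Thumbprint
)

# Thumbprints copied from the certificate dialog often contain spaces or
# invisible characters; keep only the hex digits.
$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()

# Assumption: the certificate is in the local computer's Personal store.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) {
    throw "No certificate with thumbprint $Thumbprint in Cert:\LocalMachine\My"
}

$Flags = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Check revocation online for every certificate except the root.
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
$chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 15
[void]$chain.Build($cert)

# Per-certificate result, leaf certificate first.
foreach ($element in $chain.ChainElements) {
    $status = @($element.ChainElementStatus | ForEach-Object { $_.Status })
    if ($status.Count -eq 0) { $status = @('NoError') }
    '{0}: {1}' -f $element.Certificate.Subject, ($status -join ', ')
}

# Overall verdict for the revocation part of the chain build.
$all = @($chain.ChainStatus | ForEach-Object { $_.Status })
if ($all -contains $Flags::Revoked) {
    'RESULT: a certificate in the chain is revoked.'
} elseif ($all -contains $Flags::RevocationStatusUnknown -or
          $all -contains $Flags::OfflineRevocation) {
    'RESULT: revocation status could not be determined (CRL/OCSP not retrievable).'
} else {
    'RESULT: no revocation error reported.'
}
```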