DigiCert KnowledgeBase - Technical Support


Error: "The certificate status could not be determined because the revocation check failed" after installing certificate into Exchange 2010

Solution ID : SO16481
Last Modified : 10/21/2023

Problem

After completing the certificate request in Exchange 2010, the status section shows:

"The certificate status could not be determined because the revocation check failed"

The certificate cannot be assigned to the website.


Cause

This issue occurs because Exchange Server 2010 uses Microsoft Windows HTTP Services (WinHTTP) to manage all HTTP and HTTPS traffic, and WinHTTP does not use the proxy settings that are configured for the Internet browser.


Solution

Below are the steps recommended by Microsoft to resolve this issue:

Method 1:

To view the WinHTTP proxy settings, at a command prompt, run the following command:

netsh winhttp show proxy

To resolve this issue, you must configure both the WinHTTP proxy setting and the server FQDN in the WinHTTP bypass list.

Note: If you do not configure both the proxy setting and the server FQDN in the WinHTTP bypass list, the Exchange Management Shell and the Exchange Management Console cannot contact Remote PowerShell.

To resolve this issue, open a command prompt, type the following command, and then press ENTER:

netsh winhttp set proxy proxy-server="http=myproxy" bypass-list="*.host_name.com"

The myproxy placeholder represents the proxy server name, and host_name represents the Exchange Server 2010 host name.

If the proxy settings are correct and the status still shows the error, run the following commands to clear the cached OCSP and CRL responses:

certutil -urlcache ocsp delete
certutil -urlcache crl delete

Reboot the server if required.

This solution is taken from Microsoft KB979694.


Method 2:

Try to access the CRL distribution point URLs for the certificate and each certificate in its chain:

  1. Open IIS Manager.
  2. Expand the server name.
  3. Expand Sites, then expand Default Web Site.
  4. Highlight/select 'Default Web Site'.
  5. Click Bindings in the Actions pane, select https, and click Edit.
  6. Click View (this shows the properties of the certificate bound to the Default Web Site).
  7. Click Certification Path.
  8. Click each certificate (node) in the chain.
  9. Select View Certificate.
  10. Go to the Details tab, select the "CRL Distribution Point" field, and download the CRL file from the URL shown.
  11. Repeat steps 6-11 for each certificate (leaf, intermediate, root) in the chain.
  12. Download the CRL files (.crl format) for the root and intermediate certificates from a machine with Internet access, or from the Exchange server itself, and copy them to a folder on the Exchange server.
  13. Import the CRL files into the "Trusted Root Certification Authorities" store, the Certificate Revocation List folder under "Intermediate Certification Authorities", or both, using these commands:

    certutil -addstore CA <CRLName>
    certutil -addstore Root <CRLName>

    Example: certutil -addstore CA crl4.digicert.com

  14. Check that the certificate status now shows Valid and that the certificate can be enabled for Exchange services.

Note: If the CRL files were saved on a drive other than "C:", make sure you provide the full path to the CRL file location.

The downside of manually downloading a CRL file is that it expires after its Next Update time; once it does, you will have to download the updated CRL again.
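As an added diagnostic for the error described above (it is not part of the DigiCert article or the Microsoft KB), the following PowerShell script repeats the revocation check that the Exchange console performs and, for each certificate in the chain, lists the CRL distribution point URLs and tries to download them; the thumbprint parameter and the script file name are assumptions. Because X509Chain.Build fetches CRLs through CryptoAPI (WinHTTP) while WebClient uses the browser (WinINET) proxy, a chain status of RevocationStatusUnknown together with successful downloads points at the WinHTTP proxy gap described in the Cause section.

```powershell
# Added diagnostic, not from the DigiCert article or Microsoft KB979694.
# Usage (assumed file name): .\Test-ExchangeCertRevocation.ps1 -Thumbprint <Exchange cert thumbprint>
param([Parameter(Mandatory=$true)][string]$Thumbprint)

"WinHTTP proxy configuration (used by CryptoAPI for CRL/OCSP fetches):"
netsh winhttp show proxy

$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"

# Build the chain with an online revocation check for every element. X509Chain.Build calls
# CertGetCertificateChain, which downloads CRLs/OCSP via WinHTTP, so this reproduces what
# the Exchange Management Console sees when it reports the revocation check failure.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'EntireChain'
$built = $chain.Build($cert)
"`nChain valid with revocation check: $built"
foreach ($s in $chain.ChainStatus) { "  {0}: {1}" -f $s.Status, $s.StatusInformation.Trim() }

# For each chain element, read the CRL Distribution Points extension (OID 2.5.29.31), fetch every
# URL with WebClient (browser/WinINET proxy, NOT WinHTTP), save it to %TEMP% so it can be imported
# with certutil -addstore as in Method 2, and show its NextUpdate so you know when it expires.
$web = New-Object System.Net.WebClient
foreach ($el in $chain.ChainElements) {
    $c = $el.Certificate
    "`n{0}" -f $c.Subject
    $cdp = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $cdp) { "  no CRL distribution point (normal for a root certificate)"; continue }
    $urls = [regex]::Matches($cdp.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
    foreach ($u in $urls) {
        $file = Join-Path $env:TEMP ([System.IO.Path]::GetFileName($u))
        try {
            $web.DownloadFile($u, $file)
            "  OK   {0} -> {1}" -f $u, $file
            certutil -dump $file | Select-String 'NextUpdate' | ForEach-Object { "       " + $_.Line.Trim() }
        } catch {
            "  FAIL {0}: {1}" -f $u, $_.Exception.Message
        }
    }
}
```

Run it in an elevated PowerShell session on the Exchange server; if the downloads succeed here but the chain reports RevocationStatusUnknown, apply the netsh winhttp set proxy command from Method 1 and rerun.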