Exchange – Certificate Invalid ‘Revocation Check Failed’

KB ID 0001121 

Problem

When you check the status of a certificate in Exchange, it is displayed as ‘Invalid’ and the details show that the revocation check has failed.


Solution

This can happen if your certificate CA has its CRL or OCSP information set up incorrectly, or the Exchange server simply cannot reach them to verify the validity of the certificate. If you are using your own CA, the correct way to fix the problem is to set up a CRL or an OCSP responder properly.

Windows Certificate Services – Setting up a CRL

Microsoft Certificate Services Configuring OCSP

However, there may be some circumstances where you want the certificate to work but don’t have the time/inclination to fix the CRL/OCSP. I found myself in this situation on my test network. I wanted to use this certificate, but it was quicker to ‘hack’ Exchange than to fix the CRL and reissue certificates.

This is more a workaround than a fix: you can get Exchange to ‘not bother’ enforcing the revocation check. The certificate will still show as having a revocation error, but it won’t be flagged as ‘invalid’.

Run the registry editor (regedit) > Navigate to;

HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing

Change the State value to 23e00 (Hexadecimal).


Navigate to;

HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing

Change the State value to 23e00 (Hexadecimal).


Navigate to;

HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing

Change the State value to 23e00 (Hexadecimal).


Reboot the server; the certificate view will now have changed:
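The three registry edits above, as an added PowerShell example (not part of the original article) that audits whether the bypass is currently in place on each of the three accounts and can apply or revert it in one go. It assumes that S-1-5-18, S-1-5-19 and S-1-5-20 are LocalSystem, LocalService and NetworkService, that State is a REG_DWORD with a default of 0x23C00, and that the difference to 0x23E00 is the single bit 0x200; run it from an elevated prompt.

```powershell
# Added example, not from the original article: audit, set or clear the WinTrust
# "ignore revocation" bit for the three accounts the article edits.
# Assumptions: State is a REG_DWORD, its default is 0x23C00, and bit 0x200 is the
# flag that makes WinTrust ignore revocation failures (0x23C00 -> 0x23E00).
$Accounts = [ordered]@{
    'S-1-5-18' = 'LocalSystem'
    'S-1-5-19' = 'LocalService'
    'S-1-5-20' = 'NetworkService'
}
$IgnoreRevocationBit = 0x200

function Get-SoftwarePublishingKey([string]$Sid) {
    "Registry::HKEY_USERS\$Sid\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing"
}

function Get-WinTrustRevocationState {
    # One object per account; IgnoresRevocation = $true means the workaround is in place.
    foreach ($sid in $Accounts.Keys) {
        $key   = Get-SoftwarePublishingKey $sid
        $state = (Get-ItemProperty -Path $key -Name State -ErrorAction SilentlyContinue).State
        [pscustomobject]@{
            Account           = $Accounts[$sid]
            Sid               = $sid
            State             = if ($null -ne $state) { '0x{0:X}' -f $state } else { '<not present>' }
            IgnoresRevocation = ($null -ne $state) -and (($state -band $IgnoreRevocationBit) -ne 0)
        }
    }
}

function Set-WinTrustRevocationBypass {
    # Enable reproduces the article's registry change; Disable undoes it by clearing
    # only the 0x200 bit, leaving the other flags in State untouched.
    param([Parameter(Mandatory)][ValidateSet('Enable', 'Disable')][string]$Action)
    foreach ($sid in $Accounts.Keys) {
        $key     = Get-SoftwarePublishingKey $sid
        $current = (Get-ItemProperty -Path $key -Name State -ErrorAction SilentlyContinue).State
        if ($null -eq $current) { $current = 0x23C00 }   # assumed default when the value is absent
        $new = if ($Action -eq 'Enable') { $current -bor $IgnoreRevocationBit } else { $current -band (-bnot $IgnoreRevocationBit) }
        Set-ItemProperty -Path $key -Name State -Value $new -Type DWord
        '{0,-15} {1}: 0x{2:X} -> 0x{3:X}' -f $Accounts[$sid], $sid, $current, $new
    }
}

# Audit first; run Set-WinTrustRevocationBypass -Action Enable (or Disable) to change it.
Get-WinTrustRevocationState | Format-Table -AutoSize
```

The S-1-5-19 and S-1-5-20 hives only appear under HKEY_USERS while those service profiles are loaded, so ‘<not present>’ in the audit output means the hive is not loaded rather than that the value has been removed. A reboot is still needed after changing the value, as the article says.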


Related Articles, References, Credits, or External Links

NA

Author: PeteLong


3 Comments

  1. The certificate still has the same status. I am looking for how to repair/renew/rekey the certificate.

  2. That was the most stupid way to solve the problem.

    • What is stupid is you failing to read the…

      “However there may be some circumstances where you want the certificate to work but don’t have the time/inclination  to fix the CRL/OCSP. I found myself in this situation on my test network.”

      If you think I’m going to build an entire CRL/OCSP infrastructure just to make an error go away on my test network, then you, sir, are an idiot.

      I’m not proposing this be done in a production environment.

