Exchange – Certificate Invalid ‘Revocation Check Failed’

KB ID 0001121 

Problem

When you check the status of a certificate in Exchange, it is displayed as ‘Invalid’ and the details show that the revocation check has failed.

Solution

This can happen if your certificate CA has its CRL or OCSP information set up incorrectly, or the Exchange server simply cannot access them to verify the validity of the certificate. If you are using your own CA, the correct way to fix the problem is to set up a CRL or an OCSP responder properly.

Windows Certificate Services – Setting up a CRL

Microsoft Certificate Services Configuring OCSP

However, there may be some circumstances where you want the certificate to work but don’t have the time/inclination to fix the CRL/OCSP. I found myself in this situation on my test network. I wanted to use this certificate, but it was quicker to ‘hack’ Exchange than to fix the CRL and reissue certificates.

This is more a workaround than a fix: you can get Exchange to ‘not bother’ enforcing the revocation check. The certificate will still show as having a revocation error, but it won’t be flagged as ‘invalid’.

Run the registry editor (regedit) > Navigate to;

[box]
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
[/box]

Change the State value to 23e00 (Hexadecimal).

Navigate to;

[box]
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
[/box]

Change the State value to 23e00 (Hexadecimal).

Navigate to;

[box]
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
[/box]

Change the State value to 23e00 (Hexadecimal).

Reboot the server and now the certificate view will have changed;
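The three registry edits above set the same flag in three hives, which makes it easy to lose track of where the workaround has been applied. The following PowerShell audit script is an added example (not part of the original article): it reports, for each of the three SIDs, whether the revocation-ignore bit is set in the State value, and can clear just that bit to put the check back. It assumes that the flag Exchange is ignoring is bit 0x200 of State (the stock value being 0x23c00, so 0x23e00 is stock plus that bit); run it in an elevated session because HKEY_USERS\S-1-5-18 is not writable otherwise.

```powershell
# Audit / revert the WinTrust "ignore revocation" workaround (added example).
# Assumption: bit 0x200 of State is the ignore-revocation flag; stock State is 0x23c00.
$IgnoreRevocationFlag = 0x200
$Sids   = @('S-1-5-18', 'S-1-5-19', 'S-1-5-20')   # SYSTEM, LOCAL SERVICE, NETWORK SERVICE
$SubKey = 'Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing'

function Get-WinTrustRevocationState {
    # One row per hive: current State (hex) and whether revocation is being ignored.
    foreach ($sid in $Sids) {
        $path  = "Registry::HKEY_USERS\$sid\$SubKey"
        $state = $null
        if (Test-Path $path) {
            $state = (Get-ItemProperty -Path $path -Name State -ErrorAction SilentlyContinue).State
        }
        [pscustomobject]@{
            Sid               = $sid
            State             = if ($null -ne $state) { '0x{0:x}' -f $state } else { '(missing)' }
            RevocationIgnored = ($null -ne $state) -and (($state -band $IgnoreRevocationFlag) -ne 0)
        }
    }
}

function Restore-WinTrustRevocationCheck {
    # Clear only the ignore-revocation bit; every other flag in State is left as found.
    foreach ($sid in $Sids) {
        $path = "Registry::HKEY_USERS\$sid\$SubKey"
        if (-not (Test-Path $path)) { continue }
        $state = (Get-ItemProperty -Path $path -Name State -ErrorAction SilentlyContinue).State
        if ($null -eq $state) { continue }
        $new = $state -band (-bnot $IgnoreRevocationFlag)
        if ($new -ne $state) {
            Set-ItemProperty -Path $path -Name State -Value $new -Type DWord
            Write-Output ('{0}: State 0x{1:x} -> 0x{2:x} (reboot required)' -f $sid, $state, $new)
        }
    }
}

# Report only; call Restore-WinTrustRevocationCheck to undo the workaround.
Get-WinTrustRevocationState | Format-Table -AutoSize
```

A row showing RevocationIgnored = True on anything other than a test box is worth treating as a finding, since the server will then accept certificates that the CA has revoked.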

Related Articles, References, Credits, or External Links

NA

5 thoughts on “Exchange – Certificate Invalid ‘Revocation Check Failed’”

  1. The certificate still has the same status. I am looking for how to repair/renew/rekey the certificate.

    • What is stupid is you failing to read the…

      “However there may be some circumstances where you want the certificate to work but don’t have the time/inclination  to fix the CRL/OCSP. I found myself in this situation on my test network.”

      If you think I’m going to build an entire CRL/OCSP infrastructure – just to make an error go away on my test network – then you, sir, are an idiot.

      I’m not proposing this be done in a production environment.

  2. In your last screenshot, it still shows that the status is failed. Am I to understand that the fix will allow the certificate to be used for Exchange purposes, even though the status is failed?

    • That’s correct – again, this is just on a test machine. I would not do this on a production Exchange server.
