Exchange – Certificate Invalid ‘Revocation Check Failed’

KB ID 0001121 


When you check the status of a certificate in Exchange, it is displayed as ‘Invalid’ and the details show that the revocation check has failed.


This can happen if your certificate CA has its CRL or OCSP information set up incorrectly, or the Exchange server simply cannot access them to verify the validity of the certificate. If you are using your own CA, the correct way to fix the problem is to set up a CRL or an OCSP responder properly.

Windows Certificate Services – Setting up a CRL

Microsoft Certificate Services Configuring OCSP

However, there may be some circumstances where you want the certificate to work but don’t have the time/inclination to fix the CRL/OCSP. I found myself in this situation on my test network. I wanted to use this certificate but it was quicker to ‘hack’ Exchange than to fix the CRL and reissue certificates.

This is more a workaround than a fix: you can get Exchange to ‘not bother’ enforcing the revocation check. The certificate will still show as having a revocation error, but it won’t be flagged as ‘invalid’.

Run the registry editor (regedit) > Navigate to;

HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing

Change the State value to 23e00 (Hexadecimal).

Navigate to;

HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing

Change the State value to 23e00 (Hexadecimal).

Navigate to;

HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing

Change the State value to 23e00 (Hexadecimal).

Reboot the server and now the certificate view will have changed;
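The three registry edits above, as an added PowerShell example (not part of the original KB) that first audits whether the revocation-check bypass is already present on each of the three service-account hives, and can then apply or revert it with `-WhatIf` support. It assumes the usual default State value is 0x23c00 and that the 0x200 bit is the WinTrust “ignore revocation” flag, so that setting that bit on a default value gives the KB’s 0x23e00.

```powershell
# Added example, not from the original KB. Audits and optionally toggles the
# WinTrust "State" revocation-check bypass on the LocalSystem, LocalService and
# NetworkService hives (S-1-5-18 / S-1-5-19 / S-1-5-20).
# Assumption: 0x200 is the "ignore revocation" bit; default State is usually 0x23c00,
# so OR-ing the bit in produces the 0x23e00 value the KB describes.
$IgnoreRevocationBit = 0x200
$Hives = 'S-1-5-18', 'S-1-5-19', 'S-1-5-20'

function Get-WinTrustKeyPath([string]$Sid) {
    "Registry::HKEY_USERS\$Sid\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing"
}

# Audit: report the current State value and whether the bypass bit is set.
function Get-WinTrustRevocationState {
    foreach ($sid in $Hives) {
        $state = (Get-ItemProperty -Path (Get-WinTrustKeyPath $sid) -Name State -ErrorAction SilentlyContinue).State
        [pscustomobject]@{
            Hive              = $sid
            StateHex          = if ($null -ne $state) { '0x{0:x}' -f $state } else { '<missing>' }
            RevocationIgnored = ($null -ne $state) -and (($state -band $IgnoreRevocationBit) -ne 0)
        }
    }
}

# Apply the KB workaround (set the bit) or revert it (clear the bit), leaving
# every other bit in State untouched. Supports -WhatIf / -Confirm.
function Set-WinTrustRevocationState {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Revert)
    foreach ($sid in $Hives) {
        $key   = Get-WinTrustKeyPath $sid
        $state = (Get-ItemProperty -Path $key -Name State -ErrorAction SilentlyContinue).State
        if ($null -eq $state) { Write-Warning "State value not found under $key"; continue }
        $new = if ($Revert) { $state -band (-bnot $IgnoreRevocationBit) } else { $state -bor $IgnoreRevocationBit }
        if ($PSCmdlet.ShouldProcess($key, ('Change State 0x{0:x} -> 0x{1:x}' -f $state, $new))) {
            Set-ItemProperty -Path $key -Name State -Value $new -Type DWord
        }
    }
}

Get-WinTrustRevocationState | Format-Table -AutoSize
# Set-WinTrustRevocationState -WhatIf           # preview applying the workaround
# Set-WinTrustRevocationState -Revert -WhatIf   # preview restoring revocation checking
```

Run it elevated; the audit function is also a convenient way to confirm the workaround has been reverted once the CRL/OCSP problem is properly fixed.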

Related Articles, References, Credits, or External Links