Exchange – Certificate Invalid ‘Revocation Check Failed’

KB ID 0001121 

Problem

When you check the status of a certificate in Exchange, it is displayed as ‘Invalid’ and the details show that the revocation check has failed.

Solution

This can happen if your certificate CA has its CRL or OCSP information set up incorrectly, or the Exchange server simply cannot access them to verify the validity of the certificate. If you are using your own CA, the correct way to fix the problem is to set up a CRL or an OCSP responder properly.

Windows Certificate Services – Setting up a CRL

Microsoft Certificate Services Configuring OCSP

However there may be some circumstances where you want the certificate to work but don’t have the time/inclination to fix the CRL/OCSP. I found myself in this situation on my test network. I wanted to use this certificate, but it was quicker to ‘hack’ Exchange than to fix the CRL and reissue certificates.

This is more a workaround than a fix: you can get Exchange to ‘not bother’ enforcing the revocation check. The certificate will still show as having a revocation error, but it won’t be flagged as ‘Invalid’.

Run the registry editor (regedit) > Navigate to;

[box]
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
[/box]

Change the State value to 23e00 (Hexadecimal).

Navigate to;

[box]
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
[/box]

Change the State value to 23e00 (Hexadecimal).

Navigate to;

[box]
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
[/box]

Change the State value to 23e00 (Hexadecimal).

Reboot the server; the certificate view will now have changed:
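The three registry edits above are the same change made in three service-account hives (S-1-5-18 LocalSystem, S-1-5-19 LocalService, S-1-5-20 NetworkService). The following PowerShell is an added example, not code from the original article: it records the current State values before changing them, applies the value the article uses, and can put the recorded values back. The function names are my own, the backup path is an assumption, and the decoding of the changed bit comes from the WTPF_* flags in wintrust.h rather than from the article.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell
# on the Exchange server. Function names are hypothetical.

$Sids   = 'S-1-5-18', 'S-1-5-19', 'S-1-5-20'   # LocalSystem, LocalService, NetworkService
$SubKey = 'Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing'

# 0x23C00 is the default State value; 0x23E00 is what the article sets.
# The only difference is bit 0x200, which wintrust.h names WTPF_IGNOREREVOKATION:
# the change tells WinTrust to ignore revocation failures, it does not repair them.
$DefaultState    = 0x23C00
$WorkaroundState = 0x23E00

function Get-SoftwarePublishingState {
    # Report the current State value for each hive and whether revocation is being ignored.
    foreach ($sid in $Sids) {
        $path  = "Registry::HKEY_USERS\$sid\$SubKey"
        $state = (Get-ItemProperty -Path $path -Name State -ErrorAction SilentlyContinue).State
        [pscustomobject]@{
            Sid               = $sid
            Path              = $path
            State             = if ($null -ne $state) { '0x{0:X}' -f $state } else { '<missing>' }
            IgnoresRevocation = ($null -ne $state) -and (($state -band 0x200) -ne 0)
        }
    }
}

function Set-SoftwarePublishingState {
    param(
        [Parameter(Mandatory)][int]$Value,
        [string]$BackupFile = "$env:TEMP\WinTrustState-backup.json"   # assumed location
    )
    # Save the current values first so the change can be undone.
    Get-SoftwarePublishingState | ConvertTo-Json | Set-Content -Path $BackupFile
    foreach ($sid in $Sids) {
        $path = "Registry::HKEY_USERS\$sid\$SubKey"
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        Set-ItemProperty -Path $path -Name State -Value $Value -Type DWord
    }
}

function Restore-SoftwarePublishingState {
    param([string]$BackupFile = "$env:TEMP\WinTrustState-backup.json")
    # Write back the values recorded by Set-SoftwarePublishingState.
    foreach ($entry in (Get-Content $BackupFile | ConvertFrom-Json)) {
        if ($entry.State -ne '<missing>') {
            Set-ItemProperty -Path $entry.Path -Name State -Value ([int]$entry.State) -Type DWord
        }
    }
}

# Usage:
# Get-SoftwarePublishingState                           # show current values per hive
# Set-SoftwarePublishingState -Value $WorkaroundState   # apply the article's value, then reboot
# Restore-SoftwarePublishingState                       # put the recorded values back
```

Running Get-SoftwarePublishingState after the reboot is a quick way to confirm the change took in all three hives, and the IgnoresRevocation column makes it obvious on later audits that this server is not enforcing revocation, which is the reason the article prefers fixing the CRL/OCSP as the real solution.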

Related Articles, References, Credits, or External Links

NA

Exchange – ‘The certificate status could not be determined because the revocation check failed.’

KB ID 0000484 

Problem

Seen on Exchange (with or without service packs) when you access the internet through a proxy server. Note: Exchange does NOT take its proxy settings from Internet Explorer.

Solution

1. To prove that the proxy is the problem, drop to the command line and issue the following command:

[box]netsh winhttp show proxy[/box]


If it says “Direct Access (no proxy server)” and you have a proxy server, then that’s your problem.

2. Issue the following command:

[box]netsh winhttp set proxy proxy-server="http={proxy IP}:{port};https={proxy IP}:{port}" bypass-list="*.YourDomain.com"[/box]

3. Note: If at this point it all goes wrong (if you get it wrong, the Exchange Management Console won’t open, so test it to make sure), revert back to “no proxy” by issuing the following command:

[box]netsh winhttp reset proxy[/box]

You only need to do this if it has broken something!!

4. All being well your certificates should now display correctly.
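The point in the Problem section that trips people up is that Exchange uses the WinHTTP proxy, not the Internet Explorer one, so a machine can look “proxied” in the browser while its revocation checks still go direct. The PowerShell below is an added example, not code from the original article: it reads both settings and warns when they disagree. The function names are my own, the netsh output is parsed as text because netsh has no object output, and the proxy host in the usage lines is a constructed placeholder.

```powershell
# Added example (not from the original article). Function names are hypothetical.

function Get-WinHttpProxy {
    # This is the setting Exchange and its revocation checks actually use.
    # netsh prints "Direct access (no proxy server)." when nothing is configured.
    $text = (netsh winhttp show proxy) -join "`n"
    if ($text -match 'Direct access \(no proxy server\)') {
        return [pscustomobject]@{ Configured = $false; Server = $null; Bypass = $null }
    }
    $server = if ($text -match 'Proxy Server\(s\)\s*:\s*(.+)') { $Matches[1].Trim() }
    $bypass = if ($text -match 'Bypass List\s*:\s*(.+)')       { $Matches[1].Trim() }
    [pscustomobject]@{ Configured = $true; Server = $server; Bypass = $bypass }
}

function Get-IeProxy {
    # Per-user Internet Explorer / WinINet setting, which Exchange does NOT read.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Configured = ($p.ProxyEnable -eq 1)
        Server     = $p.ProxyServer
    }
}

function Compare-ProxyConfiguration {
    # Flag the classic mismatch: the browser works through a proxy, WinHTTP goes direct.
    $winhttp = Get-WinHttpProxy
    $ie      = Get-IeProxy
    if ($ie.Configured -and -not $winhttp.Configured) {
        Write-Warning ("IE uses proxy '{0}' but WinHTTP has no proxy: Exchange revocation " +
                       "checks will go direct and fail behind this proxy.") -f $ie.Server
    }
    [pscustomobject]@{ WinHttp = $winhttp; InternetExplorer = $ie }
}

# Usage (proxy.example.local:8080 is a constructed placeholder):
# Compare-ProxyConfiguration
# netsh winhttp set proxy proxy-server="http=proxy.example.local:8080;https=proxy.example.local:8080" bypass-list="*.yourdomain.com"
# netsh winhttp reset proxy    # back to direct access if the Exchange Management Console stops opening
```

Run Compare-ProxyConfiguration before and after step 2: before, it should warn; afterwards WinHttp.Configured should be true with the server you set, and the bypass list should cover your internal names so that Exchange does not try to reach domain-internal CRL distribution points through the proxy.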


Related Articles, References, Credits, or External Links

NA