EMC and certificates with failed revocation checks in Exchange 2010

Published Jul 26 2010 02:01 PM 61.6K Views
Microsoft

Starting with Exchange Server 2007, we added protection for Exchange data paths to Client Access Servers using SSL. SMTP communication between transport servers is also protected using TLS. To ensure this protection is enabled out-of-the-box, Exchange setup creates self-signed certificates and enables SSL and TLS by default. For external communication, we recommend that you procure certificates signed by a Certification Authority (CA) that is trusted by clients.

In Exchange 2010, we introduced new certificate management interfaces in the Exchange Management Console (EMC). Using the new certificate wizards in EMC, you can:

The status of a certificate that’s displayed in EMC is returned by the Get-ExchangeCertificate cmdlet. For CA-signed certificates, the certificate’s revocation status is checked in the Certificate Revocation List (CRL) published by the CA.

If Exchange can’t access the CRL, the certificate status is returned as RevocationCheckFailure by the shell. In EMC this is displayed as The certificate status could not be determined because the revocation check failed.

Screenshot: Status of certificate with revocation check failed
Figure 1: The status of a certificate with a failed certificate revockation check is displayed as 'The certificate status could not be determined because the revocation check failed.'

This can occur due to a number of reasons, for example:

  • Transient network connectivity failure or Internet outage
  • Network or proxy misconfiguration, or a firewall rule preventing Internet access
  • Intentional blocking of Internet connectivity from the server
  • Failure of CRL server
  • Issues with CA certificate

A failure to check certificate revocation status is different from a revoked certificate, where the CRL published by the CA has been checked and the certificate found to be revoked. For revoked certificates, the certificate status is explicitly returned as revoked.

Revoked certificate status in EMC
Figure 2: The status of a revoked certificate is displayed as 'This certificate is invalid for Exchange Server usage.'

Screenshot: Revoked certificate properties
Figure 3: Certificate properties of a revoked certificate indicate the certificate has been revoked

When a certificate fails a revocation check due to any of the above reasons, the EMC prevents you from assigning the certificate to any Exchange service. Note, this does not impact certificates that have already been assigned to Exchange services. The services will continue to function.

If the failure is due to a transient condition, you can retry when the server has Internet connectivity and can access the CRL. If it’s caused by network misconfiguration, you can retry after the issue has been resolved and Internet connectivity restored.

If you need to enable the certificate that’s in the RevocationCheckFailure status, you can use the Enable-ExchangeCertificate cmdlet from the shell. The EMC is more restrictive in how it treats certificates with a failed revocation check. It errs on the side of caution to prevent a revoked certificate from being assigned to a service, and thus impacting service.

We’ve received feedback from customers that you would like to be warned about a revocation check failure for a certificate, but still be able to assign the certificate to Exchange services from EMC. We’re considering the change in EMC behavior for a future release.

Bharat Suneja

10 Comments
Version history
Last update:
‎Jul 01 2019 03:53 PM
Updated by: