EMC and certificates with failed revocation checks in Exchange 2010
Published 07/26 courtesy of MS Exchange Team
Starting with Exchange Server 2007, we added protection for Exchange data paths to Client Access Servers using SSL. SMTP communication between transport servers is also protected using TLS. To ensure this protection is enabled out-of-the-box, Exchange setup creates self-signed certificates and enables SSL and TLS by default. For external communication, we recommend that you procure certificates signed by a Certification Authority (CA) that is trusted by clients.
In Exchange 2010, we introduced new certificate management interfaces in the Exchange Management Console (EMC). Using the new certificate wizards in EMC, you can:
- Generate a certificate signing request (CSR) to request a certificate signed by a CA
- Complete the pending certificate request when you receive a certificate signed by the CA
- Assign Exchange services to the certificate
- Renew certificates
- Export a certificate with its private key (the private key must be marked as exportable when the certificate is created; this is the default for certificate signing requests generated by using the EMC)
- Import certificates with a private key
- View certificate properties
The status of a certificate that’s displayed in EMC is returned by the Get-ExchangeCertificate cmdlet. For CA-signed certificates, the certificate’s revocation status is checked in the Certificate Revocation List (CRL) published by the CA.
If Exchange can’t access the CRL, the certificate status is returned as RevocationCheckFailure by the shell. In EMC this is displayed as "The certificate status could not be determined because the revocation check failed."
Figure 1: The status of a certificate with a failed certificate revocation check is displayed as "The certificate status could not be determined because the revocation check failed."
This can occur due to a number of reasons, for example:
- Transient network connectivity failure or Internet outage
- Network or proxy misconfiguration, or a firewall rule preventing Internet access
- Intentional blocking of Internet connectivity from the server
- Failure of CRL server
A failure to check certificate revocation status is different from a revoked certificate, where the CRL published by the CA has been checked and the certificate found to be revoked. For revoked certificates, the certificate status is explicitly returned as revoked.
Figure 2: The status of a revoked certificate is displayed as "This certificate is invalid for Exchange Server usage."
Figure 3: Certificate properties of a revoked certificate indicate that the certificate has been revoked.
When a certificate fails a revocation check due to any of the above reasons, the EMC prevents you from assigning the certificate to any Exchange service. Note, this does not impact certificates that have already been assigned to Exchange services. The services will continue to function.
If the failure is due to a transient condition, you can retry when the server has Internet connectivity and can access the CRL. If it’s caused by network misconfiguration, you can retry after the issue has been resolved and Internet connectivity restored.
If you need to enable the certificate that’s in the RevocationCheckFailure status, you can use the Enable-ExchangeCertificate cmdlet from the shell. The EMC is more restrictive in how it treats certificates with a failed revocation check. It errs on the side of caution to prevent a revoked certificate from being assigned to a service, and thus impacting service.
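The shell-side triage and override described above, as an added example that is not part of the original post. It assumes the Exchange Management Shell on an Exchange 2010 server, that the certificate is in the local machine's personal store, and a placeholder thumbprint you replace with the one shown in EMC.

```powershell
# Added example (not from the original post). Placeholder thumbprint: replace with the
# value EMC shows for the certificate whose revocation check failed.
$thumbprint = 'THUMBPRINT_FROM_EMC'

# 1. List every certificate with the status Get-ExchangeCertificate reports; this is the
#    same value EMC renders as the "could not be determined" message.
Get-ExchangeCertificate | Format-Table Thumbprint, Status, Services, NotAfter, Subject -AutoSize

# 2. Distinguish a failed revocation check from a certificate the CA actually revoked.
$cert = Get-ExchangeCertificate -Thumbprint $thumbprint
switch ($cert.Status) {
    'Revoked' {
        Write-Warning 'The CA has revoked this certificate; do not assign it to any service.'
        return
    }
    'RevocationCheckFailure' {
        Write-Host 'CRL could not be checked from this server; testing CRL reachability.'
    }
    default {
        Write-Host "Status is $($cert.Status); no override is needed."
        return
    }
}

# 3. Ask CryptoAPI to fetch the certificate's CRL/AIA URLs and report each result, which
#    separates a proxy/firewall or egress problem on this server from a CRL server outage.
#    The certificate is read from the machine store (assumed location) and written as DER.
$storeCert = Get-Item "Cert:\LocalMachine\My\$thumbprint"
$cerPath   = Join-Path $env:TEMP "$thumbprint.cer"
$derType   = [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert
[System.IO.File]::WriteAllBytes($cerPath, $storeCert.Export($derType))
certutil.exe -verify -urlfetch $cerPath

# 4. Only after the cause is understood (transient outage, deliberately blocked Internet
#    access) assign the services from the shell, which EMC refuses to do in this state.
#    -Services accepts any of IIS, SMTP, POP, IMAP, UM; confirm the assignment afterwards.
Enable-ExchangeCertificate -Thumbprint $thumbprint -Services 'IIS,SMTP'
Get-ExchangeCertificate -Thumbprint $thumbprint | Format-List Thumbprint, Status, Services
```

If certutil reports a failed CRL download for every URL while the CA is known to be up, the problem is local network or proxy configuration and the status should clear once it is fixed.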
We’ve received feedback from customers that you would like to be warned about a revocation check failure for a certificate, but still be able to assign the certificate to Exchange services from EMC. We’re considering the change in EMC behavior for a future release.