Knowledge Base

Question:
After I have imported a Sectigo certificate through the Exchange Management Console (EMC), I am unable to assign it any services due to the error message of: 'The certificate status could not be determined because the revocation check failed.'

Answer:
This can be caused by any number of different reasons:

 

• Lack of network connectivity or Internet Outage

 

• Network or proxy misconfiguration: See MS KB ID 979694

 

• Intentional blocking of Internet connectiopn from the server.

 

• CRL/OCSP issues with the CA.

 

• Stale or out of date CRL information.

 

• Missing or incomplete CA certificate(s) on server.

Troubleshooting steps:

 

• Verify that all certificates in the hierarchy are installed.

 

• Verify network & Internet connectivity.

 

• Verify connectivty to the CRL and OCSP URLs for all certificates in the certificate's hiearchy. (using a browser)

 

• Ensure that appropriate proxy settings are being used by Exchange. (Recommended, works 99.999% of the time) See MS KB ID 979694. Useful if you're using MS ISA or TMG!!

 

• Refresh CRL cache. See How to refresh the CRL cache on Windows (Windows PKI Blog)

If all else fails, use the 'Enable-ExchangeCertificate' cmdlet to enable the services for your certificate as this less restrictive than the EMC. See Assigning/Enable additional services on an existing certificate (Sectigo Support) for more information on how to do this.
 

Sources:

 

• Error message when you import a third-party certificate into Exchange Server 2010: 'The certificate status could not be determined because the revocation check failed' (Microsoft Support)

 

• EMC and certificates with failed revocation checks in Exchange 2010 (Exchange Team Blog)

 

• How to refresh the CRL cache on Windows Vista (Windows PKI Blog)