E2K10 Pilot Notes – Cert Revocation Check failure


E2K10 is stricter about certificates. If the Certificate Revocation Check (CRC) fails, you can’t assign the certificate to the services, so you must make sure the E2K10 server is able to communicate with the CA server to complete the CRC when generating the SAN cert.
CRC Error
We use an internal MS CA running on W2K3 to issue the E2K10 SAN cert, but the CRC still failed. After two days of troubleshooting, we realized the CA web service is running on port 82 instead of the default 80, while its CDP still points to port 80.
CDP-http
The solution is to delete the existing http CDP location (it can’t be edited), then create a new one with port 82, i.e.: http://:82/CertEnroll/…..
Thanks to the tip from http://myit4u.wordpress.com/2010/06/29/the-certificate-could-not-be-determined-because-the-revocation-check-failed/
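To catch this kind of CDP/port mismatch before the cert is assigned, the following PowerShell snippet (an added example, not from the original post) reads the CRL Distribution Point URLs out of an issued certificate, flags any http URL whose port differs from the port the CA web service really listens on, and tries a HEAD request against each one. The file path and the expected port 82 are assumptions taken from the scenario above.

```powershell
# Added example: check the CDP URLs embedded in a certificate against the
# port the CA web service actually listens on, and test that each is reachable.
param(
    [Parameter(Mandatory=$true)][string]$CertPath,  # exported .cer of the SAN cert (assumed path)
    [int]$ExpectedPort = 82                         # port the CA web service listens on (assumed)
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# OID 2.5.29.31 is the CRL Distribution Points extension
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdp) { Write-Warning 'Certificate has no CDP extension'; return }

# Format($true) renders the extension as text with one "URL=..." entry per location
$text = $cdp.Format($true)
$urls = [regex]::Matches($text, 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }

foreach ($u in $urls) {
    if ($u -notlike 'http://*') { "{0}`tskipped (not http)" -f $u; continue }
    $uri = [uri]$u
    # [uri].Port returns 80 when no port is given, so a stale default CDP shows up here
    $portNote = if ($uri.Port -ne $ExpectedPort) { "port $($uri.Port) != $ExpectedPort" } else { 'port ok' }

    $status = 'unreachable'
    try {
        $req = [System.Net.WebRequest]::Create($uri)
        $req.Method = 'HEAD'
        $req.Timeout = 5000
        $resp = $req.GetResponse()
        $status = 'HTTP {0}' -f [int]$resp.StatusCode
        $resp.Close()
    } catch { $status = $_.Exception.Message }

    "{0}`t{1}`t{2}" -f $u, $portNote, $status
}
```

Run it on the E2K10 server so the reachability test uses the same network path the revocation check does; `certutil -verify -urlfetch <cert.cer>` gives the same picture from the OS side.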

Reference:
http://exchangeserverpro.com/exchange-2010-certificate-revocation-checks-and-proxy-settings
http://exchangeserverpro.com/exchange-server-2010-certificate-invalid-for-exchange-server-usage-error
http://exchangeserverpro.com/how-to-issue-a-san-certificate-to-exchange-server-2010-from-a-private-certificate-authority

Two more points for getting the W2K3 CA enrollment web service running:
a. the app pool is assigned to “Network service” by default; it needs to be changed to “Local System”
b. “Bypass traverse checking” must be assigned at least to “Users”

This entry was posted in Exchange 2010, MS Exchange.