E2K10 Pilot Notes – Cert Revocation Check failure

E2K10 is stricter about certs. If the Cert Revocation Check (CRC) fails, you can’t assign the cert to the services. This means you must make sure your E2K10 server is able to communicate with the CA server to complete the CRC when you generate the SAN cert.
CRC Error
We use an internal MS CA running on W2K3 to service the E2K10 SAN cert, but it still failed the CRC. After 2 days of troubleshooting, we realized the CA web service is running on port 82 instead of the default 80, but its CDP still points to port 80.
The solution is to delete the existing HTTP location (it can’t be edited), then create a new one with port 82, i.e. http://:82/CertEnroll/…..
Thanks for the tip from http://myit4u.wordpress.com/2010/06/29/the-certificate-could-not-be-determined-because-the-revocation-check-failed/


Another 2 points for running the W2K3 CA enrollment web service:
a. The app pool is assigned to “Network service” by default; it needs to be changed to “Local System”.
b. “Bypass traverse checking” must be assigned to at least “Users”.
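
To confirm the CDP fix described above, the following added example (not from the original post) reads the CDP URLs out of an issued cert and tries to download each CRL over HTTP, reporting the port used. It assumes the cert has been exported to a .cer file; the path in `$CertPath` is a placeholder.

```powershell
# Added example: list the CDP URLs in a cert and test each HTTP one.
# Run it on the E2K10 server, since that is the machine doing the check.
param([string]$CertPath = 'C:\temp\san-cert.cer')   # placeholder path

function Get-CdpUrl {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # 2.5.29.31 is the OID of the CRL Distribution Points extension.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    # Format($true) renders the extension as text with one "URL=..." per line.
    [regex]::Matches($ext.Format($true), 'URL=(\S+)') |
        ForEach-Object { $_.Groups[1].Value }
}

function Test-CdpUrl {
    param([string]$Url)
    # LDAP and file locations are listed but not fetched here.
    if ($Url -notmatch '^https?://') { return 'skipped (not HTTP)' }
    $uri = [Uri]$Url
    try {
        $req = [System.Net.WebRequest]::Create($uri)
        $req.Timeout = 10000   # milliseconds
        $resp = $req.GetResponse()
        $code = [int]$resp.StatusCode
        $resp.Close()
        return "OK, HTTP $code on port $($uri.Port)"
    } catch {
        # Connection refused, timeout or 404: the CRL cannot be fetched.
        return "FAILED on port $($uri.Port): $($_.Exception.Message)"
    }
}

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$urls = @(Get-CdpUrl $cert)
if ($urls.Count -eq 0) { 'No CDP extension found in this cert.' }
foreach ($url in $urls) {
    '{0} -> {1}' -f $url, (Test-CdpUrl $url)
}
```

Running `certutil -verify -urlfetch` against the same .cer file performs the full chain and revocation check.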
