E2K10 is stricter about certs. If the Certificate Revocation Check (CRC) fails, you can’t assign the cert to the services, so you must make sure your E2K10 server is able to communicate with the CA server to complete the CRC when generating the SAN cert.
We use an internal MS CA running on W2K3 to issue the E2K10 SAN cert, but the CRC still failed. After 2 days of troubleshooting, we realized the CA web service is running on port 82 instead of the default 80, while its CDP still points at port 80.
The solution is to delete the existing http location in the CDP (it can’t be edited), then create a new one with port 82, i.e.: http://:82/CertEnroll/…..
Thanks for the tip from http://myit4u.wordpress.com/2010/06/29/the-certificate-could-not-be-determined-because-the-revocation-check-failed/
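A quick way to catch this kind of mismatch before handing the cert to Exchange is to pull the CDP URLs out of the issued certificate and try to fetch each CRL. The script below is an added example, not code from the original post or from Microsoft; the cert path is a placeholder, and it only tests HTTP CDPs (it runs on PowerShell 2.0 because it uses System.Net.WebClient rather than Invoke-WebRequest):

```powershell
# Added example, not code from the original post. It reads the CRL Distribution
# Point URLs out of a certificate file and tries to download each CRL, so a CDP
# that still says port 80 while the CA web service listens on port 82 shows up
# as a failed fetch before the cert is assigned to Exchange services.
# Assumption: $CertPath is a placeholder; point it at any .cer exported from the CA.
function Test-CdpReachability {
    param([string]$CertPath)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

    # 2.5.29.31 is the OID of the CRL Distribution Points extension
    $cdpExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $cdpExt) {
        Write-Warning "No CDP extension in $CertPath; Exchange will have nothing to check"
        return
    }

    # Format($true) renders the extension as text; each CDP appears as 'URL=...'
    $urls = [regex]::Matches($cdpExt.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }

    $web = New-Object System.Net.WebClient
    foreach ($url in $urls) {
        if ($url -notmatch '^http://') {
            Write-Output "SKIP  $url (not HTTP; LDAP CDPs need a different test)"
            continue
        }
        $port = ([Uri]$url).Port
        try {
            $bytes = $web.DownloadData($url)
            # A DER CRL starts with an ASN.1 SEQUENCE tag (0x30); anything else is
            # probably an IIS error page or directory listing, not a CRL
            if ($bytes.Length -gt 0 -and $bytes[0] -eq 0x30) {
                Write-Output "OK    $url (port $port) -> $($bytes.Length) bytes, looks like a DER CRL"
            } else {
                Write-Output "WARN  $url (port $port) -> $($bytes.Length) bytes, but not a DER CRL"
            }
        } catch {
            Write-Output "FAIL  $url (port $port) -> $($_.Exception.Message)"
            Write-Output "      confirm the CA web service actually listens on port $port"
        }
    }
}

Test-CdpReachability -CertPath 'C:\temp\exchange-san.cer'   # placeholder path
```

Run it on the Exchange server itself, since that is the host whose network path to the CA matters. The built-in equivalent is `certutil -verify -urlfetch <cert.cer>`, which walks the same CDP and AIA URLs. One caveat worth remembering: changing the CDP location on the CA only affects certificates issued afterwards, so a cert that was already issued with the port 80 URL has to be reissued before the revocation check will pass.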
Another 2 points for getting the W2K3 CA enrollment web service running:
a. the app pool is assigned to “Network Service” by default; it needs to be changed to “Local System”
b. “Bypass traverse checking” must be assigned at least to “Users”