<div>
Possible the CRL (Certificate revocation list) configuration is wrong on the new certificate server, or in AD. 
The means the comptures look for the old server to find out of the cert has been revoked. 
Depending on how you moved the CA to a new server you might find that the CRL has staed pointing to the old server. 
Some links that might help 
<a href="http://www.petenetlive.com/KB/Article/0000473.htm" rel="ugc">http://www.petenetlive.com/KB/Article/0000473.htm</a> 
<a href="http://www.windowsitpro.com/article/tips/moving-a-certificate-authority-ca-to-another-dc-" rel="ugc">http://www.windowsitpro.com/article/tips/moving-a-certificate-authority-ca-to-another-dc-</a> 
<a href="http://support.microsoft.com/kb/298138" rel="ugc">http://support.microsoft.com/kb/298138</a>
</div>

<div>
<a href="http://technet.microsoft.com/en-us/library/cc773036(v=ws.10)" rel="ugc">http://technet.microsoft.com/en-us/library/cc773036(v=ws.10)</a>
</div>

<div>
@carolchi: 
I don`t have the event id (6,13) mentioned in the first articlie. 
In the CA-list I have 3 certificationAuthoities. 
 
1. CA 
2. example 
3. example CA 
 
Problem is that I know that &quot;example CA&quot; is the correct one but I don`t know whether I can delete the other ones. 
 
And I really don`t know whether this is the problem. 
 
Which consequences are there when I have this error message?
</div>

<div>
No real consequances until you have a browser or a program which refuses to accept a certificate without a CRL. 
 
But since CRLs are often missing and are very big to download, most browsers don't check for them. 
<a href="http://blog.spiderlabs.com/2011/04/certificate-revocation-behavior-in-modern-browsers.html" rel="ugc">http://blog.spiderlabs.com/2011/04/certificate-revocation-behavior-in-modern-browsers.html</a> 
 
It can cause problems if you are trying to do NAP or authentication on your LAN or VPN using certificates, because AD is much fussier than a broswer.
</div>

<div>
OK, 
 
ven if I trie to create a new certificate in exchange. There is the same error. 
In the old certificate the is a revocation distribution point declared which points to the old CA-server which is offline now. 
After I added a new certificate int this certifcate there was a revocation-distribution point which points to the new server. 
 
Maybe I should try setting the proxy WinHTTP proxy server? Does it make sense to set this proxy server although there is no proxy needed to connect this url?
</div>

<div>
Look in server manager on your CA. 
Go to the Active Directory CA role 
Look at Enterprise PKI 
 
This will tell you if you have a problem with your CA and revocation lists. 
If that is all OK, then perhaps start messing around with the proxy, but in my experience you ahve to get the Enterprise PKI sorted out first.
</div>

<div>
Thanks for the hint. 
I now foubnd that under &quot;Coorporation CA&quot; there is an error entry: 
 
AIA-Location #1 (ldap:///xxx.xxx.xxx...) Download not possible 
The http-locations seem to be allright. 
 
Do you know what I could do?
</div>

<div>
You will have to fix this, it could be path or permissions: 
 
<a href="http://technet.microsoft.com/en-us/library/cc776904(v=ws.10).aspx" rel="ugc">http://technet.microsoft.com/en-us/library/cc776904(v=ws.10).aspx</a> 
 
<a href="http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/0c8649eb-eda9-4cf5-942a-ff6308dd9ce2/" rel="ugc nofollow">http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/0c8649eb-eda9-4cf5-942a-ff6308dd9ce2/</a>
</div>

<div>
OK, 
I only find threads where people have <a href="http://" rel="ugc nofollow">http://</a>&nbsp;distribution points which are not working properly. I have an ldap:/// distribution point for AIA#1 which is not working. 
 
So what should I do? 
Should I delete thsi ldap:/// distribution point and then create a new certificate for the exchange server? 
 
I`m a bit confused about that because in coorpration-pki menu in the server manager there is an error.
</div>

<div>
You have to edit the ldap:// distribution point so it points to the correct server. 
It can also have incorrect permissions (look in the CA) 
It can also not exist at all. 
 
this thread contains all the disagnostic tools 
<a href="http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/3c28feb6-6ff6-4917-bbbf-ef67ade068a5/" rel="ugc nofollow">http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/3c28feb6-6ff6-4917-bbbf-ef67ade068a5/</a> 
 
This one has the correct paths for ldap 
<a href="http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/283e1133-2d1e-4824-9d03-5b93c2cc1590/" rel="ugc nofollow">http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/283e1133-2d1e-4824-9d03-5b93c2cc1590/</a> 
 
<a href="https://www.experts-exchange.com/questions/26754486/Internal-Certificate-Authority-AIA-location-error-unable-to-download-from-LDAP-location.html" rel="ugc">https://www.experts-exchange.com/questions/26754486/Internal-Certificate-Authority-AIA-location-error-unable-to-download-from-LDAP-location.html</a> 
 
You may want to delete the entry, but I think it is used for AD authentication. 
You want to check in the file systen that the file is actually created, and in
</div>

<div>
has the AIA Distribution point something to do with the CRLs? 
Alle my CRL distribution points are OK right now but in exchange there still is the error message that that the CRL could not be accessed. 
 
And as mentioned. When I look into the certificate in exchange which is failing as CRl distribution point there is an LDAP and http-address of the old server which not online anymore.
</div>

<div>
They are all interlinked and it seems to me a sort of belt and braces set of solutions to the problems that CRLs are too big, and too slow, so everyone ignores them. 
I'm hoping Windows 2012 consilodates this but since they are &quot;standards&quot; which are not effective or functional Microsoft can't do it alone. 
 
You can edit to ldap address to point to a new server or delete is completely. 
 
When I was doing this a coupld of months ago (same reason - CA moved) I worked through the diagnostics, slogged away with ADSIEdit and got it all sorted. But it was not an easy process, as the different methods all overlap, and there is no coherent centreal store. 
 
At least you have the Enterprise PKI monitr which keeps telling you what is wrong.
</div>

<div>
No news, same state. 
I made some changed on the extensions: 
 

<pre><code class="code-10 nolinks" id="code-20-38147948-1">CertUtil: -getreg-Befehl wurde erfolgreich ausgeführt.

C:\Users\administrator.EXAMPLE&gt;certutil -getreg ca\CRLPublicationURLs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\example GmbH CA\CRLPublicationURLs:

 CRLPublicationURLs REG_MULTI_SZ =
 0: 65:C:\WINDOWS\system32\CertSrv\CertEnroll\%3%8%9.crl
 CSURL_SERVERPUBLISH -- 1
 CSURL_SERVERPUBLISHDELTA -- 40 (64)

 1: 79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10
 CSURL_SERVERPUBLISH -- 1
 CSURL_ADDTOCERTCDP -- 2
 CSURL_ADDTOFRESHESTCRL -- 4
 CSURL_ADDTOCRLCDP -- 8
 CSURL_SERVERPUBLISHDELTA -- 40 (64)

 2: 0:file://\\%1\CertEnroll\%3%8%9.crl

 3: 6:http://%1/CertEnroll/%3%8%9.crl
 CSURL_ADDTOCERTCDP -- 2
 CSURL_ADDTOFRESHESTCRL -- 4
</code></pre>
 
The URLs are working, I tested them via browser and LDAP-Browser. 
 
In Enterprise-PKI Status of all Locations (CRL, DeltaCRL) is OK. Only AIA-Location #1 (ldap): unable to download. For this I even´can`t find a solution. 
 
I took all the steps to move the CA to another server including registry and privileges. 
 
And we don`t have other problems with certificates except Exchange-webserver. 
 
I tried to set the WinHTTP-Proxy an the exchange-server. This didn`t help. I found contradictory entries regarding that. 
One said: For WinHTTP canges to take efect there has to be the Exchange Transport Service restart. 
Antother thread told nothing about that. 
 
At the moment I`m not abl to restart that service but I don`t think it is the issue because the proxy has always been in te network and the exchange has always used direct connection and the CRL lookup worked. 
 
I think the lookup doesn`t work since the old CA is offline. 
 
 
Any further suggestions?
</div>

<div>
I don't think it's a proxy problem. I think you could make a note of the AIA location and delete it. 
Then you must recreate the certificate, as the certificate &quot;knows&quot; the AIA location from when it was created. 
Then you must recyle and reset the web apps and web sites to to make sure the oll AIA entry is really gone. 
If you are them OK, you canleave it with no LDAP AIA, or you can recreate it for the new server.
</div>

<div>
Hi, 
 
I understand first steps. 
Bit what do you mean by following: 
 

<blockquote>
 
Then you must recyle and reset the web apps and web sites to to make sure the oll AIA entry is really gone. 
If you are them OK, you canleave it with no LDAP AIA, or you can recreate it for the new server 

</blockquote>
Which certificate must be new? The exchange-certificate? 
Which web aps must be recycled und reset? And on wich server? 
 
Thanks a lot!
</div>

<div>
In your CA you can choose to include the paths for the CRL, AIA etc in the certificate. 
The default is included. So certificates made on your CA &quot;know&quot; the path to the CA. 
 
Even after you fix the AIA problem on the CA / Download, your already issued certificates may still be looking for the old CA. 
So you have make new certificates on the corrected CA with the correct paths. 
 
The Exchange certificate is bound to the webservices and to the app pool on the IIS on your Exchange server. When you change the certificate you have to do an IIS reset. But sometimes it is also a good idea to recycle the app pool to be very sure that no paths to old or invalid AIA download locations are left anywhere in IIS.
</div>

<div>
Hi, 
 
now I removed the AIA-location &quot;ldap&quot;. in enterprise-PKI there is now error anymore because he failing ldap has been deleted. 
As soon as I try to re-create this location there is an error again. 
Is it allright to have an error in ldap-AIA-loactions? And is it OK to delete this entry? 
 
In exchange there is still no possibilty given to create a new certifictate. 
I have note reset the iis yet because I don`t know what will happen (Otlook connection reset etc. ??) when I restart the IIS on exchange server. 
But in the actual state, where my Enteprise PKI doesn`t show an error anymore: Why can`t I create a new certificate which is working? Why is there still the message taht CRL could not be found in exchange allthough there is no error anymore? 
 
Do I really have to restart IIS to get a new wrking certificate? 
can I do an IIS-Reset whithout losing any connection on user-side? 
 
Thanks a lot!
</div>

<div>
OK so now your CA is OK, but the certificate on the Exchange server is not OK. 
 
The old certificate is looking for some AIA or CRL that existed when the certificate was created. 
 
You must now make a new certificate for your Exchange server from the CA which is working. 
 
<a href="http://blogs.microsoft.co.il/blogs/eldadc/archive/2009/07/15/how-to-configure-exchange-2010-certificate.aspx" rel="ugc">http://blogs.microsoft.co.il/blogs/eldadc/archive/2009/07/15/how-to-configure-exchange-2010-certificate.aspx</a> 
<a href="http://www.msexchange.org/articles_tutorials/exchange-server-2010/management-administration/managing-certificates-exchange-server-2010-part1.html" rel="ugc">http://www.msexchange.org/articles_tutorials/exchange-server-2010/management-administration/managing-certificates-exchange-server-2010-part1.html</a>
</div>

<div>
As a I already said. I tried to make a new certificate but after importing the .cert-File in exchange there still is the message that CRL could not be downloaded allthogh there is the right http-URL configured and in the certicate which can be accessed by the browser.
</div>

<div>
I now uses Enable-ExchangeCertificate command and tried to activate the certificate with the unabled revocation like it`s mentioned on: <a href="http://blogs.technet.com/b/exchange/archive/2010/07/26/3410505.aspx" rel="ugc">http://blogs.technet.com/b/exchange/archive/2010/07/26/3410505.aspx</a> 
and 
<a href="http://technet.microsoft.com/en-us/library/aa997231.aspx" rel="ugc">http://technet.microsoft.com/en-us/library/aa997231.aspx</a> 
 
 

<pre><code class="code-1 nolinks" id="code-20-38149847-1">Enable-ExchangeCertificate -Thumbprint xxxxxx -Services POP,IIS
</code></pre>
 
After that there is the servie &quot;SMTP&quot; added to this certificate allthough I didn`t use it in the command. 
Now I`m afraid that something will fail because the certificate which has th wrong revocation status has SMTP enabled. 
Unfortunately now it is not possible to disable SMTP. 
 
As far as I can see and test, all mail goes out and in. 
 
Can somebody help?
</div>

<div>
So the CRL error message on certificate is solved or still u have it? what is the problem in moving the SMTP service to another certificate?
</div>

<div>
I still have this error with the self-signed cerificate from my AD-CA. Let me cut this post into 2 parts because I think it`s about different topics: 
 
1. 
There are two more certificates &quot;Microsoft Exchange&quot; where the issuer is the exchange server himself. Those two certificates have also assigned &quot;SMTP&quot;. 
I was oly afraid that any mail flow could fail because of the revocation failure with the certificate and &quot;SMTP&quot; assigned to it. 
Ich which case is this certificate used for SMTP? We have a single exchange2010 with CAS, Mailbox Hub-Transport installed. 
Income mail is received via PopCon from only mailboxes and delivered to local mailboxes. Outgoing mail goes through an internet mailrelay of our provider. 
 
2. 
There still is the error that revocation is not possible. 
I first figuered out that my Enterprise-CA doesn`t show anyproblems anymore. 
The old self-signed certificate has as CRL-URL the old CA-Server. So it can not access it fo CRLs. 
If I try to create a new certificate ECM shows the same error message allthough in the certificate there is the correct CRL-URL 
 
Here are my Locations´ 
CRL-Location #1: 

<pre><code class="code-1 nolinks" id="code-20-38152008-1">ldap:///CN=example%20GmbH%20CA,CN=exampleDC,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=example,DC=de?certificateRevocationList?base?objectClass=cRLDistributionPoint
</code></pre>
 
CRL-Delta-Location #1: 

<pre><code class="code-1 nolinks" id="code-20-38152008-2">http://exampleDC.example.de/CertEnroll/example%20GmbH%20CA+.crl
</code></pre>
 
CRL-Location #2: 

<pre><code class="code-1 nolinks" id="code-20-38152008-3">http://exampleDC.inside.de/CertEnroll/example%20GmbH%20CA.crl
</code></pre>
 
CRL-Delta-Location #2: 

<pre><code class="code-1 nolinks" id="code-20-38152008-4">ldap:///CN=example%20GmbH%20CA,CN=exampleDC,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=example,DC=de?deltaRevocationList?base?objectClass=cRLDistributionPoint
</code></pre>
 
Where exampleDC is our CA-server. 
 
All those locaions show up as OK in &quot;Enterprise-PKI&quot;-snapin. 
 
Any idea?
</div>

<div>
Your new CA is on DC? 
The new certificate (which shows error), whats the CDP entry on it? new CA or old CA? 
 
sorry, I got your CDP entries. 
 
will you check the sequence of URLs, certutil -getreg CA\CRLPublicationURLs
</div>

<div>
Yes my new CA is a DC &nbsp;Win2K8 R2. Before migration it was also a dc which is demoted now and it was a Win2K3. 
 
CDP new Certificate: 

<pre><code class="code-1 nolinks" id="code-20-38152121-1">URL=http://example.example.de/CertEnroll/example%20GmbH%20CA.crl

 URL=ldap:///CN=example%20GmbH%20CA,CN=exampleDC,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=example,DC=de?certificateRevocationList?base?objectClass=cRLDistributionPoint
</code></pre>
 
certutil -getreg CA\CRLPublicationURLs: 

<pre><code class="code-10 nolinks" id="code-20-38152121-2">c:\Windows\System32\certsrv\CertEnroll&gt;certutil -getreg CA\CRLPublicationURLs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\example GmbH CA\CRLPublicationURLs:

 CRLPublicationURLs REG_MULTI_SZ =
 0: 65:C:\WINDOWS\system32\CertSrv\CertEnroll\%3%8%9.crl
 CSURL_SERVERPUBLISH -- 1
 CSURL_SERVERPUBLISHDELTA -- 40 (64)

 1: 0:file://\\%1\CertEnroll\%3%8%9.crl

 2: 6:http://%1/CertEnroll/%3%8%9.crl
 CSURL_ADDTOCERTCDP -- 2
 CSURL_ADDTOFRESHESTCRL -- 4

 3: 79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10
 CSURL_SERVERPUBLISH -- 1
 CSURL_ADDTOCERTCDP -- 2
 CSURL_ADDTOFRESHESTCRL -- 4
 CSURL_ADDTOCRLCDP -- 8
 CSURL_SERVERPUBLISHDELTA -- 40 (64)

CertUtil: -getreg-Befehl wurde erfolgreich ausgeführt.
</code></pre>
</div>

<div>
The SMTP service does not need a certificate. It does opportunistic TLS. If it finds another SMTP server that has a certificate and does TLS then they do TLS. If the other server does not do TLS it does not do TLS (no certificate needed). 
 
The certificate is not important. It is exchanged every time TLS is used and does not have to match anything else. 
 
So you can change the certificate that is used for SMTP and restart the transport service.
</div>

<div>
I can`t change it becaus e of the revocation-message. This isn`t resolved yet. 
As long as I`m not able to add a new valid certificate I can`t change any services. 
 
As I told, CA is OK now but new certificates will still fail.
</div>

<div>
Hi wasim, 
 
One of the steps did the trick. 
First I set the renewal interval to 30 weeks. 
After tha I deacitivated publishing of http and setting only 2 options fo ldap publishing. 
After restart of CA my old certificat in exchange shows up OK. 
So I reset the renewal interval to 1 week and delta 1 day and restarted the CA. 
 
Creating new certificates now also works. 
 
Please have a look at my extension-configuration attached. 
Can you tell my whether this is a working configuration? 
 
<a href="https://filedb.experts-exchange.com/incoming/2012/07_w27/587320/Extensions.pdf" target="_blank" class="file-inline" title="extensin-config (529 KB)"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512"><path d="M67.508 468.467c-58.005-58.013-58.016-151.92 0-209.943l225.011-225.04c44.643-44.645 117.279-44.645 161.92 0 44.743 44.749 44.753 117.186 0 161.944l-189.465 189.49c-31.41 31.413-82.518 31.412-113.926.001-31.479-31.482-31.49-82.453 0-113.944L311.51 110.491c4.687-4.687 12.286-4.687 16.972 0l16.967 16.971c4.685 4.686 4.685 12.283 0 16.969L184.983 304.917c-12.724 12.724-12.73 33.328 0 46.058 12.696 12.697 33.356 12.699 46.054-.001l189.465-189.489c25.987-25.989 25.994-68.06.001-94.056-25.931-25.934-68.119-25.932-94.049 0l-225.01 225.039c-39.249 39.252-39.258 102.795-.001 142.057 39.285 39.29 102.885 39.287 142.162-.028A739446.174 739446.174 0 0 1 439.497 238.49c4.686-4.687 12.282-4.684 16.969.004l16.967 16.971c4.685 4.686 4.689 12.279.004 16.965a755654.128 755654.128 0 0 0-195.881 195.996c-58.034 58.092-152.004 58.093-210.048.041z"/></svg>Extensions.pdf</a> 
 
I wonder why the old certificate is working now allthough it has the wrong CRL-URL inside.
</div>

Extensions.pdf

<div>
Configuration is correct, wish to give http url a try n see what results comes up? 
Did u check the CDP value on old certificate?
</div>

<div>
CDP of old certificate has old server as CDP. 
Do I have to use http or is ldap enough? I`m happy it is working right now so I don`t want to make further experiments. 
In my test-lab there also is ldap the only CDP and there everything is working fine. 
I don`t really know why this is fixed now... But it it fixed! 
I`m not having any Delta-CDPs right now. Is this a problem?
</div>

<div>
<div class="content wysiwyg-content">
Hi Experts, 
 
today I saw that the exchange certificate I imported for OWA has the following status: 

<blockquote>
 
The Certificate Status could not be determined because the revocation check failed 

</blockquote>
 &nbsp; 
 
The certificate is from ou own CA which is located on our local network and it is for POP and IIS. When I created the certificate everything worked fine and the status was OK. 
Now that the status is as described also everything seems to be working fine. The OWA-Website can be accessed using https without certificate-warnings. 
 
So now I found some articles about wrong WinHTTP-Proxy-Setting. 
<a href="http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/299c8ebe-223c-43ab-8cbc-c8221991813a/" rel="ugc nofollow">http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/299c8ebe-223c-43ab-8cbc-c8221991813a/</a> 
 
OK, we have a proxy-server but it is not configured for the exchange server. The WInHTTP settings on exchange show &quot;direct connection&quot;. 
 
We made changes to our network infrastructure some weeks ago (supertnet, new DHCP-ranges, moved CA to anather server). 
Could those changes be responsible for this issue? 
 
Of course I can set the WinHTTP-Proxy settings to our proxy server but I don`t understand why I should do this. And our proxy requieres authentication... 
 
Has anybody a hint what I could do? 
 
Thanks a lot.
</div>
</div>

Hi Experts,

today I saw that the exchange certificate I imported for OWA has the following status:

The Certificate Status could not be determined because the revocation check failed
  

The certificate is from ou own CA which is located on our local network and it is for POP and IIS. When I created the certificate everything worked fine and the status was OK.
Now that the status is as described also everything seems to be working fine. The OWA-Website can be accessed using https without certificate-warnings.

So now I found some articles about wrong WinHTTP-Proxy-Setting.
http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/299c8ebe-223c-43ab-8cbc-c8221991813a/

OK, we have a proxy-server but it is not configured for the exchange server. The WInHTTP settings on exchange show "direct connection".

We made changes to our network infrastructure some weeks ago (supertnet, new DHCP-ranges, moved CA to anather server). 
Could those changes be responsible for this issue?

Of course I can set the WinHTTP-Proxy settings to our proxy server but I don`t understand why I should do this. And our proxy requieres authentication...

Has anybody a hint what I could do?

Thanks a lot.

The Certificate Status could not be determined because the revocation check failed

Exchange is the server side of a collaborative application product that is part of the Microsoft Server infrastructure. Exchange's major features include email, calendaring, contacts and tasks, support for mobile and web-based access to information, and support for data storage.