Exchange 2010 - Revoked SSL certificate

We were having an issue with re-keying an SSL cert for our OWA site.  As of this afternoon, we are running the new cert, however EMC is showing an error with the revocation status and it seems negligible to the functionality so far.  

Here is what happened: We went to install the new cert from GoDaddy, requested the cert to be rekeyed, went through the CSR process, downloaded the new cert, completed the request, then realized the cert process gave an error with revocation failing.  

Immediately I was trying to troubleshoot with networking and possibly issues with the firewall, but everything was wide open.  Upon countless searches I came across many people fixing their issues with NetSh commands to our proxy (we have it set to direct connection), but that did not fix our issue.  

Next I tried adding the CRL sites into the Trusted zones, let the firewall let all traffic from our subnet out without any restrictions, I tried clearing out the queues on CertUtil for both, that did nothing as well.  

I finally decided to check the cert manually and noticed there was no error.  According to CertUtil, the cert was completely fine.  So I started poking around IIS and realized it's still wanting to use the old cert obviously because the new one "is revoked and not authorized for use", and I forcibly added the cert there, went back to the EMC and noticed the cert still revoked, but has IIS as a service.

I tested with my mobile devices and confirmed the new cert is now being used.  This sounds all great, but the cert shows as a big red X and I'm afraid to even touch this considering the amount of damage this causes our users, especially since about half rely on mobile email.  

My question is, how can I troubleshoot this more?  What kind of options do I have to clean this mess up?  Is my work-around acceptable for long term use?  (we have about 4 years left on the cert).  

Any options and suggestions would be greatly welcomed!
Asked by OCUW

Chris commented:
After you installed the new cert, did you attach it to the services and then give them a restart to allow them to pick it up?

http://exchangeserverpro.com/how-to-assign-an-ssl-certificate-to-exchange-server-2010-services/
Chris commented:
When you say you manually checked it, did you do this by opening up the cert and looking at it?

You can use certutil to check them:

certutil -f -urlfetch -verify mycertificatefile.cer

or
certutil -URL [URL]  (where Url is the CRL point in the cert you have)
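The two certutil commands above only tell you whether CryptoAPI, running as the logged-on user, can build and revocation-check the chain. The added example below (written for this page, not posted by Chris or taken from the Exchange docs) runs that same check from the Exchange Management Shell, runs the equivalent .NET chain build, and then prints what Exchange 2010 itself records for the same thumbprint, so the two verdicts can be compared side by side. The certificate path is a placeholder, and the certutil output lines it greps for are assumed wording that varies a little between OS builds.

```powershell
# Added example: compare certutil / .NET revocation results with Exchange's own
# Status column for one certificate. Run in the Exchange Management Shell on the
# CAS as an administrator. $CertPath is a placeholder for the exported .cer file.
$CertPath = 'C:\certs\owa.cer'

# 1. Load the file so we know the thumbprint Exchange indexes the cert by.
$cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
Write-Host "Subject    : $($cert.Subject)"
Write-Host "Thumbprint : $($cert.Thumbprint)"
Write-Host "Expires    : $($cert.NotAfter)"

# 2. Full chain build with online CRL/OCSP fetch (the command suggested above).
#    Only the lines about revocation and the final verdict are shown; the
#    patterns are assumptions about certutil's wording.
$out  = & certutil.exe -f -urlfetch -verify $CertPath 2>&1
$exit = $LASTEXITCODE
$out | Select-String -Pattern 'Revocation', 'Verified Issuance', 'command (completed|FAILED)' |
    ForEach-Object { $_.Line.Trim() }
if ($exit -ne 0) { Write-Warning "certutil exited with $exit : chain or revocation check failed" }

# 3. The same check through .NET, which is the chain engine managed code uses.
#    EntireChain forces revocation checks on every certificate, not just the leaf.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$built = $chain.Build($cert)
Write-Host "X509Chain.Build() : $built"
foreach ($s in $chain.ChainStatus) {
    Write-Host "  $($s.Status): $($s.StatusInformation.Trim())"
}

# 4. What Exchange 2010 recorded for the same thumbprint. Status is the field
#    EMC renders as the red X; Services shows what it is currently bound to.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Status, Services, IsSelfSigned, RootCAType, NotAfter, CertificateDomains
```

If steps 2 and 3 both pass but step 4 still reports a revocation failure, the cert itself is fine and the problem is the context the Exchange check runs in (proxy, firewall, or cached CRL state), which is what the rest of this thread goes on to chase.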
OCUW (Author) commented:
"After you installed the new cert, did you attach it to the services and then give them a restart to allow them to pick it up?"

No, you aren't allowed to assign it any services while it displays the error.  The only options available through the EMC are to renew or remove.  I know I could manually assign it the IIS service through cmdlet, but that could have an adverse effect on the service itself and opted out of doing so.

I manually checked the cert with the command you put down; the output showed it completed without errors and matched up with GoDaddy's website.  I'm confused why Exchange won't approve the cert but CertUtil will.

Chris commented:
Exchange is more restrictive in its revocation checks; I have seen this issue once in our environment.

Have a look at this TechNet blog: http://blogs.technet.com/b/exchange/archive/2010/07/26/emc-and-certificates-with-failed-revocation-checks-in-exchange-2010.aspx

Try the Enable-ExchangeCertificate cmdlet to see if you can force it.

Along with the netsh commands, you can try running IE to see if there are any IE settings which have been tattooed into the registry,

using PsExec from the Sysinternals pack:

psexec -s -i "%programfiles%\internet explorer\iexplore.exe"

Check to see what proxy settings it has there.
OCUW (Author) commented:
Thanks for the blog URL, but I went through the entire thing multiple times with no luck, obviously, with the exception of the cmdlet attempt.  Would doing so have any adverse effect on the production environment, in the case it fails?

I ran the command and it appears it was using our proxy server, which is strange since netsh was direct connect as well as the IE settings under the current logged in user.  The settings were correct, however, and I was able to browse the URL given from the cert itself.
Chris commented:
As long as you are confident of the cert then no, it shouldn't. You are just enabling the cert and the services that you will attach to the cert.
If you do it out of hours then you can check and make sure it's functioning before worrying about users.

We have had issues with the proxy server settings tattooing into the registry. If you look into HKEY_USERS and S-1-5-18 you should be able to find the proxy settings in there, and maybe in the default user as well.
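Chris's advice in the two comments above comes down to three things: find every proxy setting a revocation check on this server could pick up (the logged-on user's IE settings, the LocalSystem hive at HKEY_USERS\S-1-5-18, the default user, and the machine-wide WinHTTP proxy), prove the CRL is reachable from that context, and then force the binding with Enable-ExchangeCertificate. The added example below does all three in one pass; it was written for this page and is not code from the thread or from Microsoft. The CRL URL and the thumbprint are placeholders to be taken from the real certificate, and the iisreset at the end is the restart Chris mentions, so run it out of hours.

```powershell
# Added example: dump proxy settings from every context that matters for a
# revocation check, test CRL reachability, then bind the cert to IIS.
# Run in the Exchange Management Shell as an administrator.

function Get-ProxyFromKey([string]$Key) {
    # Internet Settings are stored per hive; return $null if the key is absent.
    if (-not (Test-Path $Key)) { return $null }
    $p = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Key         = $Key
        ProxyEnable = $p.ProxyEnable      # 1 = use ProxyServer
        ProxyServer = $p.ProxyServer      # host:port or per-protocol list
        AutoConfig  = $p.AutoConfigURL    # PAC file, if any
    }
}

# HKEY_USERS is not a default PowerShell drive; map it once.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

$sub  = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$keys = @(
    "HKCU:\$sub",           # the logged-on admin: what EMC and IE see
    "HKU:\S-1-5-18\$sub",   # LocalSystem: what psexec -s iexplore.exe would show
    "HKU:\.DEFAULT\$sub"    # default profile, inherited by new profiles and some services
)
$keys | ForEach-Object { Get-ProxyFromKey $_ } | Format-Table -AutoSize

# Machine-wide WinHTTP proxy (what "netsh winhttp set proxy" changes); this is
# separate from the per-user IE settings above.
Write-Host '--- netsh winhttp show proxy ---'
netsh winhttp show proxy

# Can this box actually download the CRL the cert points at?
# $crlUrl is a placeholder: take the real URL from the cert's CRL Distribution Points.
$crlUrl = 'http://crl.example.invalid/root.crl'
try {
    $req = [System.Net.WebRequest]::Create($crlUrl)
    $req.Timeout = 10000
    $resp = $req.GetResponse()
    Write-Host "CRL fetch: $($resp.StatusCode) ($($resp.ContentLength) bytes)"
    $resp.Close()
} catch {
    Write-Warning "CRL fetch failed: $($_.Exception.Message)"
}

# Finally, bind the cert to IIS regardless of the Status column EMC shows.
# $thumb is a placeholder for the new certificate's thumbprint.
$thumb = '0000000000000000000000000000000000000000'
Get-ExchangeCertificate -Thumbprint $thumb | Format-List Status, Services
Enable-ExchangeCertificate -Thumbprint $thumb -Services IIS -Confirm:$false
iisreset /noforce    # IIS picks the new binding up after a restart; do this out of hours
Get-ExchangeCertificate -Thumbprint $thumb | Format-List Status, Services
```

A proxy that shows up only under S-1-5-18 or .DEFAULT is exactly the "tattooed" case described above: the interactive user browses the CRL URL fine while the check that runs as SYSTEM is pointed at a proxy nobody configured on purpose.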
OCUW (Author) commented:
Well, technically the cert is already enabled within EMC with IIS as the only service; it just shows a fat red X and an error.  I will try enabling it through the cmdlet and use a VMware snapshot just in case things go south.

Thanks for the additional info!
OCUW (Author) commented:
I've requested that this question be closed as follows:

Accepted answer: 0 points for OCUW's comment #a39575116

for the following reason:

Excellent response time and submissions.
Chris commented:
Points don't seem to have been assigned.