Certificate Revocation Check Failed Microsoft Exchange 2016

Caspar 281 Reputation points
2021-12-08T15:29:17.15+00:00

Hi, I have seen this issue a couple of times now. When I request a new SSL certificate to be used in Exchange, an official Sectigo certificate, and I want to start using it right away in Exchange, I usually get the message "Certificate Revocation Check Failed". At this point the certificate cannot be used even though it is valid. If I open it in the Certificates MMC snap-in, it tells me everything about the certificate is OK.

I have seen a lot of posts online with all sorts of fixes, but the last 3 times this happened to me the issue went away by itself after 24 hours without me doing anything at all.

So to me it seems there has to be some sort of process on the server that performs this check, either a service that checks or a list of certificates that is being verified with an offline cache or something.

Does anyone know how to trigger a new certificate revocation check for Exchange? There has to be a process that does this. I also believe rebooting the server fixed this message right away but I don't want to bother so many users.

I am absolutely sure that if I come back to this post in 24 hours from now the issue has disappeared by itself.

Exchange Server Management

4 answers

  1. KyleXu-MSFT 26,226 Reputation points
    2021-12-09T07:11:31.297+00:00

    @Caspar

    Make sure your Exchange server can connect to the Internet, otherwise it cannot communicate with the CA server to check your certificate state.

    If you are using Exchange 2010, this article may also be useful to you: Certificate status could not be determined because revocation check failed when importing third-party certificate




    1 person found this answer helpful.

  2. John Jones 5 Reputation points
    2024-01-22T16:56:15.94+00:00

    Even though this post is old, the issue still occurs. In my case it had to do with the delay between when GoDaddy issued the certificate and when they actually placed the .crl file on their CRL web site. Check for the .crl as Andy mentioned above; if it isn't there, the file has not been replicated yet and you will have to wait. Took about an hour for me.

    1 person found this answer helpful.

  3. Andy David - MVP 144K Reputation points MVP
    2021-12-08T16:04:33.1+00:00

    Typically you just need to browse to the CDP URL from the server to force it:
    So check the cert for that URL:

    [screenshot: certificate details, showing the CRL Distribution Point (CDP) URL to browse to]

    If that doesn't work, clear the cache on the server:

    https://exchangemaster.wordpress.com/tag/crl/

    Another option that may work:

    Download the Digicert Cert checker and run it on the server:

    https://www.digicert.com/support/tools/certificate-utility-for-windows


  4. Pourya Sadri 0 Reputation points
    2024-06-21T11:25:03.15+00:00

    @Caspar

    For Microsoft Exchange to download the CRL from its distribution point and contact the OCSP server, you need to open port 80 from the Exchange server toward the OCSP and CDP servers on the firewall. The connection establishment is one-way, so it remains secure.

    "certutil.exe -urlcache crl delete" will remove all the CRL cache from the server. Execute it as the SYSTEM account to make sure the CRL cache is removed from the computer profile.
