Certificate Revocation Check Failed Microsoft Exchange 2016

Caspar 281 Reputation points
2021-12-08T15:29:17.15+00:00

Hi, I have seen this issue a couple of times now. When I request a new SSL certificate to be used in Exchange, an official Sectigo certificate, and I want to start using it right away in Exchange I usually get the message "Certificate Revocation Check Failed". At this point the certificate cannot be used even though it is valid. If you use MMC with Certificates it tells me everything about the certificate is OK.

I have seen a lot of posts online with all sort of fixes but the last 3 times this happened to me, the issue went away by itself after 24 hours without me doing anything at all.

So to me it seems there has to be some sort of process on the server that performs this check, either a service that checks or a list of certificates that is being verified with an offline cache or something.

Does anyone know how to trigger a new certificate revocation check for Exchange? There has to be a process that does this. I also believe rebooting the server fixed this message right away but I don't want to bother so many users.

I am absolutely sure that if I come back to this post in 24 hours from now the issue has disappeared by itself.

Exchange Server Management
Exchange Server Management
Exchange Server: A family of Microsoft client/server messaging and collaboration software.Management: The act or process of organizing, handling, directing or controlling something.
7,212 questions
{count} votes

3 answers

Sort by: Most helpful
  1. KyleXu-MSFT 26,196 Reputation points
    2021-12-09T07:11:31.297+00:00

    @Caspar

    Make sure your Exchange server can connect to the Internet, otherwise it cannot communicate with the CA server to check your certificate state.

    If you are using Exchange 2010, this article may also be useful to you: Certificate status could not be determined because revocation check failed when importing third-party certificate


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


    1 person found this answer helpful.
    0 comments No comments

  2. Andy David - MVP 138K Reputation points MVP
    2021-12-08T16:04:33.1+00:00

    Typically you just need to browse to the CDP URL from the server to force it:
    So check the cert for that URL:

    155890-image.png

    If that doesnt work, clear the cache on the server:

    https://exchangemaster.wordpress.com/tag/crl/

    Another option that may work:

    Download the Digicert Cert checker and run it on the server:

    https://www.digicert.com/support/tools/certificate-utility-for-windows


  3. John Jones 0 Reputation points
    2024-01-22T16:56:15.94+00:00

    Even though this post is old, the issue still occurs. In my case if had to do with the delay between when GoDaddy issued the certificate and when they actually placed the .crl file on their web crl site. Check for the .crl as Andy mentioned above, if it doesn't find it, the file has not been replicated yet and you will have to wait. Took about an hour for me.

    0 comments No comments