The certificate was still valid, but the Exchange server couldn't verify that it hadn't been revoked. No clients were affected by this issue. Viewing the certificate on a client accessing OWA showed as valid.
Like many organizations, this organization has a proxy between the internal network and the Internet. For the Exchange Servers to verify the CRL, they need to download it from the source specified in the certificate. This had been working, so, what changed?
It turns out that as part of troubleshooting connectivity to WSUS from the Exchange servers, the proxy configuration was removed. The connectivity for CRL verification is handled by the operating system. So, we needed to setup the proxy again.
The simplest way to configure the proxy for the operating system is to first configure the proxy settings in IE and them import them. After configuring IE proxy settings properly, use the following steps:
- Open a command prompt.
- Type netsh and press Enter.
- At the netsh prompt, type winhttp and press Enter.
- Type import proxy source = ie and press Enter.
For some additional info about verifying certificates, see: http://byronwright.blogspot.ca/2016/10/expired-offline-root-ca-crl-causes.html