Thursday, October 6, 2016

Exchange Server Unable to Verify CRL

I just recently ran into another issue related to certificate revocation list (CRL) verification. This time it was an Exchange 2010 organization that had been fine when we initially installed the certificates, but now the Exchange Management Console was showing the currently assigned certificate with a red X and an error message indicating that the CRL for the certificate could not be verified.

The certificate was still valid, but the Exchange server couldn't verify that it hadn't been revoked. No clients were affected by this issue; viewing the certificate from a client accessing OWA showed it as valid.

Like many organizations, this one has a proxy between the internal network and the Internet. For the Exchange servers to verify the CRL, they need to download it from the CRL distribution point specified in the certificate. This had been working, so what changed?

It turns out that as part of troubleshooting connectivity to WSUS from the Exchange servers, the proxy configuration was removed. The connectivity for CRL verification is handled by the operating system (WinHTTP), not by Exchange itself. So, we needed to set up the proxy again.

The simplest way to configure the proxy for the operating system is to first configure the proxy settings in IE and then import them into WinHTTP. After configuring the IE proxy settings properly, use the following steps:
  1. Open a command prompt.
  2. Type netsh and press Enter.
  3. At the netsh prompt, type winhttp and press Enter.
  4. Type import proxy source = ie and press Enter.
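As an added worked example that is not part of the original post, the same import done from an elevated PowerShell (or cmd) prompt on the Exchange server, followed by a check that the CRL can actually be downloaded through the new proxy setting. The certificate file path is a hypothetical placeholder; export the Exchange certificate to a .cer file first. Note that the import reads the IE settings of the account running the command, so run it as the account you configured IE for.

```powershell
# Added example (not from the original post): re-apply the WinHTTP proxy
# and confirm the server can reach the CRL. Assumes the exported Exchange
# certificate is at C:\temp\exchange.cer (hypothetical path) and that the
# IE proxy settings have already been configured for the current user.

# Show the WinHTTP proxy currently in effect (this is what the OS uses
# for CRL downloads; "Direct access (no proxy server)" means none is set).
netsh winhttp show proxy

# Copy the current user's IE proxy settings into WinHTTP.
# Equivalent to the four interactive netsh steps above.
netsh winhttp import proxy source=ie

# Alternative when you want the setting explicit rather than taken from IE:
# netsh winhttp set proxy proxy-server="proxy.example.com:8080" bypass-list="<local>;*.example.com"

# Confirm the change took effect.
netsh winhttp show proxy

# Build the chain and fetch the CRL/AIA URLs from the certificate through
# WinHTTP. Check the revocation lines near the end of the output; a CRL that
# cannot be reached shows up as a revocation-offline error, and a healthy
# result reports the leaf and CA revocation checks as passed.
certutil -verify -urlfetch C:\temp\exchange.cer

# Re-check what Exchange itself now thinks of the certificate.
Get-ExchangeCertificate | Format-List Subject, Thumbprint, NotAfter, Status
```

If certutil still reports the CRL as unreachable after the import, the proxy itself is the next thing to check (authentication requirements, or an allow-list that does not include the CRL distribution point host), since the failure is in the download, not in the certificate.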
For some other notes about Exchange Server and proxies, see: http://byronwright.blogspot.ca/2014/09/firewalls-and-proxy-for-exchange-hybrid.html

For some additional info about verifying certificates, see: http://byronwright.blogspot.ca/2016/10/expired-offline-root-ca-crl-causes.html
