RootCA CDP locations expired
I have a Windows 2003 certificate authority with an offline RootCA and an online Issuing CA. I also have Exchange 2010 and have requested an internal certificate from my internal CA. After importing the Exchange cert, I see an error about the certificate not being valid because the revocation check failed. I then ran certutil verify urlfetch C:\CertificateName.cer >Log.txt on the certificate and noticed this error in the log:

---------------- Certificate AIA ----------------
Revocation Check Failed "Certificate (0)" Time: 0
[0.0] ldap:///CN=MyOrg,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=Domain,DC=Local?cACertificate?base?objectClass=certificationAuthority
Revocation Check Failed "Certificate (0)" Time: 0
[1.0] http://CAserver/CertEnroll/CAserver.local_MyOrg.crt
The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)

I ran the same command on another internal cert and see the same errors in the log. This led me to believe there's nothing wrong with Exchange and that it's a cert issue instead. I then used pkiview to open our certificate authority and noticed that under the RootCA, the CDP locations have expired (http and ldap); however, under the Issuing CA tree, the CDP locations are OK. Could this be why the revocation checks are failing? The offline CA server is not here anymore, so how can I fix this issue without the root CA server?
April 30th, 2012 7:59pm

You should bring up your offline root CA and republish its CRL to both the web server and LDAP, as described in http://technet.microsoft.com/en-us/library/cc782041(v=WS.10).aspx

You can refer to http://www.microsoft.com/downloads/details.aspx?FamilyID=0BC67F4E-4FCF-4717-89E8-D0EE5E23A242&displaylang=e&displaylang=en for more information about the best practises for PKI, which contains the following description of the CRL configuration for an offline root CA:

A CRL for an offline CA should always be published a few days before expiration to allow for unexpected issues. The publication interval for issuing CAs should be set according to the type of issued certificates. Authentication certificates might require a less frequent publication schedule than other certificate types.

l love .net
April 30th, 2012 11:56pm
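As an added example (not from either post), the check and the republish procedure the answer describes, in PowerShell with certutil: confirm that the root CRL at the HTTP CDP has passed its NextUpdate, then regenerate it on the restored root CA and push it to the web and LDAP CDPs. The CRL file name MyOrg.crl, the \\CAserver\CertEnroll share and the 52-week CRL lifetime are assumptions; CAserver, MyOrg and C:\CertificateName.cer come from the question.

```powershell
# Added example for this thread, not the original poster's or Microsoft's code.
# CAserver, MyOrg and C:\CertificateName.cer are from the question; the CRL file
# name, the CertEnroll share and the 52-week lifetime are assumed placeholders.

# --- 1. On any domain member: confirm the root CRL at the HTTP CDP is expired ---
$CdpUrl  = 'http://CAserver/CertEnroll/MyOrg.crl'      # assumed root CRL name
$CrlFile = Join-Path $env:TEMP 'MyOrg.crl'
(New-Object System.Net.WebClient).DownloadFile($CdpUrl, $CrlFile)   # works on PS 2.0

# certutil -dump prints the CRL validity window; a NextUpdate in the past means
# every client sees an expired CRL and reports 0x80092013 (server "offline").
$nextLine   = (certutil -dump $CrlFile | Select-String 'Next\s*Update:').Line
$nextUpdate = [datetime]::Parse(($nextLine -split 'Next\s*Update:')[1].Trim())
if ($nextUpdate -lt (Get-Date)) {
    Write-Warning "Root CRL expired $nextUpdate; revocation checks fail until it is republished."
}

# --- 2. On the restored offline root CA (its private key must sign the new CRL) ---
# A long root CRL lifetime keeps trips to the offline box rare; restart the
# service so the registry change is read before the CRL is generated.
certutil -setreg CA\CRLPeriodUnits 52
certutil -setreg CA\CRLPeriod 'Weeks'
Restart-Service CertSvc
certutil -CRL                                   # new CRL lands in CertSrv\CertEnroll
$NewCrl = Join-Path $env:SystemRoot 'System32\CertSrv\CertEnroll\MyOrg.crl'

# --- 3. Publish to the HTTP CDP (web share) and the LDAP CDP (needs Enterprise Admin) ---
Copy-Item $NewCrl '\\CAserver\CertEnroll\'      # assumed share behind http://CAserver/CertEnroll
certutil -dspublish -f $NewCrl                  # writes ldap:///CN=...,CN=CDP,... object

# --- 4. On the Exchange server: drop the cached (expired) CRL and re-run the check ---
certutil -urlcache * delete
certutil -verify -urlfetch C:\CertificateName.cer   # the AIA/CDP section should now pass
```

Step 2 cannot be substituted: only the root CA's private key can sign its CRL, so if that server cannot be restored from a backup, the option left is to rebuild the root and re-issue the chain.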

This topic is archived. No further replies will be accepted.
