TLS certificate validation - RevocationOffline
Hi, I am setting up an Edge Transport server without using EdgeSync. I have successfully enabled TLS certificates on both internal Hub Transport servers, and also on the Edge Transport server, using my internal PKI. For the Edge server, I have imported the trusted Root CA certificate chain from my PKI. I can send email externally OK.

However, when I receive email from the internet and the Edge relays to the Hub, I receive an error that the Edge Transport cannot validate the certificate of the Hub; specifically, the error is "RevocationOffline".

I have checked the certificates on all servers, and they have LDAP, HTTP and File "CRL Distribution Points" defined. On the CA, I note that for the HTTP CDP, the option to "Publish CRLs to this location" is greyed out. However, the options for "Include in CRLs" and "Include in the CDP extension of issued certificates" are ticked. For File, everything except the last and second options is ticked. For LDAP, all but the last option is ticked.

I have allowed and confirmed access to the HTTP location and also the file location from the Edge server. However, I still receive the error "RevocationOffline". How come the option to publish to the HTTP CDP is greyed out? This is my next thought of where the problem lies. Does anyone have any other ideas or solutions?
June 16th, 2012 3:30am

I have checked in pkiview.msc that both the CRL and Delta CRL CDPs are OK. I can browse to both HTTP locations from the Edge Transport server. However, only the CRL location is in the certificate; I assume this is used to find the delta HTTP URL. When I download the CRL or Delta CRL file and look at the "Published CRL Locations" field, I only see the LDAP URL. Is this normal? Any ideas why the Edge server still cannot check the revocation status?
June 16th, 2012 3:39am

When I export the cert of the Hub, copy it to the Edge and run certutil -verify -urlfetch cert.cer, it says Failed "CDP", which is the LDAP path. It then says Verified "Base CRL (02)", which is the HTTP path.
June 16th, 2012 6:58pm

Regarding publishing the CRL to the HTTP CDP: AD CS does not support publishing to an HTTP CDP, and you need to make sure the CRL files are copied to the designated web server/site. The "Published CRL Location" path is not used during validation, and for the delta CRL the "Freshest CRL" path is used to locate and download the delta. Make sure at least one CDP URL is reachable from the Edge server and that the freshest CRL files are automatically published/copied to that location. Are you using any HTTP proxy to access web resources when logged in as a user? /Hasain
June 17th, 2012 4:28am
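The script below is an added example for this thread, not code from any of the posters or from Microsoft. It reproduces on the Edge server what the reply above describes: it builds the chain for the exported Hub certificate with the same revocation policy certutil uses (online checking, root excluded), reports the chain status flags (OfflineRevocation / RevocationStatusUnknown is the condition Exchange surfaces as RevocationOffline), and then walks every CDP and Freshest CRL URL in each chain element in order, fetching the HTTP ones and showing their ThisUpdate/NextUpdate so a stale copy on the web server is obvious. The certificate path C:\exchange.cer is the one used in the certutil run later in the thread; certutil.exe on PATH and a .NET X509Chain are assumed.

```powershell
# Added example (not from the thread): build the chain for the Hub certificate
# the way the transport service does, then test every CRL URL in the chain.
# Assumptions: the Hub certificate was exported to C:\exchange.cer (hypothetical;
# use the file you copied to the Edge server) and certutil.exe is on PATH.
param([string]$CertPath = 'C:\exchange.cer')

$X509 = 'System.Security.Cryptography.X509Certificates'
$cert = New-Object "$X509.X509Certificate2" $CertPath

# 1. Chain build with the revocation policy certutil printed:
#    CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT == Online + ExcludeRoot.
$chain = New-Object "$X509.X509Chain"
$chain.ChainPolicy.RevocationMode      = 'Online'
$chain.ChainPolicy.RevocationFlag      = 'ExcludeRoot'
$chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 30
$built = $chain.Build($cert)
"Chain build succeeded: $built"
foreach ($s in $chain.ChainStatus) {
    # OfflineRevocation / RevocationStatusUnknown here is what Exchange
    # reports as RevocationOffline.
    "  ChainStatus: {0} - {1}" -f $s.Status, "$($s.StatusInformation)".Trim()
}

# 2. URLs the chain engine tries, in extension order.
#    2.5.29.31 = CRL Distribution Points (base CRL)
#    2.5.29.46 = Freshest CRL (delta CRL); AD CS places this in the base CRL
#    rather than in the end-entity certificate, so it is usually empty here.
#    The "Published CRL Locations" field inside a CRL is never consulted.
function Get-ExtensionUrls {
    param($Certificate, [string]$Oid)
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq $Oid }
    if ($null -eq $ext) { return @() }
    # Format($true) renders the extension as text containing "URL=..." entries.
    [regex]::Matches($ext.Format($true), 'URL=(\S+)') |
        ForEach-Object { $_.Groups[1].Value }
}

function Test-CrlUrl {
    param([string]$Url)
    if ($Url -like 'ldap:*') {
        # LDAP to the forest is normally blocked from the DMZ; the engine logs
        # the failure and falls through to the next URL in the list.
        return 'LDAP (expected to fail from a DMZ host; engine tries the next URL)'
    }
    $tmp = [System.IO.Path]::GetTempFileName()
    try {
        (New-Object System.Net.WebClient).DownloadFile($Url, $tmp)
        # certutil -dump prints ThisUpdate/NextUpdate for a CRL; a NextUpdate in
        # the past means fresh CRLs are no longer being copied to this location.
        $dates = certutil -dump $tmp | Select-String 'ThisUpdate|NextUpdate' |
                 ForEach-Object { $_.Line.Trim() }
        return 'reachable; ' + ($dates -join '; ')
    } catch {
        return 'FAILED: ' + $_.Exception.Message
    } finally {
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
}

foreach ($element in $chain.ChainElements) {
    $c = $element.Certificate
    ''
    "Subject: $($c.Subject)"
    foreach ($pair in @(@('2.5.29.31', 'CDP'), @('2.5.29.46', 'FreshestCRL'))) {
        foreach ($url in (Get-ExtensionUrls $c $pair[0])) {
            "  [{0}] {1}`n      -> {2}" -f $pair[1], $url, (Test-CrlUrl $url)
        }
    }
}
```

Run it once in your interactive session on the Edge server and once under the account the transport service runs as (a scheduled task is the simplest way); a chain that builds cleanly in one context and reports OfflineRevocation in the other points at proxy, WinHTTP or firewall settings that differ between the two, rather than at the CA's CDP configuration. The delta CRL URL itself is read from the Freshest CRL extension of the downloaded base CRL; certutil -dump on that file shows it.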

Thanks for the reply. The HTTP URL is accessible from the Edge server. No proxy is being used; the Edge server is in the DMZ and HTTP traffic is routed to the internal CRL. Below is the output of running certutil -verify -urlfetch on the Edge server. As you can see, this command says it successfully verifies. All that I can think is that it is failing on the LDAP paths and for some reason is not trying the HTTP URLs. Are you able to see anything else wrong with the output?

C:\Users\Administrator>certutil -verify -urlfetch c:\exchange.cer
Issuer:
    CN=SUBCA
    DC=company
    DC=net
    DC=au
Subject:
    CN=mail.company.net.au
    OU=IT
    O=company
    L=Brisbane
    S=QLD
    C=AU
Cert Serial Number: 61f95c1e000000000008

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 6 Hours, 8 Minutes, 18 Seconds

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 6 Hours, 8 Minutes, 18 Seconds

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=SUBCA, DC=company, DC=net, DC=au
  NotBefore: 17/06/2012 5:38 PM
  NotAfter: 17/06/2014 5:38 PM
  Subject: CN=mail.company.net.au, OU=IT, O=company, L=Brisbane, S=QLD, C=AU
  Serial: 61f95c1e000000000008
  SubjectAltName: DNS Name=mail.company.net.au, DNS Name=autodiscover.company.net.au, DNS Name=servername1.company.net.au, DNS Name=servername2.company.net.au
  Template: WebServer
  7b 68 57 a7 97 21 49 de a6 11 ff 7d 80 1a 37 2e b8 8d fa d0
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  Failed "AIA" Time: 0
    Error retrieving URL: The specified network resource or device is no longer available. 0x80070037 (WIN32: 55)
    ldap:///CN=SUBCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=company,DC=net,DC=au?cACertificate?base?objectClass=certificationAuthority
  Verified "Certificate (0)" Time: 0
    [1.0] http://servername.company.net.au/CertEnroll/servername.company.net.au_SUBCA.crt
  ----------------  Certificate CDP  ----------------
  Failed "CDP" Time: 0
    Error retrieving URL: The specified network resource or device is no longer available. 0x80070037 (WIN32: 55)
    ldap:///CN=SUBCA,CN=servername,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=company,DC=net,DC=au?certificateRevocationList?base?objectClass=cRLDistributionPoint
  Verified "Base CRL (03)" Time: 0
    [1.0] http://servername.company.net.au/CertEnroll/SUBCA.crl
  Verified "Delta CRL (03)" Time: 0
    [1.0.0] http://servername.company.net.au/CertEnroll/SUBCA+.crl
  ----------------  Base CRL CDP  ----------------
  OK "Delta CRL (03)" Time: 0
    [0.0] http://servername.company.net.au/CertEnroll/SUBCA+.crl
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------
  CRL 03:
  Issuer: CN=SUBCA, DC=company, DC=net, DC=au
  f2 00 a7 e8 f7 89 3c fa ad 47 42 1e 15 d9 8c a8 4d 87 29 40
  Delta CRL 03:
  Issuer: CN=SUBCA, DC=company, DC=net, DC=au
  96 dc 5b 4b e3 f6 c5 3a 0e 46 96 2e 15 1d c9 e0 d6 4b 86 b9
  Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication

CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=company-ROOTCA
  NotBefore: 17/06/2012 1:19 PM
  NotAfter: 17/06/2022 1:29 PM
  Subject: CN=SUBCA, DC=company, DC=net, DC=au
  Serial: 122c101c000000000003
  Template: SubCA
  36 36 47 1f da 7e c4 bc 2e 51 fd 06 27 c7 38 93 49 b4 5c 31
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  Failed "AIA" Time: 0
    Error retrieving URL: The specified network resource or device is no longer available. 0x80070037 (WIN32: 55)
    ldap:///CN=company-ROOTCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=company,DC=net,DC=au?cACertificate?base?objectClass=certificationAuthority
  Verified "Certificate (0)" Time: 0
    [1.0] http://servername.company.net.au/CertEnroll/ROOTCA_company-ROOTCA.crt
  ----------------  Certificate CDP  ----------------
  Failed "CDP" Time: 0
    Error retrieving URL: The specified network resource or device is no longer available. 0x80070037 (WIN32: 55)
    ldap:///CN=company-ROOTCA,CN=ROOTCA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=company,DC=net,DC=au?certificateRevocationList?base?objectClass=cRLDistributionPoint
  Verified "Base CRL (05)" Time: 0
    [1.0] http://servername.company.net.au/CertEnroll/company-ROOTCA.crl
  ----------------  Base CRL CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------
  CRL 05:
  Issuer: CN=company-ROOTCA
  60 49 94 04 05 fe 8d bd 7b 5a dc 91 28 82 f0 87 20 f4 16 2f

CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=company-ROOTCA
  NotBefore: 29/12/2011 10:52 PM
  NotAfter: 29/12/2031 11:02 PM
  Subject: CN=company-ROOTCA
  Serial: 494184a83f01338441f6f4e4af188328
  6f 7f df 5c 97 05 35 46 4a d1 c5 1e a0 a7 08 d7 23 3f 13 0b
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------

Exclude leaf cert:
  05 80 ff 77 17 b0 e6 07 75 77 1e ec fe 86 03 37 69 ce cb bc
Full chain:
  7a e3 77 48 e8 66 f4 03 2d a6 ee b0 26 0c 25 59 de 04 1f 8d
------------------------------------
Verified Issuance Policies: None
Verified Application Policies:
    1.3.6.1.5.5.7.3.1 Server Authentication
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.
June 17th, 2012 5:07am

Any ideas?
June 19th, 2012 6:16am

Hello, thank you for your post. This is a quick note to let you know that we are performing research on this issue. Best regards, Elytis Cheng, TechNet Community Support
June 26th, 2012 10:33pm
