Cannot access CRLs when the CRL distribution point specified in digital certificates is accessible only through LDAP or HTTP and the user's Exchange server is behind a firewall

Problem description

This issue is similar to the earlier issue in which the authority information access (AIA) location is reachable only through LDAP or HTTP, and the Exchange server is behind a firewall that does not allow the protocol specified in the AIA extension. In this case, the certificate revocation list (CRL) distribution point is reachable only through LDAP or HTTP, and the Exchange server is behind a firewall.

By default, when behind a firewall, the Exchange server cannot successfully make LDAP or HTTP connections to the CRL distribution point specified in the certificates. As a consequence, the Exchange server cannot connect to the CRL distribution point to retrieve CRLs when validating digital certificates.

If a user's Exchange server is unable to retrieve CRLs, the user may be unable to send signed or encrypted e-mail messages, depending on the value of the CheckCRL registry key. For more information about this registry key, see "CheckCRL (DWord)" in Outlook Web Access S/MIME Control-Related Settings.

Resolution

To resolve this issue, do either of the following:

  • Download the CRL from the CRL distribution point manually, and import it into the Local Computer certificate store of the user's Exchange server. For detailed steps, see How to Manually Import a CRL.

  • Install and configure a firewall client for the appropriate protocols on the recipient's Exchange server.

Note

If the recipient's Exchange server is running Windows Server 2003, you do not need to install a separate firewall client. Windows Server 2003 has built-in firewall client capabilities that you can configure using ProxyCFG.exe. For more information about ProxyCFG.exe, see Windows Server 2003 Help.
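The following PowerShell script is an added example (not part of the original article) of the two resolutions above: it fetches a CRL from its distribution point on a host that is allowed to reach it, checks that the file is really the expected issuer's CRL and has not already passed its NextUpdate, imports it into the Local Computer CA store with certutil, and shows the ProxyCFG.exe alternative as a comment. The CDP URL, issuer name and proxy address are placeholders, not values from the page.

```powershell
# Added example, not from the original article. Placeholder values are marked as such.
param(
    [string]$CdpUrl           = 'http://crl.example.invalid/IssuingCA.crl',  # placeholder CDP URL
    [string]$ExpectedIssuerCN = 'Example Issuing CA',                        # placeholder issuer CN
    [string]$CrlFile          = (Join-Path $env:TEMP 'IssuingCA.crl')
)
$ErrorActionPreference = 'Stop'

# 1. Download the CRL. Run this step on a machine that is allowed to reach the CDP over
#    HTTP; if that is not the Exchange server itself, copy the file there afterwards.
Invoke-WebRequest -Uri $CdpUrl -OutFile $CrlFile -UseBasicParsing

# 2. Sanity-check the file before importing it. certutil -dump prints the issuer DN one
#    attribute per line and a "NextUpdate:" line in the machine's local date format.
$dump = (& certutil.exe -dump $CrlFile) -join "`n"
if ($LASTEXITCODE -ne 0 -or $dump -notmatch 'X509 Certificate Revocation List') {
    throw "$CrlFile is not a CRL that certutil can parse"
}
if ($dump -notmatch ('CN=' + [regex]::Escape($ExpectedIssuerCN))) {
    throw "CRL issuer does not contain CN=$ExpectedIssuerCN; refusing to import it"
}
if ($dump -match 'NextUpdate:\s*(.+)') {
    $nextUpdate = [datetime]::Parse($Matches[1].Trim())
    if ($nextUpdate -lt (Get-Date)) {
        throw "CRL already expired at $nextUpdate; download a current one instead"
    }
    Write-Host "CRL is valid until $nextUpdate; re-import before then."
}

# 3. Import into the Local Computer CA store (run from an elevated prompt). certutil
#    writes to the machine store unless -user is given, which is what Exchange reads.
& certutil.exe -addstore CA $CrlFile
if ($LASTEXITCODE -ne 0) { throw "certutil -addstore failed with exit code $LASTEXITCODE" }

# Alternative for Windows Server 2003 (see the note above): instead of importing CRLs
# by hand, point the server's WinHTTP stack at a proxy that can reach the CDP, e.g.
#   proxycfg.exe -p 'proxy.example.invalid:8080' '<local>'   # placeholder proxy address
```

Because a CRL is only valid until its NextUpdate, the manual import is not a one-time fix: schedule it to run again before that time, or Exchange will fall back to the behaviour selected by the CheckCRL registry key once the imported CRL expires.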