Cannot access CRLs when the CRL distribution point specified in digital certificates is accessible only through LDAP or HTTP and the user's Exchange server is behind a firewall


Topic Last Modified: 2005-05-19

This issue is similar to the earlier issue where authority information access is accessible through LDAP or HTTP, and the Exchange server is behind a firewall and cannot connect through the firewall over the protocol specified in authority information access. In this case, the certificate revocation list (CRL) distribution point is accessible either through LDAP or HTTP, and the Exchange server is behind a firewall.

By default, when behind a firewall, the Exchange server cannot successfully make LDAP or HTTP connections to the CRL distribution point specified in the certificates. As a consequence, the Exchange server cannot connect to the CRL distribution point to retrieve CRLs when validating digital certificates.

If a user's Exchange server is unable to retrieve CRLs, the user may be unable to send signed or encrypted e-mail messages, depending on the value of the CheckCRL registry key. For more information about this registry key, see "CheckCRL (DWord)" in Outlook Web Access S/MIME Control-Related Settings.

To resolve this issue, do either of the following:

  • Download the CRL from the CRL distribution point manually, and import it into the Local Computer certificate store of the user's Exchange server. For detailed steps, see How to Manually Import a CRL.

  • Install and configure a firewall client for the appropriate protocols on the recipient's Exchange server.

If the recipient's Exchange server is running Windows Server 2003, you do not need to install a separate firewall client. Windows Server 2003 has built-in firewall client capabilities that you can configure using ProxyCFG.exe. For more information about ProxyCFG.exe, see Windows Server 2003 Help.