Exchange Hybrid Configuration Wizard Certificate Issues

Setting up a hybrid environment for Exchange can sometimes be a tricky process, especially when dealing with certificates. Recently, I encountered a problem during the Exchange Hybrid Configuration Wizard setup where the certificate from a public certificate authority (CA) was not available for selection. Here’s a detailed account of how I diagnosed and resolved the issue.

While running the Hybrid Configuration Wizard, I noticed that the online certificate I needed wasn’t available for selection, despite having signed certificates displayed. A quick search suggested that the commercial certificate might be incorrectly installed.

This led me to check the certificate using PowerShell and specifically focus on the RootCAType property.

The RootCAType property is crucial in identifying the kind of CA that issued the certificate:

  • ThirdParty: Indicates a commercial, public root CA.
  • Registry: An internal, private PKI root CA manually installed.
  • None: No CA information.

For the hybrid setup, the RootCAType should return ThirdParty. If it returns Registry or None, the certificate won’t be listed in the Hybrid Configuration Wizard, indicating a need to reimport the certificate and configure it correctly.

In my case, the RootCAType was correctly set to ThirdParty, eliminating this as the root cause.

When viewing the certificate, I noticed that its status was RevocationCheckFailure.

I opened the certificate to find the URL for the Certificate Revocation List (CRL):

http://cdp.thawte.com/ThawteTLSRSACAG1.crl

Attempting to connect to this URL resulted in an error, indicating that the file was unavailable. This pointed towards a connectivity issue.

Given that the server wasn’t using a proxy server but was behind a firewall, I suspected the firewall might be blocking access to the CRL URL. I coordinated with the network technicians to investigate why this URL was being blocked.

After some investigation, the network team identified the block and subsequently opened access to the CRL URL. Once access was granted, the error was resolved. The Hybrid Configuration Wizard was then able to recognize and use the certificate without any issues.

Key takeaways include:

  1. Verify Certificate Installation: Ensure the certificate is correctly installed and recognized as ThirdParty.
  2. Check Revocation List Access: Ensure that the server can access the CRL URL to verify the certificate’s validity.
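The two checks above can be scripted from the Exchange Management Shell. The following is an added example, not code from the original post; it assumes the Exchange cmdlet Get-ExchangeCertificate and the local machine certificate store are available, and `<THUMBPRINT>` is a placeholder for the certificate's thumbprint.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell
# on the Exchange server; replace <THUMBPRINT> with the certificate's thumbprint.
param([string]$Thumbprint = '<THUMBPRINT>')

# 1. Verify installation: how Exchange classifies the issuer, and the current status.
$exCert = Get-ExchangeCertificate -Thumbprint $Thumbprint
"{0}: RootCAType={1} Status={2}" -f $exCert.Subject, $exCert.RootCAType, $exCert.Status
if ($exCert.RootCAType -ne 'ThirdParty') {
    Write-Warning 'Not recognised as a public CA certificate; reimport it with its full chain.'
}

# 2. Check revocation list access: read the CRL Distribution Points extension
#    (OID 2.5.29.31) from the same certificate in the machine store.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $Thumbprint
$cdp  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdp) { throw 'Certificate has no CRL Distribution Points extension.' }

# The formatted extension text contains lines such as "URL=http://cdp.example/ca.crl".
$urls = [regex]::Matches($cdp.Format($true), 'URL=(http[^\s]+)') |
        ForEach-Object { $_.Groups[1].Value }

# Fetch each CRL from the server itself: this is the path the revocation check takes,
# so a firewall or proxy problem shows up here as an unreachable URL.
foreach ($url in $urls) {
    try {
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
        "{0} -> HTTP {1}, {2} bytes" -f $url, $resp.StatusCode, $resp.RawContentLength
    } catch {
        Write-Warning ("{0} -> unreachable: {1}" -f $url, $_.Exception.Message)
    }
}
```

A status of RevocationCheckFailure together with an unreachable CRL URL in the output points at network filtering rather than at the certificate itself.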

Ilia Rud
