Notes from the Field

Remember to Update your CRLs (if you have an Offline Root CA)

I had an interesting issue crop up two weeks ago in my VMware View environment –  it basically stopped accepting all the certificates from my internal CA as valid.  The logs showed that they were failing on a revocation check, and I had to disable revocation checking on both of my connection brokers after opening a case with VMware.  View 5.1 requires valid certificates on the connection brokers and VCenter, and if those certificates expire, are revoked, or are unable to be checked against a revocation list, the system will choke on them.

A similar issue reared its ugly head on my Exchange Server today when I had to replace an expiring certificate.  I received a similar error in my Exchange 2010 Management Console, and a little digging led me to some tips to better troubleshoot this issue.  It turns out that the issue was an expired revocation from my Offline Root CA, which has been…well…offline for a while, that needed to be updated. Once I updated the list and copied it to the distribution point, all of the issues I was having cleared up.

The tips in this post helped greatly when troubleshooting this issue: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/348a9b8d-8583-488c-9a96-42b892c4ae77/

Advertisements