Exchange 2010 - UCC Certificate "The certificate is invalid for Exchange Server Usage"

posted 4 Oct 2011, 02:11 by Tristan Self   [ updated 4 Oct 2011, 02:18 ]
I was getting the errors “The Certificate is Invalid for Exchange Server Usage” and “The certificate status could not be determined because the revocation check failed.”

Here is how I fixed them in our test environment before we deployed to live. The first error is a common one; the second one seems to occur only if you use a proxy server, or you have a web filter that is a bit overenthusiastic.

“The Certificate is Invalid for Exchange Server Usage” fix:

http://exchangeserverpro.com/exchange-server-2010-certificate-invalid-for-exchange-server-usage-error

I imported the CA root and then intermediate CA certs into the root and intermediate stores respectively.

My CA provider had given me a zip with 4 files:

The certificate.crt file, which is the actual certificate I'd asked for, and the below three files, which I imported.

The “AddtrustExternalCARoot.crt” file needs to be imported into the “Local Computer\Trusted Root Certification Authorities” store.

The “TERENASSLCA.crt” and “UTNAddTrustServer_CA.crt” needed to be imported into the “Local Computer\Intermediate Certification Authorities” store.


“The certificate status could not be determined because the revocation check failed” fix:

I performed the steps in here (see link below); normally in the production environment we would not be using a proxy server, so we would not need to do this: http://exchangeserverpro.com/exchange-2010-certificate-revocation-checks-and-proxy-settings. I also needed to put in an exception in the IE proxy settings for “server.domain.co.uk” (so the Exchange PowerShell doesn’t break), then reran the command to import the proxy settings into the WinHTTP proxy and restarted the “WinHTTP Web Proxy Auto-Discovery Service” to pick up the new settings.

Once I'd fixed these two problems I could then assign the certificate some services and make use of it.
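
The two fixes above, scripted with a chain and revocation check at the end. This is an added example, not the commands from the original post or the linked articles. The folder `C:\Certs` is an assumed location for the unzipped CA bundle; the file names are the ones listed above. Run it from an elevated PowerShell prompt on the Exchange server.

```powershell
# Added example. $dir is an assumed path; file names are those named in the post.
$dir = 'C:\Certs'

# Root CA -> "Trusted Root Certification Authorities" (certutil store name: Root)
# Intermediates -> "Intermediate Certification Authorities" (certutil store name: CA)
$imports = @(
    @{ File = 'AddtrustExternalCARoot.crt'; Store = 'Root' },
    @{ File = 'TERENASSLCA.crt';            Store = 'CA'   },
    @{ File = 'UTNAddTrustServer_CA.crt';   Store = 'CA'   }
)
foreach ($i in $imports) {
    $path = Join-Path $dir $i.File
    if (-not (Test-Path $path)) { throw "Missing file: $path" }
    & certutil.exe -addstore -f $i.Store $path | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil failed for $($i.File)" }
}

# Copy the IE proxy settings (including the bypass entry) into WinHTTP,
# show what was applied, then restart the service so it picks them up.
& netsh.exe winhttp import proxy source=ie
& netsh.exe winhttp show proxy
Restart-Service -Name WinHttpAutoProxySvc

# Build the chain for the issued certificate in machine context,
# with online revocation checking for everything below the root.
$x509  = 'System.Security.Cryptography.X509Certificates'
$cert  = New-Object "$x509.X509Certificate2" -ArgumentList (Join-Path $dir 'certificate.crt')
$chain = New-Object "$x509.X509Chain" -ArgumentList $true
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
$ok = $chain.Build($cert)

# One line per chain element: subject and any error status (empty means OK).
$chain.ChainElements | ForEach-Object {
    $status = ($_.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
    if (-not $status) { $status = 'OK' }
    '{0} -> {1}' -f $_.Certificate.Subject, $status
}
if (-not $ok) { Write-Warning 'Chain did not validate; check the statuses above.' }
```

A `PartialChain` or `UntrustedRoot` status points at the store imports, while `RevocationStatusUnknown` or `OfflineRevocation` points at the proxy path to the CA's revocation endpoints.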
