Certificate Revocation Checking problem

*N.B. this is an old article and may no longer be relevant*

I had an issue a while back with certificate revocation checking. The SAN certificate I had installed showed as failing its revocation check because the VLAN the servers sit on has no direct internet access, so the Exchange servers (which perform CRL checking as the System account, not as a logged-on user) could not reach the CRL distribution points. I needed the proxy to allow them unauthenticated access to *.verisign.com and *.verisign.net, and I needed Windows to send that traffic to the proxy in the first place.

To do this I followed my old colleague Marcin's blog (http://unified.swiatelski.com/2011/01/exchange-2010-certificate-status.html), which essentially relays what Microsoft publish (http://technet.microsoft.com/en-us/library/bb430772.aspx) but adds the warning:

Notice: Please remember to set the value of the bypass-list parameter to your local Active Directory domain FQDN. If you pass over this part you won't be able to connect to your Exchange using the Exchange Management Console or PowerShell.

I would have put that in BOLD and possibly RED AND BOLD, because it is more than just a minor annoyance: the netsh winhttp proxy is machine-wide, so without your domain in the bypass list the remote PowerShell connection that the EMC and EMS use to reach the Exchange servers is sent to the proxy as well, and you lose the ability to manage the server. Maybe even RED AND BOLD UNDERLINED.
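The step above, written out as an added example (this is my illustration, not Marcin's or Microsoft's text). The proxy name proxy.corp.example.com:8080 and the AD domain corp.example.com are placeholders to be replaced with your own; the commands themselves are the standard netsh winhttp ones and are run in an elevated PowerShell on each Exchange server:

```powershell
# Added example: configure the machine-wide WinHTTP proxy that services running
# as SYSTEM (including Exchange's CRL/OCSP retrieval) use, with a bypass list.
# Assumed values: proxy.corp.example.com:8080 is the proxy,
# corp.example.com is the local AD domain FQDN. Replace both.

$Proxy    = 'proxy.corp.example.com:8080'
$AdDomain = 'corp.example.com'

# Show what is currently configured. The default on a fresh server is
# "Direct access (no proxy server)", which is why the CRL fetch never left the VLAN.
netsh winhttp show proxy

# The bypass list MUST include the local AD domain, otherwise EMC/EMS remote
# PowerShell sessions to the Exchange servers are sent to the proxy and fail.
# "<local>" additionally bypasses the proxy for single-label intranet hostnames.
$Bypass = "<local>;*.$AdDomain"
netsh winhttp set proxy proxy-server="$Proxy" bypass-list="$Bypass"

# Confirm the result; expect the proxy and the bypass list to be echoed back.
netsh winhttp show proxy

# If management breaks anyway, this puts the server back to direct access:
# netsh winhttp reset proxy
```

Note that this setting is separate from the per-user Internet Explorer proxy settings; `netsh winhttp import proxy source=ie` copies those into WinHTTP if you would rather start from the user configuration, but check the imported bypass list just as carefully.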

Also worth reading is the following blog, which has some tips and troubleshooting information for exactly this scenario (the EMC error "The certificate status could not be determined because the revocation check failed"):
http://blogs.microsoft.co.il/blogs/yuval14/archive/2011/09/20/how-to-resolve-exchange-2010-error-message-the-certificate-status-could-not-be-determined-because-the-revocation-check-failed.aspx

Some further points I deduced or gathered elsewhere:

· The revocation check is not re-run on demand when you refresh the EMC; CryptoAPI caches the result. After modifying the WinHTTP settings, reboot the server and allow up to an hour before concluding that the change has not worked.
· To view logging, go to Event Viewer, Applications and Services Logs, Microsoft, Windows, CAPI2, and enable the Operational log. It is disabled by default, so nothing is recorded until you do.
· Set-ExchangeServer -InternetWebProxy (the documented Exchange way to point the server at a proxy) should work, but in my case it did not; the netsh winhttp route did.
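The troubleshooting steps from the list above, as an added example of my own rather than anything from the blogs linked. It assumes the public part of the Exchange certificate has been exported to C:\temp\exchange.cer (a placeholder path), and is run in an elevated PowerShell on the Exchange server:

```powershell
# Added example: enable the CAPI2 operational log, make CryptoAPI forget its
# cached revocation results rather than waiting up to an hour, test the CRL
# fetch, and read back what was logged.
# Assumption: C:\temp\exchange.cer holds the exported Exchange certificate.

$CertFile = 'C:\temp\exchange.cer'

# 1. Enable the CAPI2 operational log (equivalent to "Enable Log" in Event Viewer).
wevtutil sl Microsoft-Windows-CAPI2/Operational /e:true

# 2. Mark everything cached before now as stale, so the next chain build
#    re-fetches the CRL instead of reusing an earlier failed (offline) result.
certutil -setreg 'chain\ChainCacheResyncFiletime' '@now'

# 3. Build the chain with live URL retrieval, as the server does. In the output,
#    "Verified" against each CRL URL is what you want; a line such as
#    "Failed 'CRL (...)'" or "Revocation check skipped -- server offline"
#    means the CDP is still unreachable.
certutil -verify -urlfetch $CertFile

# 4. Read the most recent revocation/network events. In the CAPI2 log,
#    event 41 is the revocation check itself and event 53 is the retrieval
#    of an object (CRL, OCSP response, AIA cert) from the network; errors
#    carry the URL that could not be fetched.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CAPI2/Operational'; Id = 41, 53 } -MaxEvents 20 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-List
```

One caveat: run as your own account, certutil uses your user's proxy settings, which may well be fine even when the System account's are not. To reproduce what Exchange sees, run the certutil step under the System account (for example via Sysinternals `psexec -s`), which is the context that picks up the netsh winhttp configuration.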